diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go
index 60f445b7c665..2028b601c744 100644
--- a/pkg/fanal/artifact/artifact.go
+++ b/pkg/fanal/artifact/artifact.go
@@ -2,12 +2,8 @@ package artifact
 
 import (
 	"context"
-	"os"
 	"sort"
 
-	"github.com/samber/lo"
-	"golang.org/x/xerrors"
-
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/fanal/walker"
@@ -63,31 +59,7 @@ func (o *Option) Sort() {
 	sort.Strings(o.FilePatterns)
 }
 
-func (o *Option) ConfigFiles() []string {
-	// data paths and policy paths are ignored because their own file systems are created for them
-	return lo.Flatten(
-		[][]string{
-			o.MisconfScannerOption.TerraformTFVars,
-			o.MisconfScannerOption.HelmFileValues,
-			o.MisconfScannerOption.HelmValueFiles,
-		},
-	)
-}
-
 type Artifact interface {
 	Inspect(ctx context.Context) (reference types.ArtifactReference, err error)
 	Clean(reference types.ArtifactReference) error
 }
-
-func AddConfigFilesToFS(composite *analyzer.CompositeFS, opt Option) error {
-	for _, configFile := range opt.ConfigFiles() {
-		if _, err := os.Stat(configFile); err != nil {
-			return xerrors.Errorf("config file %q not found: %w", configFile, err)
-		}
-		if err := composite.CreateLink(analyzer.TypeConfigFiles, "", configFile, configFile); err != nil {
-			return xerrors.Errorf("failed to create link: %w", err)
-		}
-	}
-
-	return nil
-}
diff --git a/pkg/fanal/artifact/image/image.go b/pkg/fanal/artifact/image/image.go
index 85f3bb9222f4..874f8e109694 100644
--- a/pkg/fanal/artifact/image/image.go
+++ b/pkg/fanal/artifact/image/image.go
@@ -277,10 +277,6 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 	}
 	defer composite.Cleanup()
 
-	if err := artifact.AddConfigFilesToFS(composite, a.artifactOption); err != nil {
-		return types.BlobInfo{}, xerrors.Errorf("failed write config files to fs: %w", err)
-	}
-
 	// Walk a tar layer
 	opqDirs, whFiles, err := a.walker.Walk(rc, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		if err := a.analyzer.AnalyzeFile(ctx, &wg, limit, result, "", filePath, info, opener, disabled, opts); err != nil {
diff --git a/pkg/fanal/artifact/local/fs.go b/pkg/fanal/artifact/local/fs.go
index 5cad8bcaa72e..49a61e37e90c 100644
--- a/pkg/fanal/artifact/local/fs.go
+++ b/pkg/fanal/artifact/local/fs.go
@@ -134,10 +134,6 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		return types.ArtifactReference{}, xerrors.Errorf("failed to prepare filesystem for post analysis: %w", err)
 	}
 
-	if err := artifact.AddConfigFilesToFS(composite, a.artifactOption); err != nil {
-		return types.ArtifactReference{}, xerrors.Errorf("failed write config files to fs: %w", err)
-	}
-
 	err = a.walker.Walk(a.rootPath, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		dir := a.rootPath
 
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index 8ac77b9f0056..d602bca7c948 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -71,6 +71,7 @@ type Scanner struct {
 	fileType       detection.FileType
 	scanner        scanners.FSScanner
 	hasFilePattern bool
+	configFiles    []string
 }
 
 func NewAzureARMScanner(filePatterns []string, opt ScannerOption) (*Scanner, error) {
@@ -108,6 +109,7 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 	}
 
 	var scanner scanners.FSScanner
+	var configFiles []string
 	switch t {
 	case detection.FileTypeAzureARM:
 		scanner = arm.New(opts...)
@@ -117,10 +119,12 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 		scanner = dfscanner.NewScanner(opts...)
 	case detection.FileTypeHelm:
 		scanner = helm.New(opts...)
+		configFiles = append(opt.HelmFileValues, opt.HelmValueFiles...)
 	case detection.FileTypeKubernetes:
 		scanner = k8sscanner.NewScanner(opts...)
 	case detection.FileTypeTerraform:
 		scanner = tfscanner.New(opts...)
+		configFiles = opt.TerraformTFVars
 	case detection.FileTypeTerraformPlan:
 		scanner = tfpscanner.New(opts...)
 	}
@@ -129,6 +133,7 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 		fileType:       t,
 		scanner:        scanner,
 		hasFilePattern: hasFilePattern(t, filePatterns),
+		configFiles:    configFiles,
 	}, nil
 }
 
@@ -141,6 +146,10 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 		return nil, nil
 	}
 
+	if err := addConfigFilesToFS(newfs, s.configFiles); err != nil {
+		return nil, xerrors.Errorf("failed to add config files to fs: %w", err)
+	}
+
 	log.Logger.Debugf("Scanning %s files for misconfigurations...", s.scanner.Name())
 	results, err := s.scanner.ScanFS(ctx, newfs, ".")
 	if err != nil {
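Review bot: In the Helm case, `configFiles = append(opt.HelmFileValues, opt.HelmValueFiles...)` appends into whatever spare capacity `opt.HelmFileValues` has, so `configFiles` may share a backing array with the caller's slice and a later append on either side can overwrite the other's tail; build a fresh slice instead, `configFiles = append(append([]string(nil), opt.HelmFileValues...), opt.HelmValueFiles...)`. The rationale carried by the deleted `Option.ConfigFiles()` — data and policy paths are left out because their own file systems are created for them — no longer appears anywhere in the new code; a comment above this `switch`, e.g. `// only tfvars / Helm values files are mapped in here; data and policy paths get their own file systems`, would keep that knowledge next to the assignments. `newScanner` begins and ends outside this hunk.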
@@ -165,6 +174,30 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 	return misconfs, nil
 }
 
+func addConfigFilesToFS(fsys fs.FS, configFiles []string) error {
+	if len(configFiles) == 0 {
+		return nil
+	}
+
+	mfs, ok := fsys.(*mapfs.FS)
+	if !ok {
+		return xerrors.Errorf("type assertion error: %T is not a *mapfs.FS", fsys)
+	}
+	for _, configFile := range configFiles {
+		if _, err := os.Stat(configFile); err != nil {
+			return xerrors.Errorf("config file %q not found: %w", configFile, err)
+		}
+		if err := mfs.MkdirAll(filepath.Dir(configFile), os.ModePerm); err != nil && !errors.Is(err, fs.ErrExist) {
+			return xerrors.Errorf("mkdir error: %w", err)
+		}
+		if err := mfs.WriteFile(configFile, configFile); err != nil {
+			return xerrors.Errorf("write file error: %w", err)
+		}
+	}
+
+	return nil
+}
+
 func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
 	mfs, ok := fsys.(*mapfs.FS)
 	if !ok {
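Review bot: `addConfigFilesToFS` uses the operator-supplied host path unchanged as the key inside the in-memory FS (`mfs.MkdirAll(filepath.Dir(configFile), …)` and `mfs.WriteFile(configFile, configFile)`), yet `fs.FS` paths are expected to be unrooted, slash-separated and free of `..` (`fs.ValidPath`); how `mapfs` treats an absolute path such as `/home/me/prod.tfvars`, a `../vars.tfvars` argument or a Windows backslash path is not visible here, so that case deserves a test before relying on the `os.Stat` check alone. If a normalisation like `filepath.ToSlash(filepath.Clean(configFile))` is introduced, it has to be applied identically where the scanner options are built from `opt.TerraformTFVars` / `opt.HelmValueFiles`, since the scanner presumably resolves the same string inside `newfs`. The function also has no doc comment; something like `// addConfigFilesToFS maps each extra input file (tfvars, Helm values) into the in-memory FS under its original path so the scanner can resolve it; every path must exist on the host and fsys must be a *mapfs.FS.` would do. `Scan` and `filterFS` begin or end outside this hunk.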