2022-09-28 13:39:54 -05:00
|
|
|
package trivy
|
|
|
|
|
|
|
|
import (
|
2023-01-18 11:24:44 -05:00
|
|
|
"context"
|
2023-01-09 15:37:44 -05:00
|
|
|
"encoding/json"
|
2022-09-28 13:39:54 -05:00
|
|
|
"path"
|
|
|
|
"sync"
|
|
|
|
|
|
|
|
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
|
|
|
"github.com/aquasecurity/trivy/pkg/commands/artifact"
|
|
|
|
"github.com/aquasecurity/trivy/pkg/commands/operation"
|
2023-01-18 11:24:44 -05:00
|
|
|
"github.com/aquasecurity/trivy/pkg/flag"
|
2022-09-28 13:39:54 -05:00
|
|
|
"github.com/aquasecurity/trivy/pkg/types"
|
|
|
|
regTypes "github.com/google/go-containerregistry/pkg/v1/types"
|
2023-01-09 15:37:44 -05:00
|
|
|
godigest "github.com/opencontainers/go-digest"
|
2022-09-28 13:39:54 -05:00
|
|
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
2022-10-20 11:39:20 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
zerr "zotregistry.io/zot/errors"
|
2022-09-28 13:39:54 -05:00
|
|
|
"zotregistry.io/zot/pkg/extensions/search/common"
|
|
|
|
cvemodel "zotregistry.io/zot/pkg/extensions/search/cve/model"
|
|
|
|
"zotregistry.io/zot/pkg/log"
|
2023-01-09 15:37:44 -05:00
|
|
|
"zotregistry.io/zot/pkg/meta/repodb"
|
2022-09-28 13:39:54 -05:00
|
|
|
"zotregistry.io/zot/pkg/storage"
|
|
|
|
)
|
|
|
|
|
2023-01-18 17:18:03 -05:00
|
|
|
const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db"
|
2023-01-18 11:24:44 -05:00
|
|
|
|
|
|
|
// getNewScanOptions sets trivy configuration values for our scans and returns them as
|
|
|
|
// a trivy Options structure.
|
2023-01-18 17:18:03 -05:00
|
|
|
func getNewScanOptions(dir, dbRepository string) *flag.Options {
|
2023-01-18 11:24:44 -05:00
|
|
|
scanOptions := flag.Options{
|
|
|
|
GlobalOptions: flag.GlobalOptions{
|
|
|
|
CacheDir: dir,
|
|
|
|
},
|
|
|
|
ScanOptions: flag.ScanOptions{
|
|
|
|
SecurityChecks: []string{types.SecurityCheckVulnerability},
|
|
|
|
OfflineScan: true,
|
|
|
|
},
|
|
|
|
VulnerabilityOptions: flag.VulnerabilityOptions{
|
|
|
|
VulnType: []string{types.VulnTypeOS, types.VulnTypeLibrary},
|
|
|
|
},
|
|
|
|
DBOptions: flag.DBOptions{
|
|
|
|
DBRepository: dbRepository,
|
|
|
|
SkipDBUpdate: true,
|
|
|
|
},
|
|
|
|
ReportOptions: flag.ReportOptions{
|
|
|
|
Format: "table",
|
|
|
|
Severities: []dbTypes.Severity{
|
|
|
|
dbTypes.SeverityUnknown,
|
|
|
|
dbTypes.SeverityLow,
|
|
|
|
dbTypes.SeverityMedium,
|
|
|
|
dbTypes.SeverityHigh,
|
|
|
|
dbTypes.SeverityCritical,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
return &scanOptions
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
type cveTrivyController struct {
|
2023-01-18 11:24:44 -05:00
|
|
|
DefaultCveConfig *flag.Options
|
|
|
|
SubCveConfig map[string]*flag.Options
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
type Scanner struct {
|
2023-01-09 15:37:44 -05:00
|
|
|
repoDB repodb.RepoDB
|
2022-09-28 13:39:54 -05:00
|
|
|
cveController cveTrivyController
|
|
|
|
storeController storage.StoreController
|
|
|
|
log log.Logger
|
|
|
|
dbLock *sync.Mutex
|
2023-01-17 16:14:17 -05:00
|
|
|
cache *CveCache
|
2023-01-18 17:18:03 -05:00
|
|
|
dbRepository string
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
func NewScanner(storeController storage.StoreController,
|
2023-01-18 17:18:03 -05:00
|
|
|
repoDB repodb.RepoDB, dbRepository string, log log.Logger,
|
2022-09-28 13:39:54 -05:00
|
|
|
) *Scanner {
|
|
|
|
cveController := cveTrivyController{}
|
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
subCveConfig := make(map[string]*flag.Options)
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-18 17:18:03 -05:00
|
|
|
if dbRepository == "" {
|
|
|
|
dbRepository = defaultDBRepository
|
|
|
|
}
|
|
|
|
|
2022-09-28 13:39:54 -05:00
|
|
|
if storeController.DefaultStore != nil {
|
|
|
|
imageStore := storeController.DefaultStore
|
|
|
|
|
|
|
|
rootDir := imageStore.RootDir()
|
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
cacheDir := path.Join(rootDir, "_trivy")
|
2023-01-18 17:18:03 -05:00
|
|
|
opts := getNewScanOptions(cacheDir, dbRepository)
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
cveController.DefaultCveConfig = opts
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
if storeController.SubStore != nil {
|
|
|
|
for route, storage := range storeController.SubStore {
|
|
|
|
rootDir := storage.RootDir()
|
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
cacheDir := path.Join(rootDir, "_trivy")
|
2023-01-18 17:18:03 -05:00
|
|
|
opts := getNewScanOptions(cacheDir, dbRepository)
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
subCveConfig[route] = opts
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
cveController.SubCveConfig = subCveConfig
|
|
|
|
|
|
|
|
return &Scanner{
|
|
|
|
log: log,
|
2023-01-09 15:37:44 -05:00
|
|
|
repoDB: repoDB,
|
2022-09-28 13:39:54 -05:00
|
|
|
cveController: cveController,
|
|
|
|
storeController: storeController,
|
|
|
|
dbLock: &sync.Mutex{},
|
2023-01-17 16:14:17 -05:00
|
|
|
cache: NewCveCache(10000, log), //nolint:gomnd
|
2023-01-18 17:18:03 -05:00
|
|
|
dbRepository: dbRepository,
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
func (scanner Scanner) getTrivyOptions(image string) flag.Options {
|
2022-09-28 13:39:54 -05:00
|
|
|
// Split image to get route prefix
|
|
|
|
prefixName := common.GetRoutePrefix(image)
|
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
var opts flag.Options
|
2022-09-28 13:39:54 -05:00
|
|
|
|
|
|
|
var ok bool
|
|
|
|
|
|
|
|
var rootDir string
|
|
|
|
|
|
|
|
// Get corresponding CVE trivy config, if no sub cve config present that means its default
|
2023-01-18 11:24:44 -05:00
|
|
|
_, ok = scanner.cveController.SubCveConfig[prefixName]
|
2022-09-28 13:39:54 -05:00
|
|
|
if ok {
|
2023-01-18 11:24:44 -05:00
|
|
|
opts = *scanner.cveController.SubCveConfig[prefixName]
|
|
|
|
|
2022-09-28 13:39:54 -05:00
|
|
|
imgStore := scanner.storeController.SubStore[prefixName]
|
|
|
|
|
|
|
|
rootDir = imgStore.RootDir()
|
|
|
|
} else {
|
2023-01-18 11:24:44 -05:00
|
|
|
opts = *scanner.cveController.DefaultCveConfig
|
2022-09-28 13:39:54 -05:00
|
|
|
|
|
|
|
imgStore := scanner.storeController.DefaultStore
|
|
|
|
|
|
|
|
rootDir = imgStore.RootDir()
|
|
|
|
}
|
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
opts.ScanOptions.Target = path.Join(rootDir, image)
|
|
|
|
opts.ImageOptions.Input = path.Join(rootDir, image)
|
|
|
|
|
|
|
|
return opts
|
|
|
|
}
|
|
|
|
|
|
|
|
func (scanner Scanner) runTrivy(opts flag.Options) (types.Report, error) {
|
|
|
|
ctx := context.Background()
|
|
|
|
|
|
|
|
runner, err := artifact.NewRunner(ctx, opts)
|
|
|
|
if err != nil {
|
|
|
|
return types.Report{}, err
|
|
|
|
}
|
|
|
|
defer runner.Close(ctx)
|
|
|
|
|
|
|
|
report, err := runner.ScanImage(ctx, opts)
|
|
|
|
if err != nil {
|
|
|
|
return types.Report{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
report, err = runner.Filter(ctx, opts, report)
|
|
|
|
if err != nil {
|
|
|
|
return types.Report{}, err
|
|
|
|
}
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-18 11:24:44 -05:00
|
|
|
return report, nil
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
func (scanner Scanner) IsImageFormatScannable(image string) (bool, error) {
|
2023-01-17 16:14:17 -05:00
|
|
|
if scanner.cache.Get(image) != nil {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
2022-09-28 13:39:54 -05:00
|
|
|
imageDir, inputTag := common.GetImageDirAndTag(image)
|
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
repoMeta, err := scanner.repoDB.GetRepoMeta(imageDir)
|
2022-09-28 13:39:54 -05:00
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
manifestDigestStr, ok := repoMeta.Tags[inputTag]
|
|
|
|
if !ok {
|
|
|
|
return false, zerr.ErrTagMetaNotFound
|
|
|
|
}
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
manifestDigest, err := godigest.Parse(manifestDigestStr.Digest)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
manifestData, err := scanner.repoDB.GetManifestData(manifestDigest)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
var manifestContent ispec.Manifest
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
err = json.Unmarshal(manifestData.ManifestBlob, &manifestContent)
|
|
|
|
if err != nil {
|
|
|
|
scanner.log.Error().Err(err).Str("image", image).Msg("unable to unmashal manifest blob")
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
return false, zerr.ErrScanNotSupported
|
|
|
|
}
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
for _, imageLayer := range manifestContent.Layers {
|
|
|
|
switch imageLayer.MediaType {
|
|
|
|
case ispec.MediaTypeImageLayerGzip, ispec.MediaTypeImageLayer, string(regTypes.DockerLayer):
|
2023-01-20 15:09:40 -05:00
|
|
|
continue
|
2023-01-09 15:37:44 -05:00
|
|
|
default:
|
|
|
|
scanner.log.Debug().Str("image", image).
|
|
|
|
Msgf("image media type %s not supported for scanning", imageLayer.MediaType)
|
2022-09-28 13:39:54 -05:00
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
return false, zerr.ErrScanNotSupported
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-20 15:09:40 -05:00
|
|
|
return true, nil
|
2022-09-28 13:39:54 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
func (scanner Scanner) ScanImage(image string) (map[string]cvemodel.CVE, error) {
|
2023-01-17 16:14:17 -05:00
|
|
|
if scanner.cache.Get(image) != nil {
|
|
|
|
return scanner.cache.Get(image), nil
|
|
|
|
}
|
|
|
|
|
2022-09-28 13:39:54 -05:00
|
|
|
cveidMap := make(map[string]cvemodel.CVE)
|
|
|
|
|
2023-01-09 15:37:44 -05:00
|
|
|
scanner.log.Debug().Str("image", image).Msg("scanning image")
|
2022-09-28 13:39:54 -05:00
|
|
|
|
|
|
|
scanner.dbLock.Lock()
|
2023-01-18 11:24:44 -05:00
|
|
|
opts := scanner.getTrivyOptions(image)
|
|
|
|
report, err := scanner.runTrivy(opts)
|
2022-09-28 13:39:54 -05:00
|
|
|
scanner.dbLock.Unlock()
|
|
|
|
|
2022-10-05 05:21:14 -05:00
|
|
|
if err != nil { //nolint: wsl
|
2022-09-28 13:39:54 -05:00
|
|
|
scanner.log.Error().Err(err).Str("image", image).Msg("unable to scan image")
|
|
|
|
|
|
|
|
return cveidMap, err
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, result := range report.Results {
|
|
|
|
for _, vulnerability := range result.Vulnerabilities {
|
|
|
|
pkgName := vulnerability.PkgName
|
|
|
|
|
|
|
|
installedVersion := vulnerability.InstalledVersion
|
|
|
|
|
|
|
|
var fixedVersion string
|
|
|
|
if vulnerability.FixedVersion != "" {
|
|
|
|
fixedVersion = vulnerability.FixedVersion
|
|
|
|
} else {
|
|
|
|
fixedVersion = "Not Specified"
|
|
|
|
}
|
|
|
|
|
|
|
|
_, ok := cveidMap[vulnerability.VulnerabilityID]
|
|
|
|
if ok {
|
|
|
|
cveDetailStruct := cveidMap[vulnerability.VulnerabilityID]
|
|
|
|
|
|
|
|
pkgList := cveDetailStruct.PackageList
|
|
|
|
|
|
|
|
pkgList = append(
|
|
|
|
pkgList,
|
|
|
|
cvemodel.Package{
|
|
|
|
Name: pkgName,
|
|
|
|
InstalledVersion: installedVersion,
|
|
|
|
FixedVersion: fixedVersion,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
cveDetailStruct.PackageList = pkgList
|
|
|
|
|
|
|
|
cveidMap[vulnerability.VulnerabilityID] = cveDetailStruct
|
|
|
|
} else {
|
|
|
|
newPkgList := make([]cvemodel.Package, 0)
|
|
|
|
|
|
|
|
newPkgList = append(
|
|
|
|
newPkgList,
|
|
|
|
cvemodel.Package{
|
|
|
|
Name: pkgName,
|
|
|
|
InstalledVersion: installedVersion,
|
|
|
|
FixedVersion: fixedVersion,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
cveidMap[vulnerability.VulnerabilityID] = cvemodel.CVE{
|
|
|
|
ID: vulnerability.VulnerabilityID,
|
|
|
|
Title: vulnerability.Title,
|
|
|
|
Description: vulnerability.Description,
|
|
|
|
Severity: vulnerability.Severity,
|
|
|
|
PackageList: newPkgList,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-17 16:14:17 -05:00
|
|
|
scanner.cache.Add(image, cveidMap)
|
|
|
|
|
2022-09-28 13:39:54 -05:00
|
|
|
return cveidMap, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateDb download the Trivy DB / Cache under the store root directory.
|
|
|
|
func (scanner Scanner) UpdateDB() error {
|
|
|
|
// We need a lock as using multiple substores each with it's own DB
|
|
|
|
// can result in a DATARACE because some varibles in trivy-db are global
|
|
|
|
// https://github.com/project-zot/trivy-db/blob/main/pkg/db/db.go#L23
|
|
|
|
scanner.dbLock.Lock()
|
|
|
|
defer scanner.dbLock.Unlock()
|
|
|
|
|
|
|
|
if scanner.storeController.DefaultStore != nil {
|
2023-01-18 11:24:44 -05:00
|
|
|
dbDir := path.Join(scanner.storeController.DefaultStore.RootDir(), "_trivy")
|
2022-09-28 13:39:54 -05:00
|
|
|
|
|
|
|
err := scanner.updateDB(dbDir)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if scanner.storeController.SubStore != nil {
|
|
|
|
for _, storage := range scanner.storeController.SubStore {
|
2023-01-18 11:24:44 -05:00
|
|
|
dbDir := path.Join(storage.RootDir(), "_trivy")
|
|
|
|
|
|
|
|
err := scanner.updateDB(dbDir)
|
2022-09-28 13:39:54 -05:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-17 16:14:17 -05:00
|
|
|
scanner.cache.Purge()
|
|
|
|
|
2022-09-28 13:39:54 -05:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (scanner Scanner) updateDB(dbDir string) error {
|
|
|
|
scanner.log.Debug().Msgf("Download Trivy DB to destination dir: %s", dbDir)
|
|
|
|
|
2023-01-18 17:18:03 -05:00
|
|
|
err := operation.DownloadDB("dev", dbDir, scanner.dbRepository, false, false, false)
|
2022-09-28 13:39:54 -05:00
|
|
|
if err != nil {
|
|
|
|
scanner.log.Error().Err(err).Msgf("Error downloading Trivy DB to destination dir: %s", dbDir)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
scanner.log.Debug().Msgf("Finished downloading Trivy DB to destination dir: %s", dbDir)
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (scanner Scanner) CompareSeverities(severity1, severity2 string) int {
|
|
|
|
return dbTypes.CompareSeverityString(severity1, severity2)
|
|
|
|
}
|