diff --git a/core/config.go b/core/config.go index 4976ae9..9cc0205 100644 --- a/core/config.go +++ b/core/config.go @@ -120,7 +120,7 @@ func getDefaultConfig() (*Config, error) { func loadConfigFile(configPath string) (*Config, error) { var ( - config *Config = &Config{} + config = &Config{} data []byte err error ) diff --git a/core/lock.go b/core/lock.go index 5eaf17a..1b0c041 100644 --- a/core/lock.go +++ b/core/lock.go @@ -25,7 +25,7 @@ func getBootId() ([]byte, error) { return bootId, nil } -// Acquires a shared lock on the file. +// LockFile Acquires a shared lock on the file. func (f *Flock) LockFile() error { f.m.Lock() defer f.m.Unlock() @@ -51,7 +51,7 @@ func (f *Flock) LockFile() error { return nil } -// Releases the lock on the file. +// UnlockFile Releases the lock on the file. func (f *Flock) UnlockFile() error { f.m.Lock() defer f.m.Unlock() diff --git a/core/match.go b/core/match.go index d14ec2c..bc4ac84 100644 --- a/core/match.go +++ b/core/match.go @@ -19,7 +19,6 @@ func NewMatchFile(path string) MatchFile { path = filepath.ToSlash(path) _, filename := filepath.Split(path) extension := filepath.Ext(path) - // contents, _ := ioutil.ReadFile(path) return MatchFile{ Path: path, @@ -29,7 +28,7 @@ func NewMatchFile(path string) MatchFile { } } -// IsSkippableFile Checks if the path is blacklisted +// IsSkippableDir Checks if the path is blacklisted func IsSkippableDir(path string, baseDir string) bool { hostMountPath := *session.Options.HostMountPath if hostMountPath != "" { @@ -92,8 +91,8 @@ func ContainsBlacklistedString(input []byte) bool { return false } -//// GetMatchingFiles Return the list of all applicable files inside the given directory for scanning -//func GetMatchingFiles(dir string, baseDir string) (*bytes.Buffer, *bytes.Buffer, error) { +// // GetMatchingFiles Return the list of all applicable files inside the given directory for scanning +// func GetMatchingFiles(dir string, baseDir string) (*bytes.Buffer, *bytes.Buffer, error) { // findCmd := "find " + dir // for _, skippableExt := range session.Config.BlacklistedExtensions { // findCmd += " -not -name \"*" + skippableExt + "\"" @@ -110,7 +109,7 @@ func ContainsBlacklistedString(input []byte) bool { // GetSession().Log.Info("find command: %s", findCmd) // // return ExecuteCommand(findCmd) -//} +// } // UpdateDirsPermissionsRW Update permissions for dirs in container images, so that they can be properly deleted func UpdateDirsPermissionsRW(dir string) { diff --git a/core/util.go b/core/util.go index b0cbabe..7e66216 100644 --- a/core/util.go +++ b/core/util.go @@ -85,9 +85,9 @@ func GetTmpDir(imageName string) (string, error) { dir := *session.Options.TempDirectory tempPath := filepath.Join(dir, "Deepfence", TempDirSuffix, scanId) - //if runtime.GOOS == "windows" { + // if runtime.GOOS == "windows" { // tempPath = dir + "\temp\Deepfence\SecretScanning\df_" + scanId - //} + // } completeTempPath := path.Join(tempPath, ExtractedImageFilesDir) diff --git a/signature/hs_pattens.go b/signature/hs_pattens.go index 14a2d96..5ef4112 100644 --- a/signature/hs_pattens.go +++ b/signature/hs_pattens.go @@ -9,6 +9,7 @@ import ( // Build hyperscan Databases for matching different parts in the beginning // This can be used for repeated scanning + func BuildHsDb() { for _, part := range []string{ContentsPart, FilenamePart, PathPart, ExtPart} { core.GetSession().Log.Info("Creating hyperscan database for %s", part) @@ -27,6 +28,7 @@ func BuildHsDb() { // @returns // []*hyperscan.Pattern - List of hyperscan patterns // error - Errors if any. Otherwise, returns nil + func CreateHsPatterns(part string) ([]*hyperscan.Pattern, error) { var hsPatterns []*hyperscan.Pattern @@ -56,6 +58,7 @@ func CreateHsPatterns(part string) ([]*hyperscan.Pattern, error) { // hsPatterns - List of hyperscan patterns // @returns // BlockDatabase - Hyperscan database for the given list of patterns + func CreateHsDb(hsPatterns []*hyperscan.Pattern) hyperscan.BlockDatabase { hyperscanBlockDb, err := hyperscan.NewBlockDatabase(hsPatterns...) if err != nil { @@ -71,6 +74,7 @@ func CreateHsDb(hsPatterns []*hyperscan.Pattern) hyperscan.BlockDatabase { // hsIOData - Metadata containing the contents being matched, filename, layerID etc. // @returns // Error - Errors if any. Otherwise, returns nil + func RunHyperscan(hyperscanBlockDb hyperscan.BlockDatabase, hsIOData HsInputOutputData) error { hyperscanScratch, err := hyperscan.NewScratch(hyperscanBlockDb) if err != nil { diff --git a/signature/signatures.go b/signature/signatures.go index 50c3c0a..c3c8a8a 100644 --- a/signature/signatures.go +++ b/signature/signatures.go @@ -28,6 +28,7 @@ const ( ) // Data structure for passing inputs and getting outputs for hyperscan + type HsInputOutputData struct { inputData []byte // Avoids extra memory during blacklist comparison, reduces memory pressure @@ -64,6 +65,7 @@ func init() { // layerID - layer ID of this file in the container image // @returns // []output.SecretFound - List of all secrets found + func MatchSimpleSignatures(path string, filename string, extension string, layerID string, numSecrets *uint) []output.SecretFound { var tempSecretsFound []output.SecretFound var matchingPart string @@ -99,6 +101,7 @@ func MatchSimpleSignatures(path string, filename string, extension string, layer // @returns // []output.SecretFound - List of all secrets found // Error - Errors if any. Otherwise, returns nil + func MatchPatternSignatures(contents []byte, path string, filename string, extension string, layerID string, numSecrets *uint, matchedRuleSet map[uint]uint) ([]output.SecretFound, error) { var tempSecretsFound []output.SecretFound @@ -152,6 +155,7 @@ func MatchPatternSignatures(contents []byte, path string, filename string, exten // store them in appropriate maps // @parameters // configSignatures - Extracted patterns from signature config file + func ProcessSignatures(configSignatures []core.ConfigSignature) { var simpleContentSignatures []core.ConfigSignature var simpleExtSignatures []core.ConfigSignature @@ -418,7 +422,7 @@ func printMatchedSignatures(sid int, from, to int, hsIOData HsInputOutputData) ( } coloredMatch := fmt.Sprintf("%s%s%s\n", inputData[start:from], color.RedString(string(inputData[from:to])), inputData[to:end]) - //core.GetSession().Log.Info("%s%s%s\n", inputData[start:from], color.RedString(string(inputData[from:to])), inputData[to:end]) + // core.GetSession().Log.Info("%s%s%s\n", inputData[start:from], color.RedString(string(inputData[from:to])), inputData[to:end]) core.GetSession().Log.Info(coloredMatch) secret := output.SecretFound{ @@ -474,6 +478,7 @@ func calculateSeverity(inputMatch []byte, severity string, severityScore float64 } // Find min of 2 int values + func Min(value_0, value_1 int) int { if value_0 < value_1 { return value_0 @@ -482,6 +487,7 @@ func Min(value_0, value_1 int) int { } // Find max of 2 int values + func Max(value_0, value_1 int) int { if value_0 > value_1 { return value_0