Turn off the offline pomxml extractor if we have network access.

PiperOrigin-RevId: 730869967
google · Feb 25, 2025 · 212517d · 212517d
1 parent 93fce00
commit 212517d
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 18 deletions.
diff --git a/binary/cli/cli.go b/binary/cli/cli.go
@@ -525,14 +525,14 @@ func (f *Flags) capabilities() *plugin.Capabilities {
 		// We're scanning a Linux container image whose filesystem is mounted to the host's disk.
 		return &plugin.Capabilities{
 			OS:            plugin.OSLinux,
-			Network:       true,
+			Network:       plugin.NetworkOnline,
 			DirectFS:      true,
 			RunningSystem: false,
 		}
 	}
 	return &plugin.Capabilities{
 		OS:            platform.OS(),
-		Network:       true,
+		Network:       plugin.NetworkOnline,
 		DirectFS:      true,
 		RunningSystem: true,
 	}

diff --git a/detector/govulncheck/binary/binary.go b/detector/govulncheck/binary/binary.go
@@ -53,7 +53,11 @@ func (Detector) Version() int { return 0 }
 
 // Requirements of the detector.
 func (d Detector) Requirements() *plugin.Capabilities {
-	return &plugin.Capabilities{Network: d.OfflineVulnDBPath == "", DirectFS: true}
+	net := plugin.NetworkOnline
+	if d.OfflineVulnDBPath == "" {
+		net = plugin.NetworkAny
+	}
+	return &plugin.Capabilities{Network: net, DirectFS: true}
 }
 
 // RequiredExtractors returns the go binary extractor.

diff --git a/extractor/filesystem/language/java/pomxml/pomxml.go b/extractor/filesystem/language/java/pomxml/pomxml.go
@@ -140,7 +140,7 @@ func (e Extractor) Version() int { return 0 }
 
 // Requirements of the extractor
 func (e Extractor) Requirements() *plugin.Capabilities {
-	return &plugin.Capabilities{}
+	return &plugin.Capabilities{Network: plugin.NetworkOffline}
 }
 
 // FileRequired returns true if the specified file matches Maven POM lockfile patterns.

diff --git a/extractor/filesystem/language/java/pomxmlnet/pomxmlnet.go b/extractor/filesystem/language/java/pomxmlnet/pomxmlnet.go
@@ -84,7 +84,7 @@ func (e Extractor) Version() int { return 0 }
 // Requirements of the extractor.
 func (e Extractor) Requirements() *plugin.Capabilities {
 	return &plugin.Capabilities{
-		Network:  true,
+		Network:  plugin.NetworkOnline,
 		DirectFS: true,
 	}
 }

diff --git a/plugin/plugin.go b/plugin/plugin.go
@@ -34,13 +34,26 @@ const (
 	OSUnix OS = iota
 )
 
+// Network is the network access of the scanner or the network
+// requirements of a plugin.
+type Network int
+
+// Network values
+const (
+	// NetworkAny is used only when specifying Plugin requirements. Specifies
+	// that the plugin doesn't care whether the scanner has network access or not.
+	NetworkAny     Network = iota
+	NetworkOffline Network = iota
+	NetworkOnline  Network = iota
+)
+
 // Capabilities lists capabilities that the scanning environment provides for the plugins.
 // A plugin can't be enabled if it has more requirements than what the scanning environment provides.
 type Capabilities struct {
 	// A specific OS type a Plugin needs to be run on.
 	OS OS
 	// Whether network access is provided.
-	Network bool
+	Network Network
 	// Whether the scanned artifacts can be access through direct filesystem calls.
 	// True on hosts where the scan target is mounted onto the host's filesystem directly.
 	// In these cases the plugin can open direct file paths with e.g. os.Open(path).
@@ -103,8 +116,12 @@ func ValidateRequirements(p Plugin, capabs *Capabilities) error {
 	} else if p.Requirements().OS != OSAny && p.Requirements().OS != capabs.OS {
 		errs = append(errs, "needs to run on a different OS than that of the scan environment")
 	}
-	if p.Requirements().Network && !capabs.Network {
-		errs = append(errs, "needs network access but scan environment doesn't provide it")
+	if p.Requirements().Network != NetworkAny && p.Requirements().Network != capabs.Network {
+		if capabs.Network == NetworkOffline {
+			errs = append(errs, "needs network access but scan environment doesn't provide it")
+		} else {
+			errs = append(errs, "should only run offline but the scan environment provides network access")
+		}
 	}
 	if p.Requirements().DirectFS && !capabs.DirectFS {
 		errs = append(errs, "needs direct filesystem access but scan environment doesn't provide it")

diff --git a/plugin/plugin_test.go b/plugin/plugin_test.go
@@ -45,22 +45,34 @@ func TestValidateRequirements(t *testing.T) {
 		},
 		{
 			desc:       "All requirements satisfied",
-			pluginReqs: &plugin.Capabilities{Network: true, DirectFS: true},
-			capabs:     &plugin.Capabilities{Network: true, DirectFS: true},
+			pluginReqs: &plugin.Capabilities{Network: plugin.NetworkOnline, DirectFS: true},
+			capabs:     &plugin.Capabilities{Network: plugin.NetworkOnline, DirectFS: true},
 			wantErr:    nil,
 		},
 		{
 			desc:       "One requirement not satisfied",
-			pluginReqs: &plugin.Capabilities{Network: true, DirectFS: true},
-			capabs:     &plugin.Capabilities{Network: true, DirectFS: false},
+			pluginReqs: &plugin.Capabilities{Network: plugin.NetworkOnline, DirectFS: true},
+			capabs:     &plugin.Capabilities{Network: plugin.NetworkOnline, DirectFS: false},
 			wantErr:    cmpopts.AnyError,
 		},
 		{
 			desc:       "No requirement satisfied",
-			pluginReqs: &plugin.Capabilities{Network: true, DirectFS: true},
-			capabs:     &plugin.Capabilities{Network: false, DirectFS: false},
+			pluginReqs: &plugin.Capabilities{Network: plugin.NetworkOnline, DirectFS: true},
+			capabs:     &plugin.Capabilities{Network: plugin.NetworkOffline, DirectFS: false},
 			wantErr:    cmpopts.AnyError,
 		},
+		{
+			desc:       "Any network 1",
+			pluginReqs: &plugin.Capabilities{Network: plugin.NetworkAny},
+			capabs:     &plugin.Capabilities{Network: plugin.NetworkOffline},
+			wantErr:    nil,
+		},
+		{
+			desc:       "Any network 2",
+			pluginReqs: &plugin.Capabilities{Network: plugin.NetworkAny},
+			capabs:     &plugin.Capabilities{Network: plugin.NetworkOnline},
+			wantErr:    nil,
+		},
 		{
 			desc:       "Wrong OS",
 			pluginReqs: &plugin.Capabilities{OS: plugin.OSLinux},

diff --git a/scalibr_test.go b/scalibr_test.go
@@ -279,7 +279,7 @@ func (e fakeExNeedsNetwork) ToPURL(i *extractor.Inventory) *purl.PackageURL { re
 func (e fakeExNeedsNetwork) Ecosystem(i *extractor.Inventory) string        { return "" }
 
 func (fakeExNeedsNetwork) Requirements() *plugin.Capabilities {
-	return &plugin.Capabilities{Network: true}
+	return &plugin.Capabilities{Network: plugin.NetworkOnline}
 }
 
 type fakeDetNeedsFS struct {
@@ -311,7 +311,7 @@ func TestValidatePluginRequirements(t *testing.T) {
 					&fakeDetNeedsFS{},
 				},
 				Capabilities: &plugin.Capabilities{
-					Network:  true,
+					Network:  plugin.NetworkOnline,
 					DirectFS: true,
 				},
 			},
@@ -327,7 +327,7 @@ func TestValidatePluginRequirements(t *testing.T) {
 					&fakeDetNeedsFS{},
 				},
 				Capabilities: &plugin.Capabilities{
-					Network:  false,
+					Network:  plugin.NetworkOffline,
 					DirectFS: true,
 				},
 			},
@@ -343,7 +343,7 @@ func TestValidatePluginRequirements(t *testing.T) {
 					&fakeDetNeedsFS{},
 				},
 				Capabilities: &plugin.Capabilities{
-					Network:  false,
+					Network:  plugin.NetworkOffline,
 					DirectFS: false,
 				},
 			},