feat(cli): rename --vuln-type flag to --pkg-types flag (aquasecur…
DmitriyLewen authored and skahn007gl committed Jul 23, 2024
1 parent 4a6abdb commit 1406e23
Showing 27 changed files with 161 additions and 200 deletions.
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_filesystem.md
Expand Up @@ -63,6 +63,7 @@ trivy filesystem [flags] PATH
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand All @@ -89,7 +90,6 @@ trivy filesystem [flags] PATH
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_image.md
Expand Up @@ -81,6 +81,7 @@ trivy image [flags] IMAGE_NAME
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--redis-ca string redis ca file location, if using redis as cache backend
Expand Down Expand Up @@ -109,7 +110,6 @@ trivy image [flags] IMAGE_NAME
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_kubernetes.md
Expand Up @@ -78,6 +78,7 @@ trivy kubernetes [flags] [CONTEXT]
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
Expand All @@ -103,7 +104,6 @@ trivy kubernetes [flags] [CONTEXT]
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_repository.md
Expand Up @@ -63,6 +63,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand All @@ -89,7 +90,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_rootfs.md
Expand Up @@ -65,6 +65,7 @@ trivy rootfs [flags] ROOTDIR
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand All @@ -90,7 +91,6 @@ trivy rootfs [flags] ROOTDIR
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_sbom.md
Expand Up @@ -43,6 +43,7 @@ trivy sbom [flags] SBOM_PATH
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand All @@ -61,7 +62,6 @@ trivy sbom [flags] SBOM_PATH
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_vm.md
Expand Up @@ -56,6 +56,7 @@ trivy vm [flags] VM_IMAGE
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--pkg-types strings comma-separated list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
Expand All @@ -76,7 +77,6 @@ trivy vm [flags] VM_IMAGE
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vex string [EXPERIMENTAL] file path to VEX
--vuln-type strings comma-separated list of vulnerability types (os,library) (default [os,library])
```

### Options inherited from parent commands
13 changes: 7 additions & 6 deletions docs/docs/references/configuration/config-file.md
Expand Up @@ -81,6 +81,13 @@ severity:
- MEDIUM
- HIGH
- CRITICAL

# Same as '--pkg-types'
# Default is 'os,library'
pkg-types:
- os
- library


scan:
# Same as '--compliance'
Expand Down Expand Up @@ -261,12 +268,6 @@ Available with vulnerability scanning
```yaml
vulnerability:
# Same as '--vuln-type'
# Default is 'os,library'
type:
- os
- library

# Same as '--ignore-unfixed'
# Default is false
ignore-unfixed: false
4 changes: 2 additions & 2 deletions docs/docs/scanner/vulnerability.md
Expand Up @@ -204,7 +204,7 @@ Other common options are documented [here](../configuration/index.md).

### Enabling a subset of package types
It's possible to only enable certain package types if you prefer.
You can do so by passing the `--vuln-type` option.
You can do so by passing the `--pkg-types` option.
This flag takes a comma-separated list of package types.

Available values:
Expand All @@ -215,7 +215,7 @@ Available values:
- Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).

```bash
$ trivy image --vuln-type os ruby:2.4.0
$ trivy image --pkg-types os ruby:2.4.0
```


3 changes: 3 additions & 0 deletions pkg/commands/app.go
Expand Up @@ -512,6 +512,8 @@ func NewConvertCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
ScanFlagGroup: &flag.ScanFlagGroup{},
ReportFlagGroup: flag.NewReportFlagGroup(),
}
convertFlags.ReportFlagGroup.PkgTypes = nil // disable '--pkg-types'

cmd := &cobra.Command{
Use: "convert [flags] RESULT_JSON",
Aliases: []string{"conv"},
Expand Down Expand Up @@ -679,6 +681,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
configFlags.ReportFlagGroup.ListAllPkgs = nil // disable '--list-all-pkgs'
configFlags.ReportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
configFlags.ReportFlagGroup.ShowSuppressed = nil // disable '--show-suppressed'
configFlags.ReportFlagGroup.PkgTypes = nil // disable '--pkg-types'
configFlags.ReportFlagGroup.ReportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
configFlags.CacheFlagGroup.CacheBackend.Default = string(cache.TypeMemory)

8 changes: 4 additions & 4 deletions pkg/commands/artifact/run.go
Expand Up @@ -201,7 +201,7 @@ func (r *runner) scanFS(ctx context.Context, opts flag.Options) (types.Report, e

func (r *runner) ScanRepository(ctx context.Context, opts flag.Options) (types.Report, error) {
// Do not scan OS packages
opts.VulnType = []string{types.VulnTypeLibrary}
opts.PkgTypes = []string{types.PkgTypeLibrary}

// Disable the OS analyzers, individual package analyzers and SBOM analyzer
opts.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
Expand Down Expand Up @@ -405,7 +405,7 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
}

// Do not analyze programming language packages when not running in 'library'
if !slices.Contains(opts.VulnType, types.VulnTypeLibrary) {
if !slices.Contains(opts.PkgTypes, types.PkgTypeLibrary) {
analyzers = append(analyzers, analyzer.TypeLanguages...)
}

Expand Down Expand Up @@ -473,7 +473,7 @@ func (r *runner) initScannerConfig(opts flag.Options) (ScannerConfig, types.Scan
}

scanOptions := types.ScanOptions{
VulnType: opts.VulnType,
PkgTypes: opts.PkgTypes,
Scanners: opts.Scanners,
ImageConfigScanners: opts.ImageConfigScanners, // this is valid only for 'image' subcommand
ScanRemovedPackages: opts.ScanRemovedPkgs, // this is valid only for 'image' subcommand
Expand All @@ -488,7 +488,7 @@ func (r *runner) initScannerConfig(opts flag.Options) (ScannerConfig, types.Scan

if opts.Scanners.Enabled(types.VulnerabilityScanner) {
log.Info("Vulnerability scanning is enabled")
log.Debug("Vulnerability type", log.Any("type", scanOptions.VulnType))
log.Debug("Package types", log.Any("types", scanOptions.PkgTypes))
}

// ScannerOption is filled only when config scanning is enabled.
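Review bot: ScanRepository overwrites opts.PkgTypes with `[]string{types.PkgTypeLibrary}` unconditionally, so a user who passes `--pkg-types os` to a repository scan has the value silently replaced rather than being told it has no effect; the same override existed for VulnType on the removed line, but the rename is the moment to make it visible. A line before the assignment such as `log.Debug("Overriding package types for repository scanning", log.Any("types", opts.PkgTypes))` would do that with the log helpers this file already uses in initScannerConfig. In the second hunk, disabledAnalyzers now keys language-analyzer selection on a flag that lives in ReportFlagGroup, so the comment `// Do not scan OS packages` above the assignment could also say that the value decides which analyzers run, not only which results are reported. ScanRepository and disabledAnalyzers both continue outside the hunk.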
19 changes: 19 additions & 0 deletions pkg/flag/report_flags.go
Expand Up @@ -106,6 +106,20 @@ var (
ConfigName: "scan.show-suppressed",
Usage: "[EXPERIMENTAL] show suppressed vulnerabilities",
}
PkgTypesFlag = Flag[[]string]{
Name: "pkg-types",
ConfigName: "pkg-types",
Default: types.PkgTypes,
Values: types.PkgTypes,
Usage: "comma-separated list of package types",
Aliases: []Alias{
{
Name: "vuln-type",
ConfigName: "vulnerability.type",
Deprecated: true, // --vuln-type was renamed to --pkg-types
},
},
}
)

// ReportFlagGroup composes common printer flag structs
Expand All @@ -125,6 +139,7 @@ type ReportFlagGroup struct {
Severity *Flag[[]string]
Compliance *Flag[string]
ShowSuppressed *Flag[bool]
PkgTypes *Flag[[]string]
}

type ReportOptions struct {
Expand All @@ -142,6 +157,7 @@ type ReportOptions struct {
Severities []dbTypes.Severity
Compliance spec.ComplianceSpec
ShowSuppressed bool
PkgTypes []string
}

func NewReportFlagGroup() *ReportFlagGroup {
Expand All @@ -160,6 +176,7 @@ func NewReportFlagGroup() *ReportFlagGroup {
Severity: SeverityFlag.Clone(),
Compliance: ComplianceFlag.Clone(),
ShowSuppressed: ShowSuppressedFlag.Clone(),
PkgTypes: PkgTypesFlag.Clone(),
}
}

Expand All @@ -183,6 +200,7 @@ func (f *ReportFlagGroup) Flags() []Flagger {
f.Severity,
f.Compliance,
f.ShowSuppressed,
f.PkgTypes,
}
}

Expand Down Expand Up @@ -252,6 +270,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
Severities: toSeverity(f.Severity.Value()),
Compliance: cs,
ShowSuppressed: f.ShowSuppressed.Value(),
PkgTypes: f.PkgTypes.Value(),
}, nil
}

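Review bot: PkgTypesFlag uses the same slice, `types.PkgTypes`, for both `Default:` and `Values:`, whereas the removed VulnTypeFlag in vulnerability_flags.go built two separate literals; if any code path ever appends to or otherwise mutates a flag's Default in place (the page only shows Default being reassigned, not modified), the allowed-value list would change with it. `Default: slices.Clone(types.PkgTypes)` would detach the two, or a doc comment can state that Default must not be modified in place. The exported flag also lacks a doc comment; `// PkgTypesFlag selects the package types (os, library) to scan; the deprecated --vuln-type / vulnerability.type alias is still accepted.` would cover it. The var block starts outside the hunk.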
25 changes: 25 additions & 0 deletions pkg/flag/report_flags_test.go
Expand Up @@ -31,6 +31,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
severities string
compliance string
debug bool
pkgTypes string
}
tests := []struct {
name string
Expand Down Expand Up @@ -159,6 +160,28 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
Severities: []dbTypes.Severity{dbTypes.SeverityLow},
},
},
{
name: "happy path for OS packages",
fields: fields{
pkgTypes: "os",
},
want: flag.ReportOptions{
PkgTypes: []string{
types.PkgTypeOS,
},
},
},
{
name: "happy path for library packages",
fields: fields{
pkgTypes: "library",
},
want: flag.ReportOptions{
PkgTypes: []string{
types.PkgTypeLibrary,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand All @@ -183,6 +206,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
setValue(flag.OutputPluginArgFlag.ConfigName, tt.fields.outputPluginArgs)
setValue(flag.SeverityFlag.ConfigName, tt.fields.severities)
setValue(flag.ComplianceFlag.ConfigName, tt.fields.compliance)
setValue(flag.PkgTypesFlag.ConfigName, tt.fields.pkgTypes)

// Assert options
f := &flag.ReportFlagGroup{
Expand All @@ -198,6 +222,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
OutputPluginArg: flag.OutputPluginArgFlag.Clone(),
Severity: flag.SeverityFlag.Clone(),
Compliance: flag.ComplianceFlag.Clone(),
PkgTypes: flag.PkgTypesFlag.Clone(),
}

got, err := f.ToOptions()
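Review bot: The two new cases only exercise `pkgTypes: "os"` and `"library"` set through PkgTypesFlag.ConfigName; nothing covers the deprecated alias the flag now declares, so a regression where `vulnerability.type` in a config file stops mapping to PkgTypes would not be caught by this test. A third case that calls `setValue("vulnerability.type", "os")` and expects `PkgTypes: []string{types.PkgTypeOS}` would pin that path, assuming setValue writes to the same store the alias is resolved from. Whether an unknown value such as `"foo"` is rejected by ToOptions is not visible on the page; if the Values list is enforced there, an error case is worth adding as well. TestReportFlagGroup_ToOptions continues outside the hunk.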
19 changes: 0 additions & 19 deletions pkg/flag/vulnerability_flags.go
Expand Up @@ -5,23 +5,9 @@ import (

dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
)

var (
VulnTypeFlag = Flag[[]string]{
Name: "vuln-type",
ConfigName: "vulnerability.type",
Default: []string{
types.VulnTypeOS,
types.VulnTypeLibrary,
},
Values: []string{
types.VulnTypeOS,
types.VulnTypeLibrary,
},
Usage: "comma-separated list of vulnerability types",
}
IgnoreUnfixedFlag = Flag[bool]{
Name: "ignore-unfixed",
ConfigName: "vulnerability.ignore-unfixed",
Expand All @@ -42,21 +28,18 @@ var (
)

type VulnerabilityFlagGroup struct {
VulnType *Flag[[]string]
IgnoreUnfixed *Flag[bool]
IgnoreStatus *Flag[[]string]
VEXPath *Flag[string]
}

type VulnerabilityOptions struct {
VulnType []string
IgnoreStatuses []dbTypes.Status
VEXPath string
}

func NewVulnerabilityFlagGroup() *VulnerabilityFlagGroup {
return &VulnerabilityFlagGroup{
VulnType: VulnTypeFlag.Clone(),
IgnoreUnfixed: IgnoreUnfixedFlag.Clone(),
IgnoreStatus: IgnoreStatusFlag.Clone(),
VEXPath: VEXFlag.Clone(),
Expand All @@ -69,7 +52,6 @@ func (f *VulnerabilityFlagGroup) Name() string {

func (f *VulnerabilityFlagGroup) Flags() []Flagger {
return []Flagger{
f.VulnType,
f.IgnoreUnfixed,
f.IgnoreStatus,
f.VEXPath,
Expand Down Expand Up @@ -105,7 +87,6 @@ func (f *VulnerabilityFlagGroup) ToOptions() (VulnerabilityOptions, error) {
log.Debug("Ignore statuses", log.Any("statuses", ignoreStatuses))

return VulnerabilityOptions{
VulnType: f.VulnType.Value(),
IgnoreStatuses: ignoreStatuses,
VEXPath: f.VEXPath.Value(),
}, nil
