Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(secret): add line from dockerfile where secret was added to secret result #2780

Merged
merged 15 commits into from Sep 15, 2022
Merged

feat(secret): add line from dockerfile where secret was added to secret result #2780

merged 15 commits into from Sep 15, 2022

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Aug 25, 2022
edited

Description

For images: secrets contain the string from dockerfile where this secret was added from.
Also, this line is contained in the table report.
e.g.

/secret.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-access-key-id)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /secret.txt:1
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 This secret is added in 'echo "AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF" > secret.txt'
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ AWS_ACCESS_KEY_ID=********************
   2   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen changed the title feat(secrets): add line from dockerfile where secret was added to secret feat(secret): add line from dockerfile where secret was added to secret Aug 25, 2022
knqyf263
knqyf263 reviewed Aug 28, 2022
View reviewed changes
pkg/fanal/types/secret.go Outdated
Layer Layer `json:",omitempty"`
CreatedBy string
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if we put CreatedBy into Layer?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DOne

pkg/report/table/secret_test.go Outdated
Comment on lines 118 to 120
my-file:3-4
────────────────────────────────────────
This secret is added in 'COPY my-file my-file'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After some consideration, I came up with another idea. One line looks better. If it has a file hash, what if we take the first 7 characters like git rev-parse --short HEAD?

Suggested change
my-file:3-4
────────────────────────────────────────
This secret is added in 'COPY my-file my-file'
my-file:3-4 (added by 'COPY my-file my-file')

Then, if it is still too long, we can cut it like the first 40 chars, etc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

pkg/fanal/artifact/image/image.go Outdated
layerKeyMap := map[string]string{}
var createdBy []string
// save createdBy fields in order of layers
for i := 0; i < len(configFile.History); i++ {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for i := 0; i < len(configFile.History); i++ {
for i, history := range configFile.History {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

pkg/fanal/artifact/image/image.go Outdated
layerKeyMap[blobKey] = diffID

c := ""
if len(createdBy) > 0 {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if len(createdBy) > 0 {
if len(createdBy) > i {

pkg/fanal/artifact/image/image.go
hookVersions := a.handlerManager.Versions()
var layerKeys []string
for _, diffID := range diffIDs {
for i, diffID := range diffIDs {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should compare len(diffIDs) and len(createdBy). They should be the same. If they don't match, we should warn it. It is probably our bug.

@CLAassistant
Copy link

CLAassistant commented Aug 29, 2022
edited

CLA assistant check
All committers have signed the CLA.

ankk13
ankk13 reviewed Aug 29, 2022
View reviewed changes
Copy link
Contributor

@ankk13 ankk13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The deleted secret can be removed from secret map, if respective OpaqueDirs/Whiteoutfiles are found.

@DmitriyLewen DmitriyLewen changed the title feat(secret): add line from dockerfile where secret was added to secret feat(secret): add line from dockerfile where secret was added to secret result Aug 30, 2022
@DmitriyLewen
Copy link
Contributor Author

Hello @ankk13
You want to remove secret from secretMap, if it was removed in upper layer, right?

if so - we can't do that, because image still contain this secret.
It is not safely. User needs to remove secret from layer where this secret was added

@DmitriyLewen DmitriyLewen self-assigned this Aug 31, 2022
@ankk13
Copy link
Contributor

ankk13 commented Sep 7, 2022

ove secret from secretMap, if it was removed in upper layer, right?

if so - we can't do that, because image still contain this secret.

Yes, even if image still contain layer. I believe it is correct to tag secret as "delete in intermediate layer", as we are not commenting that secret is deleted. Let me know if you feel otherwise

@knqyf263 knqyf263 marked this pull request as ready for review September 13, 2022 18:40
@knqyf263 knqyf263 added this to the v0.32.0 milestone Sep 15, 2022
@knqyf263 knqyf263 merged commit b6e394d into main Sep 15, 2022
@knqyf263 knqyf263 deleted the feat/dockerfile-line-for-secrets branch September 15, 2022 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

@ankk13 ankk13 ankk13 approved these changes

@tonaim tonaim tonaim approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
v0.32.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@DmitriyLewen @CLAassistant @ankk13 @knqyf263 @tonaim