feat(misconf): Support symlinks inside of tar archives #6556

Closed
2 tasks done
simar7 opened this issue Apr 24, 2024 Discussed in #6554 · 0 comments · Fixed by #6621
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
Comments

simar7 commented Apr 24, 2024

Discussed in #6554

Originally posted by fabpiaf April 24, 2024

Description

x.tar is a gunzipped docker image.

trivy filesystem --scanners misconfig x.tar
2024-04-24T10:27:06.161Z        INFO    Misconfiguration scanning is enabled
2024-04-24T10:27:06.808Z        FATAL   filesystem scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: helm scan error: scan config error: walk dir error: failed to add tar "x.tar" to FS: header type '2' is not supported

but:

tar xf x.tar
trivy filesystem --scanners misconfig taredfolder
2024-04-24T10:28:08.086Z        INFO    Misconfiguration scanning is enabled
2024-04-24T10:28:16.060Z        INFO    Detected config files: 16

somename/taredfolder/runtime/templates/deployment.yaml (helm)

Tests: 139 (SUCCESSES: 125, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (UNKNOWN: 0, LOW: 9, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

...

Desired Behavior

trivy scans tar successfully without prior manual extraction

Actual Behavior

trivy needs manual extraction prior to scanning

Reproduction Steps

see above

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-04-24T10:32:23.077Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-24T10:32:23.078Z        DEBUG   Ignore statuses {"statuses": null}
2024-04-24T10:32:23.083Z        DEBUG   cache dir:  /home/test/.cache/trivy
2024-04-24T10:32:23.083Z        INFO    Misconfiguration scanning is enabled
2024-04-24T10:32:23.083Z        DEBUG   Policies successfully loaded from disk
2024-04-24T10:32:23.083Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-24T10:32:23.104Z        DEBUG   Walk the file tree rooted at 'x.tar' in parallel
2024-04-24T10:32:23.104Z        DEBUG   Scanning Helm files for misconfigurations...
2024-04-24T10:32:23.104Z        DEBUG   [misconf] 32:23.104727510 helm.scanner.rego                Overriding filesystem for policies!
2024-04-24T10:32:23.171Z        DEBUG   [misconf] 32:23.171272797 helm.scanner.rego                Loaded 194 policies from disk.
2024-04-24T10:32:23.171Z        DEBUG   [misconf] 32:23.171696638 helm.scanner.rego                Overriding filesystem for data!
2024-04-24T10:32:23.744Z        FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:429
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:710
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:148
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:164
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:496
  - helm scan error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/config.go:47
  - scan config error:
    github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan
        github.com/aquasecurity/trivy/pkg/misconf/scanner.go:162
  - walk dir error: failed to add tar "x.tar" to FS: header type '2' is not supported

Operating System

archlinux

Version

Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-24 06:10:39.74901266 +0000 UTC
  NextUpdate: 2024-04-24 12:10:39.749012299 +0000 UTC
  DownloadedAt: 2024-04-24 06:16:07.509008473 +0000 UTC
Policy Bundle:
  Digest: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
  DownloadedAt: 2024-04-23 10:57:09.408356928 +0000 UTC

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Apr 24, 2024
@nikpivkin nikpivkin self-assigned this May 3, 2024
@simar7 simar7 added this to the v0.52.0 milestone May 8, 2024
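The failing call in the trace above is the step that copies tar entries into an in-memory file system, and it rejects any header whose type flag it does not know; '2' is `tar.TypeSymlink` in Go's archive/tar, which every Docker image layer and most Helm chart tarballs contain. The program below is an added example, not trivy's code and not the fix from the linked PR: it shows the shape of a tar-backed file system that records symlink entries instead of failing on them, and the check a practitioner would want alongside that, namely that a link target (relative or absolute) is resolved only inside the archive root and that link chains are bounded. The archive it loads is constructed in memory and mimics the reporter's layout (a `deployment.yaml` under `templates/`, reached through symlinks); the names `TarFS`, `LoadTar`, `Resolve` and `ReadFile` are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// Added example, not trivy's implementation: an in-memory file system built
// from a tar stream that keeps symlink headers (tar.TypeSymlink, the
// "header type '2'" from the error in the issue) and validates their targets.

const maxLinkHops = 40 // loop guard, same bound the Linux kernel uses for ELOOP

var (
	ErrEscape      = errors.New("symlink target escapes archive root")
	ErrLoop        = errors.New("too many levels of symbolic links")
	ErrUnsupported = errors.New("unsupported tar header type")
)

type tarEntry struct {
	typeflag byte
	data     []byte // contents of a regular file
	link     string // Linkname of a symlink
}

type TarFS struct {
	entries map[string]*tarEntry
}

// normalize cleans an archive path such as "./a//b/" to "a/b".
func normalize(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// LoadTar walks every header; regular files, directories and symlinks are
// kept, anything else is still reported as unsupported.
func LoadTar(r io.Reader) (*TarFS, error) {
	fsys := &TarFS{entries: map[string]*tarEntry{}}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return fsys, nil
		}
		if err != nil {
			return nil, err
		}
		name := normalize(hdr.Name)
		switch hdr.Typeflag {
		case tar.TypeReg:
			data, err := io.ReadAll(tr)
			if err != nil {
				return nil, err
			}
			fsys.entries[name] = &tarEntry{typeflag: tar.TypeReg, data: data}
		case tar.TypeDir:
			fsys.entries[name] = &tarEntry{typeflag: tar.TypeDir}
		case tar.TypeSymlink:
			// Recorded here; the target is checked when the link is followed.
			fsys.entries[name] = &tarEntry{typeflag: tar.TypeSymlink, link: hdr.Linkname}
		default:
			return nil, fmt.Errorf("%w: header type '%c' (%s)", ErrUnsupported, hdr.Typeflag, name)
		}
	}
}

// resolveTarget maps a link target to an archive-relative path. Absolute
// targets are rooted at the archive root (the scanner's view of the image),
// relative ones at the link's directory; a target that would climb above the
// root is refused rather than silently clamped.
func resolveTarget(linkPath, target string) (string, error) {
	base := path.Dir(linkPath)
	if path.IsAbs(target) {
		base = "."
		target = strings.TrimLeft(target, "/")
	}
	joined := path.Join(base, target)
	if joined == ".." || strings.HasPrefix(joined, "../") {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscape, linkPath, target)
	}
	return joined, nil
}

// Resolve follows a chain of symlinks starting at name and returns the path
// of the final non-link entry. Only the last path component is resolved;
// symlinked parent directories are out of scope for this example.
func (f *TarFS) Resolve(name string) (string, error) {
	cur := normalize(name)
	for hops := 0; hops <= maxLinkHops; hops++ {
		e, ok := f.entries[cur]
		if !ok {
			return "", fmt.Errorf("%s: no such file in archive", cur)
		}
		if e.typeflag != tar.TypeSymlink {
			return cur, nil
		}
		next, err := resolveTarget(cur, e.link)
		if err != nil {
			return "", err
		}
		cur = next
	}
	return "", fmt.Errorf("%w: %s", ErrLoop, name)
}

// ReadFile returns the bytes of a regular file, following symlinks.
func (f *TarFS) ReadFile(name string) ([]byte, error) {
	real, err := f.Resolve(name)
	if err != nil {
		return nil, err
	}
	e := f.entries[real]
	if e.typeflag != tar.TypeReg {
		return nil, fmt.Errorf("%s: not a regular file", real)
	}
	return e.data, nil
}

// sampleArchive is a constructed tar, built in memory, with a Helm-style
// template plus symlinks: a relative chain, an absolute target, one that
// escapes the root, and a self-loop.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Size = int64(len(body))
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, body); err != nil {
			panic(err)
		}
	}
	add(&tar.Header{Name: "app/templates/", Typeflag: tar.TypeDir, Mode: 0o755}, "")
	add(&tar.Header{Name: "app/templates/deployment.yaml", Typeflag: tar.TypeReg, Mode: 0o644}, "kind: Deployment\n")
	add(&tar.Header{Name: "app/current", Typeflag: tar.TypeSymlink, Linkname: "templates/deployment.yaml", Mode: 0o777}, "")
	add(&tar.Header{Name: "app/latest", Typeflag: tar.TypeSymlink, Linkname: "current", Mode: 0o777}, "")
	add(&tar.Header{Name: "app/abs", Typeflag: tar.TypeSymlink, Linkname: "/app/templates/deployment.yaml", Mode: 0o777}, "")
	add(&tar.Header{Name: "app/evil", Typeflag: tar.TypeSymlink, Linkname: "../../etc/shadow", Mode: 0o777}, "")
	add(&tar.Header{Name: "app/loop", Typeflag: tar.TypeSymlink, Linkname: "loop", Mode: 0o777}, "")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	fsys, err := LoadTar(bytes.NewReader(sampleArchive()))
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"app/latest", "app/abs", "app/evil", "app/loop"} {
		data, err := fsys.ReadFile(name)
		fmt.Printf("%-12s -> %q err=%v\n", name, data, err)
	}
}
```

The escape check matters because the scanner later reads through these links: clamping "../../etc/shadow" to "etc/shadow" with `path.Clean` would quietly point the scan at an unrelated file inside the archive, while refusing it keeps a crafted image from steering which content gets evaluated. Hard links (type '1') are left unsupported here on purpose; a real loader for image layers would need to handle them as well.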