refactor(deps): Merge trivy-iac into Trivy (aquasecurity#6005)

Author: simar7

.github/CODEOWNERS

@@ -6,6 +6,7 @@ docs/docs/scanner/misconfiguration  @knqyf263 @simar7
 docs/docs/target/aws.md             @knqyf263 @simar7
 pkg/fanal/analyzer/config           @knqyf263 @simar7
 pkg/cloud                           @knqyf263 @simar7
+pkg/iac                             @knqyf263 @simar7
 
 # Helm chart
 helm/trivy/ @chen-keinan

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.31.1
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.94.1
+	github.com/aquasecurity/defsec v0.94.2-0.20240119001230-c2d65f49dfeb
 	github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -25,7 +25,6 @@ require (
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-aws v0.7.1
 	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
-	github.com/aquasecurity/trivy-iac v0.8.0
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.6.3-0.20240118072219-c433b06f98e1
 	github.com/aquasecurity/trivy-policies v0.8.0
@@ -117,7 +116,22 @@ require (
 	modernc.org/sqlite v1.28.0
 )
 
-require github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
+require (
+	github.com/apparentlymart/go-cidr v1.1.0
+	github.com/aws/smithy-go v1.19.0
+	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/hcl/v2 v2.19.1
+	github.com/liamg/iamgo v0.0.9
+	github.com/liamg/jfather v0.0.7
+	github.com/liamg/memoryfs v1.6.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/olekukonko/tablewriter v0.0.5
+	github.com/zclconf/go-cty v1.13.0
+	github.com/zclconf/go-cty-yaml v1.0.3
+	golang.org/x/crypto v0.18.0
+	helm.sh/helm/v3 v3.14.0
+)
 
 require (
 	cloud.google.com/go v0.110.10 // indirect
@@ -141,7 +155,6 @@ require (
 	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
@@ -154,7 +167,6 @@ require (
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -204,7 +216,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/workspaces v1.35.6 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
@@ -281,11 +292,9 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.19.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -299,9 +308,6 @@ require (
 	github.com/klauspost/compress v1.17.2 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/liamg/iamgo v0.0.9 // indirect
-	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/liamg/memoryfs v1.6.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
@@ -313,7 +319,6 @@ require (
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
 	github.com/miekg/dns v1.1.53 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
@@ -332,7 +337,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -371,8 +375,6 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yuin/gopher-lua v1.1.0 // indirect
-	github.com/zclconf/go-cty v1.13.0 // indirect
-	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.mongodb.org/mongo-driver v1.13.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
@@ -383,7 +385,6 @@ require (
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/net v0.20.0 // indirect
 	golang.org/x/oauth2 v0.15.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
@@ -400,7 +401,6 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	helm.sh/helm/v3 v3.14.0 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect
 	k8s.io/apimachinery v0.29.1 // indirect
 	k8s.io/apiserver v0.29.0 // indirect

go.sum

@@ -249,8 +249,6 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
-github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
@@ -323,8 +321,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.94.1 h1:lk44bfUltm0f0Dw4DbO3Ka9d/bf3N8cWclSdHXMyKF4=
-github.com/aquasecurity/defsec v0.94.1/go.mod h1:wiX9BX0SOG0ZWjVIPYGPl46fyO3Gu8lJnk4rmhFR7IA=
+github.com/aquasecurity/defsec v0.94.2-0.20240119001230-c2d65f49dfeb h1:7x3aMSnQhXJLcFOCivOmNBk0zAVLKkEk5UWkrRxxHIk=
+github.com/aquasecurity/defsec v0.94.2-0.20240119001230-c2d65f49dfeb/go.mod h1:wiX9BX0SOG0ZWjVIPYGPl46fyO3Gu8lJnk4rmhFR7IA=
 github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4 h1:6qs80w4qPbPnF6GhbIifSANqfCrq90CKtSUBaw6p0z0=
 github.com/aquasecurity/go-dep-parser v0.0.0-20240208080026-8cc7d408bce4/go.mod h1:P0PmelcN1ABKJrDzRbPnn6hK7RvgI+xmjiV/9uPaNnY=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -350,8 +348,6 @@ github.com/aquasecurity/trivy-aws v0.7.1 h1:XElKZsP9Hqe2JVekQgGCIkFtgRgVlP+80wKL
 github.com/aquasecurity/trivy-aws v0.7.1/go.mod h1:bJT7pzsqo9q5yi3arJSt789bAH0eDb7c+niFYMBNcMQ=
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
-github.com/aquasecurity/trivy-iac v0.8.0 h1:NKFhk/BTwQ0jIh4t74V8+6UIGUvPlaxO9HPlSMQi3fo=
-github.com/aquasecurity/trivy-iac v0.8.0/go.mod h1:ARiMeNqcaVWOXJmp8hmtMnNm/Jd836IOmDBUW5r4KEk=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.6.3-0.20240118072219-c433b06f98e1 h1:/LsIHMQJ4SOxZeib/bvLP7S3YDTXJVIsQyS4kIIP0GQ=

internal/testutil/util.go

@@ -0,0 +1,114 @@
+package testutil
+
+import (
+	"encoding/json"
+	"io/fs"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/liamg/memoryfs"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/defsec/pkg/scan"
+)
+
+func AssertRuleFound(t *testing.T, ruleID string, results scan.Results, message string, args ...interface{}) {
+	found := ruleIDInResults(ruleID, results.GetFailed())
+	assert.True(t, found, append([]interface{}{message}, args...)...)
+	for _, result := range results.GetFailed() {
+		if result.Rule().LongID() == ruleID {
+			m := result.Metadata()
+			meta := &m
+			for meta != nil {
+				assert.NotNil(t, meta.Range(), 0)
+				assert.Greater(t, meta.Range().GetStartLine(), 0)
+				assert.Greater(t, meta.Range().GetEndLine(), 0)
+				meta = meta.Parent()
+			}
+		}
+	}
+}
+
+func AssertRuleNotFound(t *testing.T, ruleID string, results scan.Results, message string, args ...interface{}) {
+	found := ruleIDInResults(ruleID, results.GetFailed())
+	assert.False(t, found, append([]interface{}{message}, args...)...)
+}
+
+func ruleIDInResults(ruleID string, results scan.Results) bool {
+	for _, res := range results {
+		if res.Rule().LongID() == ruleID {
+			return true
+		}
+	}
+	return false
+}
+
+func CreateFS(t *testing.T, files map[string]string) fs.FS {
+	memfs := memoryfs.New()
+	for name, content := range files {
+		name := strings.TrimPrefix(name, "/")
+		err := memfs.MkdirAll(filepath.Dir(name), 0o700)
+		require.NoError(t, err)
+		err = memfs.WriteFile(name, []byte(content), 0o644)
+		require.NoError(t, err)
+	}
+	return memfs
+}
+
+func AssertDefsecEqual(t *testing.T, expected, actual interface{}) {
+	expectedJson, err := json.MarshalIndent(expected, "", "\t")
+	require.NoError(t, err)
+	actualJson, err := json.MarshalIndent(actual, "", "\t")
+	require.NoError(t, err)
+
+	if expectedJson[0] == '[' {
+		var expectedSlice []map[string]interface{}
+		require.NoError(t, json.Unmarshal(expectedJson, &expectedSlice))
+		var actualSlice []map[string]interface{}
+		require.NoError(t, json.Unmarshal(actualJson, &actualSlice))
+		expectedSlice = purgeMetadataSlice(expectedSlice)
+		actualSlice = purgeMetadataSlice(actualSlice)
+		assert.Equal(t, expectedSlice, actualSlice, "defsec adapted and expected values do not match")
+	} else {
+		var expectedMap map[string]interface{}
+		require.NoError(t, json.Unmarshal(expectedJson, &expectedMap))
+		var actualMap map[string]interface{}
+		require.NoError(t, json.Unmarshal(actualJson, &actualMap))
+		expectedMap = purgeMetadata(expectedMap)
+		actualMap = purgeMetadata(actualMap)
+		assert.Equal(t, expectedMap, actualMap, "defsec adapted and expected values do not match")
+	}
+}
+
+func purgeMetadata(input map[string]interface{}) map[string]interface{} {
+	for k, v := range input {
+		if k == "metadata" || k == "Metadata" {
+			delete(input, k)
+			continue
+		}
+		if v, ok := v.(map[string]interface{}); ok {
+			input[k] = purgeMetadata(v)
+		}
+		if v, ok := v.([]interface{}); ok {
+			if len(v) > 0 {
+				if _, ok := v[0].(map[string]interface{}); ok {
+					maps := make([]map[string]interface{}, len(v))
+					for i := range v {
+						maps[i] = v[i].(map[string]interface{})
+					}
+					input[k] = purgeMetadataSlice(maps)
+				}
+			}
+		}
+	}
+	return input
+}
+
+func purgeMetadataSlice(input []map[string]interface{}) []map[string]interface{} {
+	for i := range input {
+		input[i] = purgeMetadata(input[i])
+	}
+	return input
+}

pkg/extrafs/extrafs.go

@@ -0,0 +1,54 @@
+package extrafs
+
+import (
+	"io/fs"
+	"os"
+	"path/filepath"
+)
+
+/*
+   Go does not currently support symlinks in io/fs.
+   We work around this by wrapping the fs.FS returned by os.DirFS with our own type which bolts on the ReadLinkFS
+*/
+
+type OSFS interface {
+	fs.FS
+	fs.StatFS
+}
+
+type ReadLinkFS interface {
+	ResolveSymlink(name, dir string) (string, error)
+}
+
+type FS interface {
+	OSFS
+	ReadLinkFS
+}
+
+type filesystem struct {
+	root       string
+	underlying OSFS
+}
+
+func OSDir(path string) FS {
+	return &filesystem{
+		root:       path,
+		underlying: os.DirFS(path).(OSFS),
+	}
+}
+
+func (f *filesystem) Open(name string) (fs.File, error) {
+	return f.underlying.Open(name)
+}
+
+func (f *filesystem) Stat(name string) (fs.FileInfo, error) {
+	return f.underlying.Stat(name)
+}
+
+func (f *filesystem) ResolveSymlink(name, dir string) (string, error) {
+	link, err := os.Readlink(filepath.Join(f.root, dir, name))
+	if err == nil {
+		return filepath.Join(dir, link), nil
+	}
+	return name, nil
+}

pkg/fanal/analyzer/config/terraform/terraform.go

@@ -3,9 +3,9 @@ package terraform
 import (
 	"os"
 
-	"github.com/aquasecurity/trivy-iac/pkg/detection"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )
 

pkg/fanal/analyzer/const.go

@@ -1,6 +1,8 @@
 package analyzer
 
-import "github.com/aquasecurity/trivy-iac/pkg/detection"
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
+)
 
 type Type string