temp: disable config scanning

Author: knqyf263

pkg/commands/app.go

@@ -18,9 +18,9 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands/plugin"
 	"github.com/aquasecurity/trivy/pkg/commands/server"
 	tdb "github.com/aquasecurity/trivy/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/utils"
+	"github.com/aquasecurity/trivy/pkg/vulnerability"
 )
 
 // VersionInfo holds the trivy DB version Info
@@ -163,7 +163,7 @@ var (
 
 	ignoreFileFlag = cli.StringFlag{
 		Name:    "ignorefile",
-		Value:   result.DefaultIgnoreFile,
+		Value:   vulnerability.DefaultIgnoreFile,
 		Usage:   "specify .trivyignore file",
 		EnvVars: []string{"TRIVY_IGNOREFILE"},
 	}
@@ -218,40 +218,6 @@ var (
 		EnvVars: []string{"TRIVY_SKIP_DIRS"},
 	}
 
-	configPolicy = cli.StringSliceFlag{
-		Name:    "config-policy",
-		Usage:   "specify paths to the Rego policy files directory, applying config files",
-		EnvVars: []string{"TRIVY_CONFIG_POLICY"},
-	}
-
-	configPolicyAlias = cli.StringSliceFlag{
-		Name:    "policy",
-		Aliases: []string{"config-policy"},
-		Usage:   "specify paths to the Rego policy files directory, applying config files",
-		EnvVars: []string{"TRIVY_POLICY"},
-	}
-
-	filePatterns = cli.StringSliceFlag{
-		Name:    "file-patterns",
-		Usage:   "specify file patterns",
-		EnvVars: []string{"TRIVY_FILE_PATTERNS"},
-	}
-
-	policyNamespaces = cli.StringSliceFlag{
-		Name:    "policy-namespaces",
-		Aliases: []string{"namespaces"},
-		Usage:   "Rego namespaces",
-		Value:   cli.NewStringSlice("users"),
-		EnvVars: []string{"TRIVY_POLICY_NAMESPACES"},
-	}
-
-	showSuccesses = cli.BoolFlag{
-		Name:    "show-successes",
-		Usage:   "show successes",
-		Value:   false,
-		EnvVars: []string{"TRIVY_SHOW_SUCCESSES"},
-	}
-
 	globalFlags = []cli.Flag{
 		&quietFlag,
 		&debugFlag,
@@ -282,8 +248,6 @@ var (
 		&skipFiles,
 		&skipDirs,
 		&cacheBackendFlag,
-		&configPolicy,
-		&policyNamespaces,
 	}
 
 	// deprecated options
@@ -329,7 +293,6 @@ func NewApp(version string) *cli.App {
 		NewRepositoryCommand(),
 		NewClientCommand(),
 		NewServerCommand(),
-		NewConfigCommand(),
 		NewPluginCommand(),
 	}
 	app.Commands = append(app.Commands, plugin.LoadCommands()...)
@@ -460,7 +423,6 @@ func NewFilesystemCommand() *cli.Command {
 			&listAllPackages,
 			&skipFiles,
 			&skipDirs,
-			&configPolicy,
 		},
 	}
 }
@@ -521,7 +483,6 @@ func NewClientCommand() *cli.Command {
 			&ignoreFileFlag,
 			&timeoutFlag,
 			&ignorePolicy,
-			&configPolicy,
 
 			// original flags
 			&token,
@@ -567,38 +528,6 @@ func NewServerCommand() *cli.Command {
 	}
 }
 
-// NewConfigCommand adds config command
-func NewConfigCommand() *cli.Command {
-	return &cli.Command{
-		Name:      "config",
-		Aliases:   []string{"conf"},
-		ArgsUsage: "dir",
-		Usage:     "scan config files",
-		Action:    artifact.ConfigRun,
-		Flags: []cli.Flag{
-			&templateFlag,
-			&formatFlag,
-			&severityFlag,
-			&outputFlag,
-			&exitCodeFlag,
-			&skipUpdateFlag,
-			&clearCacheFlag,
-			&ignoreUnfixedFlag,
-			&ignoreFileFlag,
-			&cacheBackendFlag,
-			&timeoutFlag,
-			&noProgressFlag,
-			&ignorePolicy,
-			&skipFiles,
-			&skipDirs,
-			&configPolicyAlias,
-			&filePatterns,
-			&policyNamespaces,
-			&showSuccesses,
-		},
-	}
-}
-
 // NewPluginCommand is the factory method to add plugin command
 func NewPluginCommand() *cli.Command {
 	return &cli.Command{

pkg/commands/artifact/config.go

@@ -11,8 +11,8 @@ import (
 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/config"
 	"github.com/aquasecurity/fanal/cache"
-	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/scanner"
+	"github.com/aquasecurity/trivy/pkg/vulnerability"
 )
 
 func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
@@ -43,7 +43,7 @@ func initializeRepositoryScanner(ctx context.Context, url string, artifactCache
 	return scanner.Scanner{}, nil, nil
 }
 
-func initializeResultClient() result.Client {
-	wire.Build(result.SuperSet)
-	return result.Client{}
+func initializeResultClient() vulnerability.Client {
+	wire.Build(vulnerability.SuperSet)
+	return vulnerability.Client{}
 }

pkg/commands/artifact/inject.go

@@ -15,7 +15,6 @@ type Option struct {
 	option.ImageOption
 	option.ReportOption
 	option.CacheOption
-	option.ConfigOption
 
 	// deprecated
 	onlyUpdate string
@@ -39,7 +38,6 @@ func NewOption(c *cli.Context) (Option, error) {
 		ImageOption:    option.NewImageOption(c),
 		ReportOption:   option.NewReportOption(c),
 		CacheOption:    option.NewCacheOption(c),
-		ConfigOption:   option.NewConfigOption(c),
 
 		onlyUpdate:  c.String("only-update"),
 		refresh:     c.Bool("refresh"),

pkg/commands/artifact/option.go

@@ -42,24 +42,6 @@ func TestOption_Init(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "config scanning",
-			args: []string{"--severity", "CRITICAL", "--security-checks", "config", "--quiet", "alpine:3.10"},
-			want: Option{
-				GlobalOption: option.GlobalOption{
-					Quiet: true,
-				},
-				ArtifactOption: option.ArtifactOption{
-					Target: "alpine:3.10",
-				},
-				ReportOption: option.ReportOption{
-					Severities:     []dbTypes.Severity{dbTypes.SeverityCritical},
-					VulnType:       []string{types.VulnTypeOS, types.VulnTypeLibrary},
-					SecurityChecks: []string{types.SecurityCheckConfig},
-					Output:         os.Stdout,
-				},
-			},
-		},
 		{
 			name: "happy path: reset",
 			args: []string{"--reset"},

pkg/commands/artifact/option_test.go

@@ -148,21 +148,10 @@ func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner,
 		disabledAnalyzers = []analyzer.Type{}
 	}
 
-	// ScannerOptions is filled only when config scanning is enabled.
-	var configScannerOptions config.ScannerOption
-	if utils.StringInSlice(types.SecurityCheckConfig, opt.SecurityChecks) {
-		defaultPolicyPaths, err := operation.InitDefaultPolicies(ctx)
-		if err != nil {
-			return nil, xerrors.Errorf("failed to initialize default policies: %w", err)
-		}
-
-		configScannerOptions = config.ScannerOption{
-			Namespaces:   append(opt.PolicyNamespaces, defaultPolicyNamespace),
-			PolicyPaths:  append(opt.PolicyPaths, defaultPolicyPaths...),
-			DataPaths:    opt.DataPaths,
-			FilePatterns: opt.FilePatterns,
-		}
-	}
+	// TODO: fix the scanner option and enable config analyzers once we finalize the specification of config scanning.
+	configScannerOptions := config.ScannerOption{}
+	disabledAnalyzers = append(disabledAnalyzers, analyzer.TypeYaml, analyzer.TypeTOML, analyzer.TypeJSON,
+		analyzer.TypeDockerfile, analyzer.TypeHCL)
 
 	s, cleanup, err := initializeScanner(ctx, target, cacheClient, cacheClient, opt.Timeout,
 		disabledAnalyzers, configScannerOptions)
@@ -181,14 +170,13 @@ func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner,
 func filter(ctx context.Context, opt Option, results report.Results) (report.Results, error) {
 	resultClient := initializeResultClient()
 	for i := range results {
-		resultClient.FillVulnerabilityInfo(results[i].Vulnerabilities, results[i].Type)
-		vulns, misconfs, err := resultClient.Filter(ctx, results[i].Vulnerabilities, results[i].Misconfigurations,
-			opt.Severities, opt.IgnoreUnfixed, opt.ShowSuccesses, opt.IgnoreFile, opt.IgnorePolicy)
+		resultClient.FillInfo(results[i].Vulnerabilities, results[i].Type)
+		vulns, err := resultClient.Filter(ctx, results[i].Vulnerabilities,
+			opt.Severities, opt.IgnoreUnfixed, opt.IgnoreFile, opt.IgnorePolicy)
 		if err != nil {
 			return nil, xerrors.Errorf("unable to filter vulnerabilities: %w", err)
 		}
 		results[i].Vulnerabilities = vulns
-		results[i].Misconfigurations = misconfs
 	}
 	return results, nil
 }

pkg/commands/artifact/run.go

@@ -11,9 +11,9 @@ import (
 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/config"
 	"github.com/aquasecurity/fanal/cache"
-	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/rpc/client"
 	"github.com/aquasecurity/trivy/pkg/scanner"
+	"github.com/aquasecurity/trivy/pkg/vulnerability"
 )
 
 func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache, customHeaders client.CustomHeaders,
@@ -30,7 +30,7 @@ func initializeArchiveScanner(ctx context.Context, filePath string, artifactCach
 	return scanner.Scanner{}, nil
 }
 
-func initializeResultClient() result.Client {
-	wire.Build(result.SuperSet)
-	return result.Client{}
+func initializeResultClient() vulnerability.Client {
+	wire.Build(vulnerability.SuperSet)
+	return vulnerability.Client{}
 }

pkg/commands/artifact/wire_gen.go

@@ -16,7 +16,6 @@ type Option struct {
 	option.ArtifactOption
 	option.ImageOption
 	option.ReportOption
-	option.ConfigOption
 
 	RemoteAddr    string
 	token         string
@@ -39,7 +38,6 @@ func NewOption(c *cli.Context) (Option, error) {
 		ArtifactOption: option.NewArtifactOption(c),
 		ImageOption:    option.NewImageOption(c),
 		ReportOption:   option.NewReportOption(c),
-		ConfigOption:   option.NewConfigOption(c),
 		RemoteAddr:     c.String("remote"),
 		token:          c.String("token"),
 		tokenHeader:    c.String("token-header"),

pkg/commands/client/inject.go

@@ -44,25 +44,6 @@ func TestConfig_Init(t *testing.T) {
 				CustomHeaders: http.Header{},
 			},
 		},
-		{
-			name: "config scanning",
-			args: []string{"--severity", "CRITICAL", "--security-checks", "config", "--quiet", "alpine:3.10"},
-			want: Option{
-				GlobalOption: option.GlobalOption{
-					Quiet: true,
-				},
-				ArtifactOption: option.ArtifactOption{
-					Target: "alpine:3.10",
-				},
-				ReportOption: option.ReportOption{
-					Severities:     []dbTypes.Severity{dbTypes.SeverityCritical},
-					VulnType:       []string{types.VulnTypeOS, types.VulnTypeLibrary},
-					SecurityChecks: []string{types.SecurityCheckConfig},
-					Output:         os.Stdout,
-				},
-				CustomHeaders: http.Header{},
-			},
-		},
 		{
 			name: "happy path with token and token header",
 			args: []string{"--token", "secret", "--token-header", "X-Trivy-Token", "alpine:3.11"},