@DmitriyLewen DmitriyLewen commented Mar 13, 2025

Description

To enable StaticPaths mode, all enabled analyzers must implement the StaticPathAnalyzer interface.
For this we need to check analyzers, and also postAnalyzers (the changes in this PR).
Otherwise there may be cases when only a postAnalyzer is enabled => we enable StaticPaths mode and skip files.

example:
Before:

➜  ./trivy -d conf ./integration/testdata/fixtures/k8s --table-mode summary
...
2025-03-13T13:55:11+06:00       DEBUG   [fs] Analyzing...       root="integration/testdata/fixtures/k8s"
2025-03-13T13:55:11+06:00       DEBUG   [fs] Analyzing files in static paths
...

Report Summary

┌────────┬──────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────┼──────┼───────────────────┤
│   -    │  -   │         -         │
└────────┴──────┴───────────────────┘

After:

➜  ./trivy -d conf ./integration/testdata/fixtures/k8s --table-mode summary
...
2025-03-13T13:55:46+06:00       DEBUG   [fs] Analyzing...       root="integration/testdata/fixtures/k8s"
2025-03-13T13:55:46+06:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Kubernetes"
...

Report Summary

┌──────────────────────┬────────────┬───────────────────┐
│        Target        │    Type    │ Misconfigurations │
├──────────────────────┼────────────┼───────────────────┤
│ limited-binding.yaml │ kubernetes │         0         │
├──────────────────────┼────────────┼───────────────────┤
│ limited-pod.yaml     │ kubernetes │        15         │
├──────────────────────┼────────────┼───────────────────┤
│ limited-role.yaml    │ kubernetes │         2         │
├──────────────────────┼────────────┼───────────────────┤
│ test_nginx.yaml      │ kubernetes │        16         │
└──────────────────────┴────────────┴───────────────────┘

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
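
An added Go sketch of the failure mode in the description above, not Trivy's own code: the types `group`, `osRelease` and `k8sConfig` and the `checkPost` switch are hypothetical simplifications. With only a post-analyzer enabled, the unchecked path reports static mode with an empty path list, so no file is read and the report comes back empty.

```go
package main

import (
	"fmt"
	"slices"
)

// Simplified, hypothetical model of the analyzer group; not Trivy's own types.
type analyzer interface{ Type() string }

// staticPathAnalyzer: optional interface for analyzers that know their paths up front.
type staticPathAnalyzer interface{ StaticPaths() []string }

type osRelease struct{} // regular analyzer with known paths
func (osRelease) Type() string          { return "os-release" }
func (osRelease) StaticPaths() []string { return []string{"etc/os-release"} }

type k8sConfig struct{} // post-analyzer: needs the full directory walk
func (k8sConfig) Type() string { return "kubernetes" }

type group struct{ analyzers, postAnalyzers []analyzer }

// staticPaths returns the paths to read and whether static mode may be used.
// checkPost=false reproduces the "before" behaviour from the description.
func (g group) staticPaths(disabled []string, checkPost bool) ([]string, bool) {
	if checkPost {
		for _, p := range g.postAnalyzers {
			if !slices.Contains(disabled, p.Type()) {
				return nil, false // an enabled post-analyzer needs every file
			}
		}
	}
	var paths []string
	for _, a := range g.analyzers {
		if slices.Contains(disabled, a.Type()) {
			continue
		}
		sp, ok := a.(staticPathAnalyzer)
		if !ok {
			return nil, false
		}
		paths = append(paths, sp.StaticPaths()...)
	}
	return paths, true
}

func main() {
	g := group{analyzers: []analyzer{osRelease{}}, postAnalyzers: []analyzer{k8sConfig{}}}
	fmt.Println(g.staticPaths([]string{"os-release"}, false)) // static mode, nothing to read
	fmt.Println(g.staticPaths([]string{"os-release"}, true))  // falls back to the full walk
}
```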

- merge `analyzers` + `postAnalyzers`
- check this map in StaticPaths function (to check in staticPath mode)
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner March 13, 2025 07:57
@DmitriyLewen DmitriyLewen self-assigned this Mar 13, 2025
@DmitriyLewen DmitriyLewen marked this pull request as draft March 13, 2025 08:22
- create AnalyzerType interface and use it in analyzer and PostAnalyzer
- add toAnalyzerType function to convert []analyzer and []PostAnalyzer to []AnalyzerType
Comment on lines 567 to 573
func toAnalyzerType[T AnalyzerType](aa []T) []AnalyzerType {
var at []AnalyzerType
for _, a := range aa {
at = append(at, a)
}
return at
}
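Review bot: `var at []AnalyzerType` in `toAnalyzerType` starts as a nil slice and regrows on `append`, although the final length is already known to be `len(aa)`. Allocating once with `at := make([]AnalyzerType, 0, len(aa))` avoids the regrowth and makes the function return an empty, non-nil slice for empty input. A one-line doc comment saying why the copy is needed (Go does not convert `[]T` to a slice of an interface type directly) would also help the next reader.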
Contributor Author

Tell me if you have a better way.

@DmitriyLewen DmitriyLewen marked this pull request as ready for review March 13, 2025 09:27
- remove AnalyzerType interface
- StaticPaths returns error if one postAnalyzer is enabled
Comment on lines +559 to +566
// PostAnalyzers don't implement StaticPathAnalyzer.
// So if at least one postAnalyzer is enabled - we should not use StaticPath.
if allPostAnalyzersDisabled := lo.EveryBy(ag.postAnalyzers, func(a PostAnalyzer) bool {
return slices.Contains(disabled, a.Type())
}); !allPostAnalyzersDisabled {
return nil, false
}
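Review bot: the negated `lo.EveryBy` in the `if` initializer is hard to read, because the condition that decides the branch (`!allPostAnalyzersDisabled`) only appears after a multi-line closure. Asking the question directly is shorter and drops the `lo` call here, for example `slices.ContainsFunc(ag.postAnalyzers, func(a PostAnalyzer) bool { return !slices.Contains(disabled, a.Type()) })`. The `return nil, false` is also silent; a debug log naming the enabled post-analyzer would show in `-d` output why static path mode was not used.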

Contributor Author

postAnalyzers don't implement StaticPaths now.
Also, it looks like it will be hard to implement StaticPaths for them.

So it looks like we can just check that PostAnalyzers are enabled.

Collaborator

@knqyf263 knqyf263 left a comment

Thanks for fixing it.

@knqyf263 knqyf263 added this pull request to the merge queue Mar 13, 2025
Merged via the queue into aquasecurity:main with commit c228307 Mar 13, 2025
13 checks passed
0intro pushed a commit to DataDog/trivy that referenced this pull request Mar 20, 2025
0intro pushed a commit to DataDog/trivy that referenced this pull request Mar 21, 2025
0intro pushed a commit to DataDog/trivy that referenced this pull request Mar 24, 2025
0intro pushed a commit to DataDog/trivy that referenced this pull request Mar 24, 2025
paulcacheux pushed a commit to DataDog/trivy that referenced this pull request Mar 25, 2025