add Library Scan (with image scan) (#829)

* add static container image scan * server has many staticContainers * use go module * for staticContainer * fix typo * fix setErrs error * change name : StaticContainer -> Image * add scan -images-only flag * fix makefile * fix makefile for go module * use rpmcmd instead of rpm * add scrutinizer.yml * change scrutinizer.yml * fix scrutinizer.yml * fix scrutinizer.yml * fix scrutinizer.yml * fix scrutinizer.yml * delete scrutinizer * add report test * add sourcePackages and Arch * fix for sider * fix staticContainer -> image * init scan library * add library scan for servers * fix tui bug * fix lint error * divide WpPackageFixStats and LibraryPackageFixedIns * fix error * Delete libManager_test.go * stop use alpine os if err occurred in container * merge upstream/master * Delete libManager.go * update goval-dictionary * fix go.mod * update Readme * add feature : auto detect lockfiles
2019-06-12 18:50:07 +09:00
parent 10942f7c08
commit abcea1a14d
22 changed files with 1531 additions and 1161 deletions
--- a/config/config.go
+++ b/config/config.go
@@ -27,10 +27,10 @@ import (
 	"strings"

 	syslog "github.com/RackSec/srslog"
-	"golang.org/x/xerrors"
-
 	valid "github.com/asaskevich/govalidator"
+	"github.com/knqyf263/fanal/types"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/xerrors"
 )

 // Version of Vuls
@@ -118,6 +118,7 @@ type Config struct {
 	SSHNative      bool   `json:"sshNative,omitempty"`
 	SSHConfig      bool   `json:"sshConfig,omitempty"`
 	ContainersOnly bool   `json:"containersOnly,omitempty"`
+	ImagesOnly     bool   `json:"imagesOnly,omitempty"`
 	SkipBroken     bool   `json:"skipBroken,omitempty"`
 	CacheDBPath    string `json:"cacheDBPath,omitempty"`
 	Vvv            bool   `json:"vvv,omitempty"`
@@ -1059,12 +1060,14 @@ type ServerInfo struct {
 	IgnoreCves             []string                    `toml:"ignoreCves,omitempty" json:"ignoreCves,omitempty"`
 	IgnorePkgsRegexp       []string                    `toml:"ignorePkgsRegexp,omitempty" json:"ignorePkgsRegexp,omitempty"`
 	GitHubRepos            map[string]GitHubConf       `toml:"githubs" json:"githubs,omitempty"` // key: owner/repo
+	Images                 map[string]Image            `toml:"images" json:"images,omitempty"`
 	UUIDs                  map[string]string           `toml:"uuids,omitempty" json:"uuids,omitempty"`
 	Memo                   string                      `toml:"memo,omitempty" json:"memo,omitempty"`
 	Enablerepo             []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, RHEL, Amazon
 	Optional               map[string]interface{}      `toml:"optional,omitempty" json:"optional,omitempty"`     // Optional key-value set that will be outputted to JSON
-
-	Type string `toml:"type,omitempty" json:"type,omitempty"` // "pseudo" or ""
+	Lockfiles              []string                    `toml:"lockfiles,omitempty" json:"lockfiles,omitempty"`   // ie) path/to/package-lock.json
+	FindLock               bool                        `toml:"findLock,omitempty" json:"findLock,omitempty"`
+	Type                   string                      `toml:"type,omitempty" json:"type,omitempty"` // "pseudo" or ""

 	WordPress WordPressConf `toml:"wordpress,omitempty" json:"wordpress,omitempty"`

@@ -1074,6 +1077,7 @@ type ServerInfo struct {

 	LogMsgAnsiColor string    `toml:"-" json:"-"` // DebugLog Color
 	Container       Container `toml:"-" json:"-"`
+	Image           Image     `toml:"-" json:"-"`
 	Distro          Distro    `toml:"-" json:"-"`
 	Mode            ScanMode  `toml:"-" json:"-"`
 }
@@ -1095,6 +1099,17 @@ type WordPressConf struct {
 	IgnoreInactive bool   `json:"ignoreInactive,omitempty"`
 }

+// Image is a scan container image info
+type Image struct {
+	Name             string             `json:"name"`
+	Tag              string             `json:"tag"`
+	DockerOption     types.DockerOption `json:"dockerOption,omitempty"`
+	Cpes             []string           `json:"cpes,omitempty"`
+	OwaspDCXMLPath   string             `json:"owaspDCXMLPath"`
+	IgnorePkgsRegexp []string           `json:"ignorePkgsRegexp,omitempty"`
+	IgnoreCves       []string           `json:"ignoreCves,omitempty"`
+}
+
 // GitHubConf is used for GitHub integration
 type GitHubConf struct {
 	Token string `json:"-"`
--- a/config/tomlloader.go
+++ b/config/tomlloader.go
@@ -69,6 +69,16 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 		}

 		s := ServerInfo{ServerName: serverName}
+		s.Images = make(map[string]Image)
+
+		// image are able to set any server type
+		for name, image := range v.Images {
+			if err := IsValidImage(image); err != nil {
+				return err
+			}
+			s.Images[name] = image
+		}
+
 		if v.Type != ServerTypePseudo {
 			s.Host = v.Host
 			if len(s.Host) == 0 {
@@ -142,6 +152,13 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 			s.CpeNames = d.CpeNames
 		}

+		s.Lockfiles = v.Lockfiles
+		if len(s.Lockfiles) == 0 {
+			s.Lockfiles = d.Lockfiles
+		}
+
+		s.FindLock = v.FindLock
+
 		for i, n := range s.CpeNames {
 			uri, err := toCpeURI(n)
 			if err != nil {
@@ -300,3 +317,14 @@ func toCpeURI(cpename string) (string, error) {
 	}
 	return "", xerrors.Errorf("Unknow CPE format: %s", cpename)
 }
+
+// IsValidImage checks a container configuration
+func IsValidImage(c Image) error {
+	if c.Name == "" {
+		return xerrors.New("Invalid arguments : no image name")
+	}
+	if c.Tag == "" {
+		return xerrors.New("Invalid arguments : no image tag")
+	}
+	return nil
+}