Skip to content

Commit

Permalink
feat(secret): add secret config file for cache calculation (#4837)
Browse files Browse the repository at this point in the history
* move parse secret config to initScannerConfig + add secret to cache key

* add calc cache test

* just read config file and add to cache

* refactor comments

* refactor
  • Loading branch information
DmitriyLewen authored Jul 23, 2023
1 parent 5d349d8 commit 4aa9ea0
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 12 deletions.
27 changes: 15 additions & 12 deletions pkg/fanal/cache/key.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,21 +36,24 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str
return "", xerrors.Errorf("json encode error: %w", err)
}

// Write policy and data contents
for _, paths := range [][]string{artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths} {
for _, p := range paths {
hash, err := hashContents(p)
if err != nil {
return "", err
}
// Write policy, data contents and secret config file
paths := append(artifactOpt.MisconfScannerOption.PolicyPaths, artifactOpt.MisconfScannerOption.DataPaths...)

if _, err := h.Write([]byte(hash)); err != nil {
return "", xerrors.Errorf("sha256 write error: %w", err)
}
}
// Check if the secret config exists.
if _, err := os.Stat(artifactOpt.SecretScannerOption.ConfigPath); err == nil {
paths = append(paths, artifactOpt.SecretScannerOption.ConfigPath)
}

// TODO: add secret scanner option here
for _, p := range paths {
hash, err := hashContents(p)
if err != nil {
return "", err
}

if _, err := h.Write([]byte(hash)); err != nil {
return "", xerrors.Errorf("sha256 write error: %w", err)
}
}

return fmt.Sprintf("sha256:%x", h.Sum(nil)), nil
}
Expand Down
41 changes: 41 additions & 0 deletions pkg/fanal/cache/key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ func TestCalcKey(t *testing.T) {
patterns []string
policy []string
data []string
secretConfigPath string
}
tests := []struct {
name string
Expand Down Expand Up @@ -175,6 +176,42 @@ func TestCalcKey(t *testing.T) {
},
want: "sha256:363f70f4ee795f250873caea11c2fc94ef12945444327e7e2f8a99e3884695e0",
},
{

name: "secret config",
args: args{
key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
analyzerVersions: analyzer.Versions{
Analyzers: map[string]int{
"alpine": 1,
"debian": 1,
},
},
hookVersions: map[string]int{
"python-pkg": 1,
},
secretConfigPath: "testdata/trivy-secret.yaml",
},
want: "sha256:d3fb9503f2851ae9bdb250b7ef55c00c0bfa1250b19d4d398a9219c2c0e20958",
},
{

name: "secret config file doesn't exist",
args: args{
key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
analyzerVersions: analyzer.Versions{
Analyzers: map[string]int{
"alpine": 1,
"debian": 1,
},
},
hookVersions: map[string]int{
"python-pkg": 1,
},
secretConfigPath: "trivy-secret.yaml",
},
want: "sha256:c720b502991465ea11929cfefc71cf4b5aeaa9a8c0ae59fdaf597f957f5cdb18",
},
{
name: "with policy/non-existent dir",
args: args{
Expand All @@ -201,6 +238,10 @@ func TestCalcKey(t *testing.T) {
PolicyPaths: tt.args.policy,
DataPaths: tt.args.data,
},

SecretScannerOption: analyzer.SecretScannerOption{
ConfigPath: tt.args.secretConfigPath,
},
}
got, err := CalcKey(tt.args.key, tt.args.analyzerVersions, tt.args.hookVersions, artifactOpt)
if tt.wantErr != "" {
Expand Down
4 changes: 4 additions & 0 deletions pkg/fanal/cache/testdata/trivy-secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
disable-allow-rules:
- usr-dirs
- examples

0 comments on commit 4aa9ea0

Please sign in to comment.