aquasecurity · afdesk · Oct 21, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
@@ -3,6 +3,7 @@ package scanner
 import (
  "fmt"
  "os"
+ "path/filepath"
  "regexp"
  "runtime"
 
@@ -15,29 +16,56 @@ import (
 
 var r = regexp.MustCompile("\\\\|/|:|\\*|\\?|<|>")
 
-func createTempFile(artifact *artifacts.Artifact) (string, error) {
+func generateTempFileByArtifact(artifact *artifacts.Artifact, tempFolder string) (string, error) {
  filename := fmt.Sprintf("%s-%s-%s-*.yaml", artifact.Namespace, artifact.Kind, artifact.Name)
-
  if runtime.GOOS == "windows" {
  // removes characters not permitted in file/directory names on Windows
  filename = filenameWindowsFriendly(filename)
  }
- file, err := os.CreateTemp("", filename)
+ file, err := os.CreateTemp(tempFolder, filename)
  if err != nil {
- return "", xerrors.Errorf("creating tmp file error: %w", err)
+ return "", xerrors.Errorf("failed to create temporary file: %w", err)
  }
+ shouldRemove := false
  defer func() {
  if err := file.Close(); err != nil {
- log.Error("Failed to close temp file", log.String("path", file.Name()), log.Err(err))
+ log.Error("Failed to close temp file", log.FilePath(file.Name()), log.Err(err))
+ }
+ if shouldRemove {
+ removeFile(file.Name())
  }
  }()
-
  if err := yaml.NewEncoder(file).Encode(artifact.RawResource); err != nil {
- removeFile(filename)
- return "", xerrors.Errorf("marshaling resource error: %w", err)
+ shouldRemove = true
+ return "", xerrors.Errorf("failed to encode artifact: %w", err)
+ }
+ return filepath.Base(file.Name()), nil
+}
+
+// generateTempFolder creates a folder with yaml files generated from kubernetes artifacts
+// returns a folder name, a map for mapping a temp target file to k8s artifact and error
+func generateTempFolder(arts []*artifacts.Artifact) (string, map[string]*artifacts.Artifact, error) {
+ tempFolder, err := os.MkdirTemp("", "trivyk8s*")
+ if err != nil {
+ return "", nil, xerrors.Errorf("failed to create temp folder: %w", err)
+ }
+
+ m := make(map[string]*artifacts.Artifact)
+ for _, artifact := range arts {
+ filename, err := generateTempFileByArtifact(artifact, tempFolder)
+ if err != nil {
+ log.Error("Failed to create temp file", log.FilePath(filename), log.Err(err))
+ continue
+ }
+ m[filename] = artifact
  }
+ return tempFolder, m, nil
+}
 
- return file.Name(), nil
+func removeFolder(foldername string) {
+ if err := os.RemoveAll(foldername); err != nil {
+ log.Error("Failed to remove temp folder", log.String("path", foldername), log.Err(err))
+ }
 }
 
 func removeFile(filename string) {

@@ -82,14 +82,18 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact)
 
  var resources []report.Resource
 
- type scanResult struct {
- vulns []report.Resource
- misconfig report.Resource
+ // scans kubernetes artifacts as a scope of yaml files
+ if local.ShouldScanMisconfigOrRbac(s.opts.Scanners) {
+ misconfigs, err := s.scanMisconfigs(ctx, resourceArtifacts)
+ if err != nil {
+ return report.Report{}, xerrors.Errorf("scanning misconfigurations error: %w", err)
+ }
+ resources = append(resources, misconfigs...)
  }
 
- onItem := func(ctx context.Context, artifact *artifacts.Artifact) (scanResult, error) {
-  scanResults := scanResult{}
- if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) && !s.opts.SkipImages {
+ // scan images from kubernetes cluster in parallel
+ if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner, types.SecretScanner) && !s.opts.SkipImages {
+ onItem := func(ctx context.Context, artifact *artifacts.Artifact) ([]report.Resource, error) {
  opts := s.opts
  opts.Credentials = make([]ftypes.Credential, len(s.opts.Credentials))
  copy(opts.Credentials, s.opts.Credentials)
@@ -106,33 +110,22 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact)
  }
  vulns, err := s.scanVulns(ctx, artifact, opts)
  if err != nil {
- return scanResult{}, xerrors.Errorf("scanning vulnerabilities error: %w", err)
+ return nil, xerrors.Errorf("scanning vulnerabilities error: %w", err)
  }
- scanResults.vulns = vulns
+ return vulns, nil
  }
- if local.ShouldScanMisconfigOrRbac(s.opts.Scanners) {
- misconfig, err := s.scanMisconfigs(ctx, artifact)
- if err != nil {
- return scanResult{}, xerrors.Errorf("scanning misconfigurations error: %w", err)
- }
- scanResults.misconfig = misconfig
+
+ onResult := func(result []report.Resource) error {
+ resources = append(resources, result...)
+ return nil
  }
- return scanResults, nil
- }
 
- onResult := func(result scanResult) error {
- resources = append(resources, result.vulns...)
- // don't add empty misconfig results to resources slice to avoid an empty resource
- if result.misconfig.Results != nil {
- resources = append(resources, result.misconfig)
+ p := parallel.NewPipeline(s.opts.Parallel, !s.opts.Quiet, resourceArtifacts, onItem, onResult)
+ if err := p.Do(ctx); err != nil {
+ return report.Report{}, err
  }
- return nil
  }
 
- p := parallel.NewPipeline(s.opts.Parallel, !s.opts.Quiet, resourceArtifacts, onItem, onResult)
- if err := p.Do(ctx); err != nil {
- return report.Report{}, err
- }
  if s.opts.Scanners.AnyEnabled(types.VulnerabilityScanner) {
  k8sResource, err := s.scanK8sVulns(ctx, k8sCoreArtifacts)
  if err != nil {
@@ -173,22 +166,43 @@ func (s *Scanner) scanVulns(ctx context.Context, artifact *artifacts.Artifact, o
  return resources, nil
 }
 
-func (s *Scanner) scanMisconfigs(ctx context.Context, artifact *artifacts.Artifact) (report.Resource, error) {
- configFile, err := createTempFile(artifact)
+func (s *Scanner) scanMisconfigs(ctx context.Context, k8sArtifacts []*artifacts.Artifact) ([]report.Resource, error) {
+ folder, artifactsByFilename, err := generateTempFolder(k8sArtifacts)
  if err != nil {
- return report.Resource{}, xerrors.Errorf("scan error: %w", err)
+ return nil, xerrors.Errorf("failed to generate temp folder: %w", err)
  }
 
- s.opts.Target = configFile
+ s.opts.Target = folder
 
  configReport, err := s.runner.ScanFilesystem(ctx, s.opts)
- // remove config file after scanning
- removeFile(configFile)
+ // remove config files after scanning
+ removeFolder(folder)
+
  if err != nil {
- return report.CreateResource(artifact, configReport, err), err
+ return nil, xerrors.Errorf("failed to scan filesystem: %w", err)
+ }
+ resources := make([]report.Resource, 0, len(k8sArtifacts))
- resources := make([]report.Resource, 0, len(k8sArtifacts))
+ var resources []report.Resource
- resources := make([]report.Resource, 0, len(k8sArtifacts))
+ var resources []report.Resource
+
+ for _, res := range configReport.Results {
+ artifact := artifactsByFilename[res.Target]
+
+ singleReport := types.Report{
+ SchemaVersion: configReport.SchemaVersion,
+ CreatedAt: configReport.CreatedAt,
+ ArtifactName: res.Target,
+ ArtifactType: configReport.ArtifactType,
+ Metadata: configReport.Metadata,
+ Results: types.Results{res},
+ }
+
+ resource, err := s.filter(ctx, singleReport, artifact)
+ if err != nil {
+ resource = report.CreateResource(artifact, singleReport, err)
+ }
+ resources = append(resources, resource)
  }
 
- return s.filter(ctx, configReport, artifact)
+ return resources, nil
 }
 func (s *Scanner) filter(ctx context.Context, r types.Report, artifact *artifacts.Artifact) (report.Resource, error) {
  var err error