diff --git a/Changelog.md b/Changelog.md index bf1e8ff84a..24f0bc86b0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## 3.9.28 - Container Scanning: Distroless containers will now return results for non-system dependencies. ([#1448](https://github.com/fossas/fossa-cli/pull/1448)) +- Warnings: Remove warnings about native container scanning and Go packages analysis. ([#1446](https://github.com/fossas/fossa-cli/pull/1446)) ## 3.9.27 diff --git a/docs/references/subcommands/container/scanner.md b/docs/references/subcommands/container/scanner.md index ca8af18965..915c5794b3 100644 --- a/docs/references/subcommands/container/scanner.md +++ b/docs/references/subcommands/container/scanner.md @@ -1,6 +1,6 @@ -# FOSSA's new container scanner +# FOSSA's container scanner -- [FOSSA's new container scanner](#fossas-new-container-scanner) +- [FOSSA's container scanner](#fossas-new-container-scanner) - [What's new in this scanner?](#whats-new-in-this-scanner) - [Documentation](#documentation) - [Container image source](#container-image-source) 
@@ -21,20 +21,16 @@ - [How do I exclude specific projects from container scanning?](#how-do-i-exclude-specific-projects-from-container-scanning) - [Limitations & Workarounds](#limitations--workarounds) -## What's new in this scanner? +## What's supported in FOSSA's container scanner? -FOSSA's new container scanner adds support for compliance and vulnerability checks for application dependencies inside of containers. +FOSSA's container scanner adds support for compliance and vulnerability checks for application dependencies inside of containers. The performance of analysis and support for container image sources is improved, and is more robust for future enhancement. -FOSSA's new container scanner brings support for standard FOSSA CLI features into containers: +FOSSA's container scanner brings support for standard FOSSA CLI features into containers: - Support for configuration via `.fossa.yml`. - Support for path filtering (exclusion and inclusion). -Finally, FOSSA's new container scanner improves the user experience and reports more information to FOSSA servers, -improving both the information available to users and the ability for FOSSA to debug questions or issues. -For example, images scanned with the container scanner show the origin path for each dependency discovered inside the image, just like analysis of a local project. - -Like the legacy container scanner, the container scanner fully supports the detection of OS dependencies (`apk`, `deb`, etc). +The container scanner fully supports the detection of OS dependencies (`apk`, `deb`, etc). Refer to following guides for integrating container scanning in your CI, 
@@ -42,7 +38,7 @@ Refer to following guides for integrating container scanning in your CI, # Documentation -FOSSA's new container scanner scans the base layer of the image, squashes all other layers, and scans those as well. +FOSSA's container scanner scans the base layer of the image, squashes all other layers, and scans those as well. Scans report compliance and security issues for operating system dependencies and application dependencies. To scan a container image with `fossa-cli`, use the `container analyze` command: @@ -203,7 +199,7 @@ All `GET` request from step 2 to step 5, will make `HEAD` call prior to confirm ## Container image analysis -The new container scanner scans in two steps: +The container scanner scans in two steps: 1. The base layer. 2. The rest of the layers, squashed. @@ -289,7 +285,7 @@ Example output: ### Utilize analysis target configuration -The new container scanner supports configuring analysis targets via `.fossa.yml`, as with a standard `fossa analyze` command. +The container scanner supports configuring analysis targets via `.fossa.yml`, as with a standard `fossa analyze` command. For more information on configuring analysis targets, see [analysis target configuration](../../files/fossa-yml.md#analysis-target-configuration). For example, the following `fossa.yml` excludes all `setuptools` targets: @@ -366,7 +362,7 @@ fossa container analyze -c .fossa.config.yaml --output ## Limitations & Workarounds -`fossa-cli` using the container scanner does not support [v1 docker manifest format](https://docs.docker.com/registry/spec/manifest-v2-1/). +`fossa-cli` does not support [v1 docker manifest format](https://docs.docker.com/registry/spec/manifest-v2-1/). This manifest format is officially deprecated, but is still found in some registries. The recommended workaround is to export the image to an archive, then analyze that: diff --git a/src/App/Fossa/Container.hs b/src/App/Fossa/Container.hs index 114122a453..c2d8cd35e5 100644 
--- a/src/App/Fossa/Container.hs
+++ b/src/App/Fossa/Container.hs
@@ -2,7 +2,6 @@ module App.Fossa.Container (
   containerSubCommand,
 ) where
-import App.Docs (fossaContainerScannerUrl)
 import App.Fossa.Config.Container (
   ContainerAnalyzeConfig (usesExperimentalScanner),
   ContainerCommand,
@@ -13,19 +12,16 @@ import App.Fossa.Container.AnalyzeNative qualified as AnalyzeNative
 import App.Fossa.Container.ListTargets (listTargets)
 import App.Fossa.Container.Test qualified as Test
 import App.Fossa.Subcommand (SubCommand)
-import App.Support (supportUrl)
 import Control.Effect.Diagnostics (
   Diagnostics,
   Has,
  )
 import Control.Effect.Lift (Lift)
 import Control.Effect.Telemetry (Telemetry)
-import Control.Monad (void)
+import Control.Monad (void, when)
 import Effect.Exec (Exec)
 import Effect.Logger (
   Logger,
-  Pretty (pretty),
-  indent,
   logWarn,
   vsep,
  )
@@ -46,37 +42,18 @@ dispatch ::
   m ()
 dispatch = \case
   AnalyzeCfg cfg -> do
-    if (usesExperimentalScanner cfg)
-      then
-        logWarn $
-          vsep
-            [ "DEPRECATION NOTICE"
-            , ""
-            , "The 'experimental' container scanner is now the only available scanner, and is enabled automatically."
-            , ""
-            , "The --experimental-scanner flag is now deprecated, and has no effect."
-            , "In the future, using this flag will cause a fatal error."
-            , "To avoid these errors, remove the flag from your fossa commands."
-            , ""
-            ]
-      else
-        logWarn $
-          vsep
-            [ "NOTICE"
-            , ""
-            , "FOSSA CLI is using new native container scanner, which scans for application"
-            , "dependencies in the container image by default. To only scan for system"
-            , "dependencies, provide `--only-system-deps` flag."
-            , ""
-            , "To learn more,"
-            , indent 4 $ pretty fossaContainerScannerUrl
-            , ""
-            , "In future release of FOSSA CLI, this notice will not be displayed."
-            , ""
-            , "If you are running into a performance issue or poor results on image analysis"
-            , "with new scanner, please contact FOSSA support at:"
-            , indent 4 $ pretty supportUrl
-            ]
+    when (usesExperimentalScanner cfg) $
+      logWarn $
+        vsep
+          [ "DEPRECATION NOTICE"
+          , ""
+          , "The 'experimental' container scanner is now the only available scanner, and is enabled automatically."
+          , ""
+          , "The --experimental-scanner flag is now deprecated, and has no effect."
+          , "In the future, using this flag will cause a fatal error."
+          , "To avoid these errors, remove the flag from your fossa commands."
+          , ""
+          ]
     void $ AnalyzeNative.analyzeExperimental cfg
   TestCfg cfg -> Test.test cfg
diff --git a/src/Strategy/Gomodules.hs b/src/Strategy/Gomodules.hs
index 34d2f82f79..c8653dae4b 100644
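Review bot: The `AnalyzeCfg` arm now buries its control flow under a multi-line message literal: the `when` guard, the eight-element `vsep` list and the `void $ AnalyzeNative.analyzeExperimental cfg` call all sit in one expression, so a reader has to scan past the notice text to find out what the subcommand actually does. Hoisting the message to a named top-level binding (`experimentalScannerDeprecation = vsep [ "DEPRECATION NOTICE", … ]`, using whatever `Doc` type `logWarn` accepts) leaves the arm as `when (usesExperimentalScanner cfg) $ logWarn experimentalScannerDeprecation`. The notice also promises that the flag "will cause a fatal error" in a future release; a short comment above the `when`, such as `-- TODO: promote to a fatal error once --experimental-scanner is removed`, records that intent where the next maintainer will look for it. Separately, `AnalyzeNative.analyzeExperimental` still carries the "experimental" name that the docs in this commit retire; renaming it would be a follow-up. `dispatch`'s type signature begins above this hunk.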
@@ -13,7 +13,6 @@ import Control.Effect.Diagnostics (Diagnostics, context, fatalText, recover, (<|
 import Control.Effect.Reader (Reader, asks)
 import Control.Monad (when)
 import Data.Aeson (ToJSON)
-import Data.String.Conversion (toText)
 import Data.Text (Text)
 import Discovery.Filters (AllFilters)
 import Discovery.Simple (simpleDiscover)
@@ -23,12 +22,10 @@ import Discovery.Walk (
   walkWithFilters',
  )
 import Effect.Exec (Exec, Has)
-import Effect.Logger (Logger, logInfo, redText)
 import Effect.ReadFS (ReadFS)
 import GHC.Generics (Generic)
 import Graphing (Graphing)
 import Path (Abs, Dir, File, Path)
-import Prettyprinter (line, nest, pretty)
 import Strategy.Go.GoListPackages qualified as GoListPackages
 import Strategy.Go.Gomod qualified as Gomod
 import Strategy.Go.Gostd (GoStdlibDep, filterGoStdlibPackages, listGoStdlibPackages)
@@ -70,7 +67,7 @@ mkProject project =
     , projectData = project
     }
-getDeps :: (Has Exec sig m, Has ReadFS sig m, Has Logger sig m, Has Diagnostics sig m) => GomodulesProject -> GoDynamicTactic -> m DependencyResults
+getDeps :: (Has Exec sig m, Has ReadFS sig m, Has Diagnostics sig m) => GomodulesProject -> GoDynamicTactic -> m DependencyResults
 getDeps project goDynamicTactic = do
   (graph, graphBreadth) <- context "Gomodules" $ dynamicAnalysis <||> staticAnalysis
   stdlib <- recover . context "Collect go standard library information" . listGoStdlibPackages $ gomodulesDir project
@@ -90,7 +87,7 @@ getDeps project goDynamicTactic = do
     staticAnalysis :: (Has Exec sig m, Has ReadFS sig m, Has Diagnostics sig m) => m (Graphing Dependency, GraphBreadth)
     staticAnalysis = context "Static analysis" (Gomod.analyze' (gomodulesGomod project))
-    dynamicAnalysis :: (Has Exec sig m, Has Logger sig m, Has Diagnostics sig m) => m (Graphing Dependency, GraphBreadth)
+    dynamicAnalysis :: (Has Exec sig m, Has Diagnostics sig m) => m (Graphing Dependency, GraphBreadth)
     dynamicAnalysis = context "Dynamic analysis" $ do
       when (goDynamicTactic == GoPackagesBasedTactic) $
@@ -98,17 +95,4 @@ getDeps project goDynamicTactic = do
           "--experimental-use-v3-go-resolver is now deprecated because the v3 resolver is the default. \
           \This option will be removed in a future release and result in an error."
-      res <- context "analysis using go list (V3 Resolver)" (GoListPackages.analyze (gomodulesDir project))
-
-      logInfo $
-        redText "NOTE: "
-          <> nest
-            1
-            ( pretty (toText . gomodulesDir $ project)
-                <> " analyzed using V3 Go Resolver."
-                <> line
-                <> "As of v3.8.5 we have changed our dynamic Go strategy. If you've analyzed this project before, results may have changed."
-                <> line
-                <> "See https://github.com/fossas/fossa-cli/blob/master/docs/references/strategies/languages/golang/v3-go-resolver-transition-qa.md for more information."
-            )
-      pure res
+      context "analysis using go list (V3 Resolver)" (GoListPackages.analyze (gomodulesDir project))
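Review bot: With the `logInfo` block removed, the deprecation string at the top of the second hunk is the only remaining mention of the V3 resolver in `dynamicAnalysis`, and it is emitted only when `goDynamicTactic == GoPackagesBasedTactic`, i.e. for users who still pass `--experimental-use-v3-go-resolver`. Users whose Go dependency graph (and therefore their license and vulnerability findings) changed after the v3.8.5 strategy switch no longer get pointed at the transition Q&A document that the removed note linked, which matters when someone is auditing why an SBOM differs between runs. If that page is still the intended reference, append it to the surviving warning, e.g. `\This option will be removed in a future release and result in an error. \` followed by `\See https://github.com/fossas/fossa-cli/blob/master/docs/references/strategies/languages/golang/v3-go-resolver-transition-qa.md for details."`, or make sure the Go strategy docs carry the link. The `logWarn` call that takes this string, and the start of `dynamicAnalysis`, lie between this hunk and the previous one.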