trivy
trivy copied to clipboard
aquasecurity
feat(os): Add Windows support
Description
It started to feel that #1469 was too big PR and has not got any feedback because of that. This one replaces it.
However when I tried to reproduce #73 with latest code base I was not able to do so I think that it have been already fixed as part of other Trivy or library updates so it should safe to re-enable Windows releases.
Test with pure Windows containers:
docker pull mcr.microsoft.com/dotnet/samples:aspnetapp
trivy.exe image mcr.microsoft.com/dotnet/samples:aspnetapp
2022-07-26T01:25:25.821-0700 INFO Vulnerability scanning is enabled
2022-07-26T01:25:25.821-0700 INFO Secret scanning is enabled
2022-07-26T01:25:25.822-0700 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-26T01:25:25.822-0700 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-07-26T01:25:25.832-0700 INFO Number of language-specific files: 2
2022-07-26T01:25:25.832-0700 INFO Detecting dotnet-core vulnerabilities...
Test with Windows CLI + Linux Docker engine with environment variable $env:DOCKER_HOST="ssh://<user>@<ip>"
docker pull mcr.microsoft.com/dotnet/samples:aspnetapp
trivy.exe image mcr.microsoft.com/dotnet/samples:aspnetapp
2022-07-26T01:25:41.445-0700 INFO Vulnerability scanning is enabled
2022-07-26T01:25:41.445-0700 INFO Secret scanning is enabled
2022-07-26T01:25:41.446-0700 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-26T01:25:41.446-0700 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-07-26T01:25:42.424-0700 INFO Number of language-specific files: 2
2022-07-26T01:25:42.424-0700 INFO Detecting dotnet-core vulnerabilities...
I also uploaded Windows version of Trivy v0.30.3 to here in case someone want to test.
Related issues
- Close #2058
Related PRs
- [X] #278
- [X] #1469
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
Afaiu "Lint PR title" error in CI is false alarm because ".github/workflows/semantic-pr.yaml" is not effective before it is merged to master.
Afaiu "Lint PR title" error in CI is false alarm because ".github/workflows/semantic-pr.yaml" is not effective before it is merged to master.
Why not? it is useful since the PR title is used as a commit message in main.
Why not? it is useful since the PR title is used as a commit message in main.
I mean that CI fails to error Unknown scope "windows" found even when I added new scope windows on as part of this PR as far I understand it would works if that change would be merged first as separate PR but cannot be sure as I'm not familiar with this tooling.
Just noticed that there is existing scope os which works fine in here to updated title to it.
CI 🟢 so would be nice to get PR review.
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
@knqyf263 it should be possible to use GitHub action runner windows-2022 for that purpose.
It will need some work because images on ghcr.io/aquasecurity/trivy-test-images cannot be used but we need separate repository for those images. And make it fast those most probably should be based on cached images.
Another issue which I find out was that we need duplicate golden files because all / marks will be replaced with \\ when running on Windows so example https://github.com/aquasecurity/trivy/blob/main/integration/testdata/gomod.json.golden#L3 does not match.
However as Trivy is already released for multiple operating systems but tested only in ubuntu-latest it probably would make sense to cherry-pick just those platform specific tests to be run? Do you have something in might which at least should be included?
However as Trivy is already released for multiple operating systems but tested only in ubuntu-latest it probably would make sense to cherry-pick just those platform specific tests to be run? Do you have something in might which at least should be included?
We used to release binaries for all the platforms as much as possible. Then, we got a report that Trivy didn't work on Windows (and some platforms) and then removed those supports. If you confirm it worked now (though I don't know the reason as we didn't fix the issue), we can merge this PR.
Also, @owenrumney is trying to add testing on Windows. https://github.com/aquasecurity/trivy/pull/2833
If you confirm it worked now
Yes, it worked on those scenarios which I tested.
(though I don't know the reason as we didn't fix the issue),
That was quite many years ago and afaik there have been quite a lot improvements done in Golang itself to make it easier port apps for Windows. Might be some of those also which have fixed that issue.
we can merge this PR.
Please do so and to be safe side you can always mark that support as beta first.
I'm working through the tests on a windows machine to resolve issues. I have uncovered an issues with License scanning which won't work in Windows at the moment - this PR https://github.com/google/licenseclassifier/pull/50 resolves that, if they don't accept soon then I'll look to add a temporary replace to the PR's commit
I'd suggest we hold off merging this till we've uncovered any other functionality that is broken or degraded on Windows
