trivy icon indicating copy to clipboard operation
trivy copied to clipboard
Published 4 weeks ago verified publisher icon aquasecurity

fix(cli): secret scanning perf link fix

Open Moulick opened this issue 3 years ago • 10 comments

Description

Fixes the URL in the logs of the scanner

Related issues

  • Close #2606

Before

2022-07-27T18:57:49.498+0530	INFO	Vulnerability scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	Secret scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-27T18:57:49.498+0530	INFO	Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection

After

2022-07-27T18:57:49.498+0530	INFO	Vulnerability scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	Secret scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-27T18:57:49.498+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

Moulick avatar Jul 27 '22 13:07 Moulick

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jul 27 '22 13:07 CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Jul 27 '22 13:07 CLAassistant

Hmm. We fixed it before. https://github.com/aquasecurity/trivy/pull/2422

@DmitriyLewen Could you look into what causes?

knqyf263 avatar Jul 27 '22 14:07 knqyf263

My first thought was to add an if-else like

ver := fmt.Sprintf("v%s", opt.AppVersion)
if opt.AppVersion == "dev" {
  ver = opt.AppVersion
  }

which is like essentially reverting https://github.com/aquasecurity/trivy/pull/2422

There are three sources of the version I see

  1. If you simply do go build ./cmd/trivy, It defaults to dev. This produces a correct URL for dev.
  2. If you do make build, make take the version from VERSION := $(shell git describe --tags --always), but this also creates an incorrect URL as this returns eg v0.30.4-3-g4be15455
  3. If the build is produced by goreleaser, it strips the v and hence URL is broken

Currently, I have fixed it for goreleaser, I can also fix it for makefile

Moulick avatar Jul 27 '22 14:07 Moulick

Hello @knqyf263 we have 2 cases:

  1. binaries built with goreleaser don't have v prefix:
➜  29.1 ./trivy -v
Version: 0.29.1
  1. binaries built with make build have v prefix(looks like in #2422 used this case):
➜  git checkout v0.29.1
Note: switching to 'v0.29.1'.
...
➜  make build
go build -ldflags "-s -w -X=main.version=v0.29.1" ./cmd/trivy
➜  ./trivy -v
Version: v0.29.1

I think we need to create same logic for both cases: add v prefix to goreleaser (as @Moulick did) or remove v prefix from Makefile and return this logic:

ver := fmt.Sprintf("v%s", opt.AppVersion)
if opt.AppVersion == "dev" {
  ver = opt.AppVersion
  }

I think logic of this PR better.

UPD. I built image with goreleaser. Version number has v prefix.

➜  ./trivy -v
Version: v0.30.4-SNAPSHOT-4be15455

DmitriyLewen avatar Jul 28 '22 04:07 DmitriyLewen

Version: v0.29.1

It's no big deal, but it looks weird to me. v means version,so it is like Version: version 0.29.1.

What if we remove v here? https://github.com/aquasecurity/trivy/blob/c2a7ad5c014e3e1861b8bf79b6ef321573cb8983/Makefile#L1

knqyf263 avatar Jul 28 '22 07:07 knqyf263

And add v of course.

add v prefix to goreleaser (as @Moulick did) or remove v prefix from Makefile and return this logic:

knqyf263 avatar Jul 28 '22 07:07 knqyf263

Version: v0.29.1

It's no big deal, but it looks weird to me. v means version,so it is like Version: version 0.29.1.

What if we remove v here?

https://github.com/aquasecurity/trivy/blob/c2a7ad5c014e3e1861b8bf79b6ef321573cb8983/Makefile#L1

Yes, doable. The documentation links will need to be updated to remove the v as well.

Moulick avatar Jul 29 '22 08:07 Moulick

@Moulick Could you fix it as below?

  1. Remove v here. https://github.com/aquasecurity/trivy/blob/c2a7ad5c014e3e1861b8bf79b6ef321573cb8983/Makefile#L1

  2. Add v here as Dmitriy suggested, considering dev. https://github.com/aquasecurity/trivy/blob/e393ce1477901ea566b43ccd2d29a239c1a4c7e8/pkg/commands/artifact/run.go#L471

knqyf263 avatar Jul 31 '22 06:07 knqyf263

Should work as expected now.

Moulick avatar Jul 31 '22 19:07 Moulick

@Moulick Thanks for your great contribution and patience!

knqyf263 avatar Aug 15 '22 13:08 knqyf263

@knqyf263 I'd be curious about the comment I added above 🤔.

Moulick avatar Aug 15 '22 13:08 Moulick

Which comment?

knqyf263 avatar Aug 15 '22 13:08 knqyf263

I had added a review comment, I suppose GitHub did not send a notification. Attached a screenshot in case it's not visible for some reason 😅 image

Moulick avatar Aug 15 '22 13:08 Moulick

aquasecurity/go-version is already used directly, while hashicorp/go-version is an indirect dependency. Also, we can easily modify that library as it is maintained by us.

knqyf263 avatar Aug 15 '22 14:08 knqyf263