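package nodejs

import (
	"context"
	"strings"

	"golang.org/x/exp/slices"

	"github.com/devseccon/trivy/pkg/fanal/analyzer"
	"github.com/devseccon/trivy/pkg/fanal/artifact"
	"github.com/devseccon/trivy/pkg/fanal/handler"
	"github.com/devseccon/trivy/pkg/fanal/types"
)

func init() {
	handler.RegisterPostHandlerInit(types.SystemFileFilteringPostHandler, newSystemFileFilteringPostHandler)
}

// version is the value reported by Version. Bump it when the filtering
// rules change so that previously cached results are not reused.
const version = 1

var (
	// defaultSystemFiles are paths that are always treated as OS-managed,
	// even when the image's package database does not list them.
	defaultSystemFiles = []string{
		// TODO: Google Distroless removes /var/lib/dpkg/info/*.list, so we cannot know which files are installed by dpkg.
		// We have to hardcode these files at the moment, but should look for the better way.
		"/usr/lib/python2.7/argparse.egg-info",
		"/usr/lib/python2.7/lib-dynload/Python-2.7.egg-info",
		"/usr/lib/python2.7/wsgiref.egg-info",
	}

	// affectedTypes are the application types whose whole entry is dropped
	// when the application's own FilePath is OS-managed. The per-library
	// filtering in Handle applies to every application type regardless of
	// this list.
	affectedTypes = []types.LangType{
		// ruby
		types.GemSpec,

		// python
		types.PythonPkg,

		// conda
		types.CondaPkg,

		// node.js
		types.NodePkg,

		// Go binaries
		types.GoBinary,
	}
)

// systemFileFilteringPostHandler drops language-specific packages whose
// files were installed by the OS package manager. Such packages are already
// covered by the OS package analysis; reporting them again under the
// language ecosystem's version would produce false positives.
type systemFileFilteringPostHandler struct{}

// newSystemFileFilteringPostHandler is the constructor registered in init.
// The handler is stateless, so the artifact options are ignored.
func newSystemFileFilteringPostHandler(artifact.Option) (handler.PostHandler, error) {
	return systemFileFilteringPostHandler{}, nil
}

// systemFileSet builds a lookup set from the given path lists.
//
// Leading slashes are trimmed so the keys use the same slash-less form as
// paths recorded for files inside container images. An entry that is only
// "/" would normalize to "" and then match every library with an empty
// FilePath, so empty keys are never inserted. The inputs are not modified.
func systemFileSet(lists ...[]string) map[string]struct{} {
	n := 0
	for _, l := range lists {
		n += len(l)
	}
	set := make(map[string]struct{}, n)
	for _, l := range lists {
		for _, file := range l {
			if p := strings.TrimPrefix(file, "/"); p != "" {
				set[p] = struct{}{}
			}
		}
	}
	return set
}

// Handle removes files installed by OS package manager such as yum.
//
// The set of OS-managed paths is result.SystemInstalledFiles plus
// defaultSystemFiles. blob.Applications and blob.CustomResources are
// rewritten in place so that nothing whose FilePath is in that set
// survives; application and resource FilePath values are compared verbatim
// against the normalized (leading-slash-trimmed) system paths. Handle never
// returns a non-nil error.
func (h systemFileFilteringPostHandler) Handle(_ context.Context, result *analyzer.AnalysisResult, blob *types.BlobInfo) error {
	// Build the set once instead of appending defaultSystemFiles onto the
	// result's slice (which could write into its spare capacity) and then
	// scanning it linearly for every library.
	systemFiles := systemFileSet(result.SystemInstalledFiles, defaultSystemFiles)
	isSystemFile := func(path string) bool {
		_, ok := systemFiles[path]
		return ok
	}

	var apps []types.Application
	for _, app := range blob.Applications {
		// If the lang-specific package was installed by OS package manager, it should not be taken.
		// Otherwise, the package version will be wrong, then it will lead to false positive.
		if isSystemFile(app.FilePath) && slices.Contains(affectedTypes, app.Type) {
			continue
		}

		var pkgs []types.Package
		for _, lib := range app.Libraries {
			// Same rule at library granularity, for every application type.
			if isSystemFile(lib.FilePath) {
				continue
			}
			pkgs = append(pkgs, lib)
		}

		// Overwrite Libraries
		app.Libraries = pkgs
		apps = append(apps, app)
	}

	// Compact CustomResources in place, keeping only entries that do not
	// point at an OS-managed file.
	kept := 0
	for _, res := range blob.CustomResources {
		if isSystemFile(res.FilePath) {
			continue
		}
		blob.CustomResources[kept] = res
		kept++
	}
	blob.CustomResources = blob.CustomResources[:kept]

	// Overwrite Applications
	blob.Applications = apps

	return nil
}

// Version reports the handler version used for cache invalidation.
func (h systemFileFilteringPostHandler) Version() int {
	return version
}

// Type identifies this handler in the post-handler registry.
func (h systemFileFilteringPostHandler) Type() types.HandlerType {
	return types.SystemFileFilteringPostHandler
}

// Priority orders this handler relative to the other post handlers.
func (h systemFileFilteringPostHandler) Priority() int {
	return types.SystemFileFilteringPostHandlerPriority
}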