diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index d9c312602190..952f1892843f 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md @@ -79,6 +79,7 @@ trivy image [flags] IMAGE_NAME --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs output all packages in the JSON report regardless of vulnerability + --max-image-size string maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --no-progress suppress progress bar diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index fe6332522ee0..cb5555e02007 100644 --- a/docs/docs/references/configuration/config-file.md +++ b/docs/docs/references/configuration/config-file.md @@ -137,6 +137,9 @@ image: # Same as '--input' input: "" + # Same as '--max-image-size' + max-size: "" + # Same as '--platform' platform: "" diff --git a/go.mod b/go.mod index d3f25c355534..e0e4b58566bf 100644 --- a/go.mod +++ b/go.mod @@ -45,6 +45,7 @@ require ( github.com/docker/cli v27.4.1+incompatible github.com/docker/docker v27.4.1+incompatible github.com/docker/go-connections v0.5.0 + github.com/docker/go-units v0.5.0 github.com/fatih/color v1.18.0 github.com/go-git/go-git/v5 v5.12.0 github.com/go-openapi/runtime v0.28.0 // indirect @@ -217,7 +218,6 @@ require ( github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-metrics v0.0.1 // indirect - github.com/docker/go-units v0.5.0 // indirect github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect github.com/dsnet/compress v0.0.1 // indirect github.com/dustin/go-humanize v1.0.1 // indirect diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index 8769ede2b8cb..80d2f77710ee 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -587,6 +587,7 @@ func (r *runner) initScannerConfig(ctx context.Context, opts flag.Options) (Scan Host: opts.PodmanHost, }, ImageSources: opts.ImageSources, + MaxImageSize: opts.MaxImageSize, }, // For misconfiguration scanning diff --git a/pkg/fanal/artifact/image/image.go b/pkg/fanal/artifact/image/image.go index b4350b25b866..e9b75a6888c0 100644 --- a/pkg/fanal/artifact/image/image.go +++ b/pkg/fanal/artifact/image/image.go @@ -5,11 +5,13 @@ import ( "errors" "io" "os" + "path/filepath" "reflect" "slices" "strings" "sync" + "github.com/docker/go-units" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/samber/lo" "golang.org/x/xerrors" @@ -36,6 +38,8 @@ type Artifact struct { handlerManager handler.Manager artifactOption artifact.Option + + cacheDir string } type LayerInfo struct { @@ -70,6 +74,7 @@ func NewArtifact(img types.Image, c cache.ArtifactCache, opt artifact.Option) (a handlerManager: handlerManager, artifactOption: opt, + cacheDir: os.TempDir(), }, nil } @@ -88,6 +93,11 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) { diffIDs := a.diffIDs(configFile) a.logger.Debug("Detected diff ID", log.Any("diff_ids", diffIDs)) + defer os.RemoveAll(a.cacheDir) + if err := a.checkImageSize(diffIDs); err != nil { + return artifact.Reference{}, err + } + // Try retrieving a remote SBOM document if res, err := a.retrieveRemoteSBOM(ctx); err == nil { // Found SBOM @@ -198,6 +208,56 @@ func (a Artifact) consolidateCreatedBy(diffIDs, layerKeys []string, configFile * return layerKeyMap } +func (a Artifact) checkImageSize(diffIDs []string) error { + maxSize := a.artifactOption.ImageOption.MaxImageSize + if maxSize == 0 { + return nil + } + + imageSize, err := a.imageSize(diffIDs) + if err != nil { + return xerrors.Errorf("failed to calculate image size: %w", err) + } + + if imageSize > maxSize { + return xerrors.Errorf( + "uncompressed image size %s exceeds maximum allowed size %s", + units.HumanSizeWithPrecision(float64(imageSize), 3), units.HumanSize(float64(maxSize)), + ) + } + return nil +} + +func (a Artifact) imageSize(diffIDs []string) (int64, error) { + var imageSize int64 + + for _, diffID := range diffIDs { + layerSize, err := a.saveLayer(diffID) + if err != nil { + return -1, xerrors.Errorf("failed to save layer: %w", err) + } + imageSize += layerSize + } + + return imageSize, nil +} + +func (a Artifact) saveLayer(diffID string) (int64, error) { + _, rc, err := a.uncompressedLayer(diffID) + if err != nil { + return -1, xerrors.Errorf("unable to get uncompressed layer %s: %w", diffID, err) + } + defer rc.Close() + + f, err := os.Create(filepath.Join(a.cacheDir, diffID)) + if err != nil { + return -1, xerrors.Errorf("failed to create a file: %w", err) + } + defer f.Close() + + return io.Copy(f, rc) +} + func (a Artifact) inspect(ctx context.Context, missingImage string, layerKeys, baseDiffIDs []string, layerKeyMap map[string]LayerInfo, configFile *v1.ConfigFile) error { @@ -361,6 +421,11 @@ func (a Artifact) uncompressedLayer(diffID string) (string, io.ReadCloser, error digest = d.String() } + f, err := os.Open(filepath.Join(a.cacheDir, diffID)) + if err == nil { + return digest, f, nil + } + rc, err := layer.Uncompressed() if err != nil { return "", nil, xerrors.Errorf("failed to get the layer content (%s): %w", diffID, err) diff --git a/pkg/fanal/artifact/image/image_test.go b/pkg/fanal/artifact/image/image_test.go index f7e80e3cf578..df030859eed5 100644 --- a/pkg/fanal/artifact/image/image_test.go +++ b/pkg/fanal/artifact/image/image_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/docker/go-units" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -348,6 +349,7 @@ func TestArtifact_Inspect(t *testing.T) { imagePath: "../../test/testdata/alpine-311.tar.gz", artifactOpt: artifact.Option{ LicenseScannerOption: analyzer.LicenseScannerOption{Full: true}, + ImageOption: types.ImageOptions{MaxImageSize: units.GB}, }, missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ @@ -2243,6 +2245,14 @@ func TestArtifact_Inspect(t *testing.T) { }, wantErr: "put artifact failed", }, + { + name: "sad path, image size is larger than the maximum", + imagePath: "../../test/testdata/alpine-311.tar.gz", + artifactOpt: artifact.Option{ + ImageOption: types.ImageOptions{MaxImageSize: units.MB * 1}, + }, + wantErr: "uncompressed image size 5.86MB exceeds maximum allowed size 1MB", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/fanal/types/image.go b/pkg/fanal/types/image.go index 91cdfb44b60c..ac8406eaa322 100644 --- a/pkg/fanal/types/image.go +++ b/pkg/fanal/types/image.go @@ -53,6 +53,7 @@ type ImageOptions struct { PodmanOptions PodmanOptions ContainerdOptions ContainerdOptions ImageSources ImageSources + MaxImageSize int64 } type DockerOptions struct { diff --git a/pkg/flag/image_flags.go b/pkg/flag/image_flags.go index aaa3fc65b930..d56cae500cdf 100644 --- a/pkg/flag/image_flags.go +++ b/pkg/flag/image_flags.go @@ -1,6 +1,7 @@ package flag import ( + "github.com/docker/go-units" v1 "github.com/google/go-containerregistry/pkg/v1" "golang.org/x/xerrors" @@ -58,6 +59,12 @@ var ( Values: xstrings.ToStringSlice(ftypes.AllImageSources), Usage: "image source(s) to use, in priority order", } + MaxImageSize = Flag[string]{ + Name: "max-image-size", + ConfigName: "image.max-size", + Default: "", + Usage: "maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size", + } ) type ImageFlagGroup struct { @@ -68,6 +75,7 @@ type ImageFlagGroup struct { DockerHost *Flag[string] PodmanHost *Flag[string] ImageSources *Flag[[]string] + MaxImageSize *Flag[string] } type ImageOptions struct { @@ -78,6 +86,7 @@ type ImageOptions struct { DockerHost string PodmanHost string ImageSources ftypes.ImageSources + MaxImageSize int64 } func NewImageFlagGroup() *ImageFlagGroup { @@ -89,6 +98,7 @@ func NewImageFlagGroup() *ImageFlagGroup { DockerHost: DockerHostFlag.Clone(), PodmanHost: PodmanHostFlag.Clone(), ImageSources: SourceFlag.Clone(), + MaxImageSize: MaxImageSize.Clone(), } } @@ -105,6 +115,7 @@ func (f *ImageFlagGroup) Flags() []Flagger { f.DockerHost, f.PodmanHost, f.ImageSources, + f.MaxImageSize, } } @@ -124,6 +135,14 @@ func (f *ImageFlagGroup) ToOptions() (ImageOptions, error) { } platform = ftypes.Platform{Platform: pl} } + var maxSize int64 + if value := f.MaxImageSize.Value(); value != "" { + parsedSize, err := units.FromHumanSize(value) + if err != nil { + return ImageOptions{}, xerrors.Errorf("invalid max image size %q: %w", value, err) + } + maxSize = parsedSize + } return ImageOptions{ Input: f.Input.Value(), @@ -133,5 +152,6 @@ func (f *ImageFlagGroup) ToOptions() (ImageOptions, error) { DockerHost: f.DockerHost.Value(), PodmanHost: f.PodmanHost.Value(), ImageSources: xstrings.ToTSlice[ftypes.ImageSource](f.ImageSources.Value()), + MaxImageSize: maxSize, }, nil }