fix: sync stdout buffer to file
When the trivy command completes, since it is the main process, the entire container is stopped before the stdout
buffer is flushed, resulting in malformed output.

Fixes aquasecurity#1792.
daanschipper committed Jul 24, 2024
1 parent d5d7e3d commit 8e71ce9
Showing 10 changed files with 91 additions and 89 deletions.
131 changes: 67 additions & 64 deletions pkg/plugins/trivy/image.go
Expand Up @@ -561,84 +561,87 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
command := []string{
"trivy",
}
trivyConfig := ctx.GetTrivyOperatorConfig()
compressLogs := trivyConfig.CompressLogs()
c, err := getConfig(ctx)
trivyOperatorConfig := ctx.GetTrivyOperatorConfig()
trivyConfig, err := getConfig(ctx)

if err != nil {
return []string{}, []string{}
}
slow := Slow(c)
sbomSources := c.GetSbomSources()
skipJavaDBUpdate := SkipJavaDBUpdate(c)
cacheDir := c.GetImageScanCacheDir()
vulnTypeArgs := vulnTypeFilter(ctx)
scanners := Scanners(c)

var vulnTypeFlag string
if len(vulnTypeArgs) == 2 {
vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1])
// Arguments first.
args := []string{
"image",
imageRef,
}

// Options in alphabetic order.
cacheDir := trivyConfig.GetImageScanCacheDir()
args = append(args, "--cache-dir", cacheDir)

args = append(args, "--format", "json")

imcs := imageConfigSecretScanner(trivyOperatorConfig)
if len(imcs) > 0 {
args = append(args, imcs...)
}

args = append(args, "--quiet")

sbomSources := trivyConfig.GetSbomSources()
if len(sbomSources) > 0 {
args = append(args, []string{"--sbom-sources", sbomSources}...)
}
imcs := imageConfigSecretScanner(trivyConfig)
var imageconfigSecretScannerFlag string
if len(imcs) == 2 {
imageconfigSecretScannerFlag = fmt.Sprintf("%s %s ", imcs[0], imcs[1])

scanners := Scanners(trivyConfig)
args = append(args, scanners, getSecurityChecks(ctx))

if len(trivyServerURL) > 0 {
args = append(args, []string{"--server", trivyServerURL}...)
}

var skipUpdate string
if c.GetClientServerSkipUpdate() && mode == ClientServer {
skipUpdate = SkipDBUpdate(c)
if trivyConfig.GetClientServerSkipUpdate() && mode == ClientServer {
skipUpdate = SkipDBUpdate(trivyConfig)
} else if mode != ClientServer {
skipUpdate = SkipDBUpdate(c)
skipUpdate = SkipDBUpdate(trivyConfig)
}
if len(skipUpdate) > 0 {
args = append(args, skipUpdate)
}
if !compressLogs {
args := []string{
"--cache-dir",
cacheDir,
"--quiet",
"image",
scanners,
getSecurityChecks(ctx),
"--format",
"json",
}
if len(trivyServerURL) > 0 {
args = append(args, []string{"--server", trivyServerURL}...)
}
args = append(args, imageRef)

if len(slow) > 0 {
args = append(args, slow)
}
if len(vulnTypeArgs) > 0 {
args = append(args, vulnTypeArgs...)
}
if len(imcs) > 0 {
args = append(args, imcs...)
}
pkgList := getPkgList(ctx)
if len(pkgList) > 0 {
args = append(args, pkgList)
}
if len(sbomSources) > 0 {
args = append(args, []string{"--sbom-sources", sbomSources}...)
}
if len(skipUpdate) > 0 {
args = append(args, skipUpdate)
}
if len(skipJavaDBUpdate) > 0 {
args = append(args, skipJavaDBUpdate)
}
skipJavaDBUpdate := SkipJavaDBUpdate(trivyConfig)
if len(skipJavaDBUpdate) > 0 {
args = append(args, skipJavaDBUpdate)
}

return command, args
slow := Slow(trivyConfig)
if len(slow) > 0 {
args = append(args, slow)
}
var serverUrlParms string
if mode == ClientServer {
serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL)

vulnTypeArgs := vulnTypeFilter(ctx)
if len(vulnTypeArgs) > 0 {
args = append(args, vulnTypeArgs...)
}
var sbomSourcesFlag string
if len(sbomSources) > 0 {
sbomSourcesFlag = fmt.Sprintf(" --sbom-sources %s ", sbomSources)

pkgList := getPkgList(ctx)
if len(pkgList) > 0 {
args = append(args, pkgList)
}

// Return early when compressing logs is disabled.
compressLogs := trivyOperatorConfig.CompressLogs()
if !compressLogs {
return command, args
}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s%s --cache-dir %s --quiet %s --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, sbomSourcesFlag, cacheDir, getPkgList(ctx), serverUrlParms, resultFileName, resultFileName)}

// Add command to args as it is now need to pipe output to compress.
args = append(command, args...)
// Add compress arguments.
// Sync is required to flush buffer to stdout before exiting.
args = append(args, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName))

return []string{"/bin/sh"}, append([]string{"-c"}, strings.Join(args, " "))
}

func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string) {
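Review bot: The shell path built by `strings.Join(args, " ")` now hands `imageRef` and `trivyServerURL` to `/bin/sh -c` unquoted, whereas the removed format string single-quoted both (`'%s'`); the updated fixtures in plugin_test.go and the envtest YAML confirm the quotes are gone. Image references originate from workload specs in the cluster, so a value containing shell metacharacters would now be interpreted by the shell inside the scan job rather than handed to trivy verbatim. Because elements such as `--security-checks vuln,secret` are single strings with embedded spaces, quoting every element would break them; quoting only the externally sourced values when assembling the shell command, as sketched below, restores the previous behaviour without touching the non-compress path. The comment `Sync is required to flush buffer to stdout before exiting` attributes the fix to stdout, but `sync(1)` commits filesystem buffers rather than a pipe, so if the benefit comes from the added delay the comment should say that instead. getCommandAndArgs' signature is above the hunk.
```go
	// … unchanged: argument assembly and the !compressLogs early return …

	// Only values that originate outside the operator (the image reference and
	// the server URL) are single-quoted for /bin/sh; compound elements such as
	// "--security-checks vuln,secret" are single strings and must stay as-is.
	shellArgs := append([]string{}, command...)
	for _, a := range args {
		if a == imageRef || (trivyServerURL != "" && a == trivyServerURL) {
			a = "'" + strings.ReplaceAll(a, "'", `'\''`) + "'"
		}
		shellArgs = append(shellArgs, a)
	}
	shellArgs = append(shellArgs, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName))

	return []string{"/bin/sh"}, append([]string{"-c"}, strings.Join(shellArgs, " "))
```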
34 changes: 17 additions & 17 deletions pkg/plugins/trivy/plugin_test.go
Expand Up @@ -345,7 +345,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -633,7 +633,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -921,7 +921,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -1229,7 +1229,7 @@ CVE-2019-1543`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -1542,7 +1542,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -1834,7 +1834,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2122,7 +2122,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2354,7 +2354,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2583,7 +2583,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -2817,7 +2817,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server https://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3051,7 +3051,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3305,7 +3305,7 @@ CVE-2019-1543`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3565,7 +3565,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -3800,7 +3800,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -5416,7 +5416,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image 000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -5731,7 +5731,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down Expand Up @@ -6048,7 +6048,7 @@ default ignore = false`,
},
Args: []string{
"-c",
"trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
"trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
},
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
Expand Down
1 change: 0 additions & 1 deletion tests/envtest/controller_test.go
Expand Up @@ -5,7 +5,6 @@ import (

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"

"path"
"time"

2 changes: 1 addition & 1 deletion tests/envtest/testdata/fixture/cronjob-expected-scan.yaml
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64
- trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 && sync
command:
- /bin/sh
env:
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64
- trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 && sync
command:
- /bin/sh
env:
2 changes: 1 addition & 1 deletion tests/envtest/testdata/fixture/job-expected-scan.yaml
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64
- trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 && sync
command:
- /bin/sh
env:
2 changes: 1 addition & 1 deletion tests/envtest/testdata/fixture/pod-expected-scan.yaml
Expand Up @@ -47,7 +47,7 @@ spec:
containers:
- args:
- -c
- trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64
- trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 && sync
command:
- /bin/sh
env: