Added skip_dir in image artifacts scan (fanal#128)

* Added skip_dir in image artifact scan

* Updated walker as per suggestions

* Fixed factory method

* refactor(image): revert skipDirectories in artifact

* feat: add InspectOption

* test(walker): add tests for skipDirectories

* test(walker): add tests for skipDirectories

* test(fs): add tests

* test(image): add tests

* test(integration): fix

* feat(main): add --skip-directories

Co-authored-by: knqyf263 <[email protected]>

Author: rahul2393

artifact/artifact.go

@@ -6,6 +6,10 @@ import (
 	"github.com/aquasecurity/fanal/types"
 )
 
+type InspectOption struct {
+	SkipDirectories []string
+}
+
 type Artifact interface {
-	Inspect(ctx context.Context) (reference types.ArtifactReference, err error)
+	Inspect(ctx context.Context, option InspectOption) (reference types.ArtifactReference, err error)
 }

artifact/image/image.go

@@ -30,7 +30,7 @@ func NewArtifact(img image.Image, c cache.ArtifactCache) artifact.Artifact {
 	}
 }
 
-func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error) {
+func (a Artifact) Inspect(ctx context.Context, option artifact.InspectOption) (types.ArtifactReference, error) {
 	imageID, err := a.image.ID()
 	if err != nil {
 		return types.ArtifactReference{}, xerrors.Errorf("unable to get the image ID: %w", err)
@@ -46,7 +46,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		return types.ArtifactReference{}, xerrors.Errorf("unable to get missing layers: %w", err)
 	}
 
-	if err := a.inspect(ctx, imageID, missingImage, missingLayers); err != nil {
+	if err := a.inspect(ctx, imageID, missingImage, missingLayers, option); err != nil {
 		return types.ArtifactReference{}, xerrors.Errorf("analyze error: %w", err)
 	}
 
@@ -58,14 +58,14 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 
 }
 
-func (a Artifact) inspect(ctx context.Context, imageID string, missingImage bool, diffIDs []string) error {
+func (a Artifact) inspect(ctx context.Context, imageID string, missingImage bool, diffIDs []string, option artifact.InspectOption) error {
 	done := make(chan struct{})
 	errCh := make(chan error)
 
 	var osFound types.OS
 	for _, d := range diffIDs {
 		go func(diffID string) {
-			layerInfo, err := a.inspectLayer(diffID)
+			layerInfo, err := a.inspectLayer(diffID, option)
 			if err != nil {
 				errCh <- xerrors.Errorf("failed to analyze layer: %s : %w", diffID, err)
 				return
@@ -101,14 +101,14 @@ func (a Artifact) inspect(ctx context.Context, imageID string, missingImage bool
 
 }
 
-func (a Artifact) inspectLayer(diffID string) (types.BlobInfo, error) {
+func (a Artifact) inspectLayer(diffID string, option artifact.InspectOption) (types.BlobInfo, error) {
 	layerDigest, r, err := a.uncompressedLayer(diffID)
 	if err != nil {
 		return types.BlobInfo{}, xerrors.Errorf("unable to get uncompressed layer %s: %w", diffID, err)
 	}
 
 	result := new(analyzer.AnalysisResult)
-	opqDirs, whFiles, err := walker.WalkLayerTar(r, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
+	opqDirs, whFiles, err := walker.WalkLayerTar(r, option.SkipDirectories, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		r, err := analyzer.AnalyzeFile(filePath, info, opener)
 		if err != nil {
 			return err

artifact/image/image_test.go

@@ -6,6 +6,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/aquasecurity/fanal/artifact"
+
 	depTypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 	"golang.org/x/xerrors"
 
@@ -15,6 +17,7 @@ import (
 
 	_ "github.com/aquasecurity/fanal/analyzer/command/apk"
 	_ "github.com/aquasecurity/fanal/analyzer/library/composer"
+	_ "github.com/aquasecurity/fanal/analyzer/library/pipenv"
 	_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
 	_ "github.com/aquasecurity/fanal/analyzer/os/debian"
 	_ "github.com/aquasecurity/fanal/analyzer/os/ubuntu"
@@ -29,7 +32,7 @@ import (
 
 func TestArtifact_Inspect(t *testing.T) {
 	type args struct {
-		ctx context.Context
+		inspectOption artifact.InspectOption
 	}
 	tests := []struct {
 		name                    string
@@ -203,6 +206,132 @@ func TestArtifact_Inspect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:      "happy path: include a fake lock file",
+			imagePath: "../../test/testdata/fake-lockfile.tar.gz",
+			args: args{
+				inspectOption: artifact.InspectOption{
+					SkipDirectories: []string{"/dep/"},
+				},
+			},
+			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
+				Args: cache.ArtifactCacheMissingBlobsArgs{
+					ArtifactID: "sha256:c4a9737d9fb3671d19691e767bd4ff04f1185e45c6256462af82127703a05904",
+					BlobIDs: []string{
+						"sha256:de1602ca36c9aa319d4bff5df192859c300d0c66975a1762d4564c145d0c5bd1",
+						"sha256:1d3b68b6972f1721420b414849e7a08ed732fe05a89427296ffa3b89d885f372",
+						"sha256:5f4707793820b85c490763fc4e0b344015825f86e3500357b0422e218db4f6a7",
+						"sha256:f93dc29b4a9e546654f3d3c3e874fe21009a0862be3e1bea1ebd7dcc955e137a",
+					},
+				},
+				Returns: cache.ArtifactCacheMissingBlobsReturns{
+					MissingBlobIDs: []string{
+						"sha256:de1602ca36c9aa319d4bff5df192859c300d0c66975a1762d4564c145d0c5bd1",
+						"sha256:1d3b68b6972f1721420b414849e7a08ed732fe05a89427296ffa3b89d885f372",
+						"sha256:5f4707793820b85c490763fc4e0b344015825f86e3500357b0422e218db4f6a7",
+						"sha256:f93dc29b4a9e546654f3d3c3e874fe21009a0862be3e1bea1ebd7dcc955e137a",
+					},
+				},
+			},
+			putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
+				{
+					Args: cache.ArtifactCachePutBlobArgs{
+						BlobID: "sha256:de1602ca36c9aa319d4bff5df192859c300d0c66975a1762d4564c145d0c5bd1",
+						BlobInfo: types.BlobInfo{
+							SchemaVersion: 1,
+							Digest:        "",
+							DiffID:        "sha256:de1602ca36c9aa319d4bff5df192859c300d0c66975a1762d4564c145d0c5bd1",
+							OS:            &types.OS{Family: "debian", Name: "10.1"},
+							PackageInfos: []types.PackageInfo{
+								{
+									FilePath: "var/lib/dpkg/status.d/base",
+									Packages: []types.Package{
+										{Name: "base-files", Version: "10.3+deb10u1", SrcName: "base-files", SrcVersion: "10.3+deb10u1"},
+									},
+								},
+								{
+									FilePath: "var/lib/dpkg/status.d/netbase",
+									Packages: []types.Package{
+										{Name: "netbase", Version: "5.6", SrcName: "netbase", SrcVersion: "5.6"},
+									},
+								},
+								{
+									FilePath: "var/lib/dpkg/status.d/tzdata",
+									Packages: []types.Package{
+										{Name: "tzdata", Version: "2019b-0+deb10u1", SrcName: "tzdata", SrcVersion: "2019b-0+deb10u1"},
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Args: cache.ArtifactCachePutBlobArgs{
+						BlobID: "sha256:1d3b68b6972f1721420b414849e7a08ed732fe05a89427296ffa3b89d885f372",
+						BlobInfo: types.BlobInfo{
+							SchemaVersion: 1,
+							Digest:        "",
+							DiffID:        "sha256:1d3b68b6972f1721420b414849e7a08ed732fe05a89427296ffa3b89d885f372",
+							PackageInfos: []types.PackageInfo{
+								{
+									FilePath: "var/lib/dpkg/status.d/libc6",
+									Packages: []types.Package{{Name: "libc6", Version: "2.28-10", SrcName: "glibc", SrcVersion: "2.28-10"}},
+								},
+								{
+									FilePath: "var/lib/dpkg/status.d/libssl1",
+									Packages: []types.Package{
+										{Name: "libssl1.1", Version: "1.1.1d-0+deb10u1", SrcName: "openssl", SrcVersion: "1.1.1d-0+deb10u1"},
+									},
+								},
+								{
+									FilePath: "var/lib/dpkg/status.d/openssl",
+									Packages: []types.Package{
+										{Name: "openssl", Version: "1.1.1d-0+deb10u1", SrcName: "openssl", SrcVersion: "1.1.1d-0+deb10u1"},
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Args: cache.ArtifactCachePutBlobArgs{
+						BlobID: "sha256:5f4707793820b85c490763fc4e0b344015825f86e3500357b0422e218db4f6a7",
+						BlobInfo: types.BlobInfo{
+							SchemaVersion: 1,
+							Digest:        "",
+							DiffID:        "sha256:5f4707793820b85c490763fc4e0b344015825f86e3500357b0422e218db4f6a7",
+							Applications: []types.Application{{Type: "pipenv", FilePath: "app/Pipfile.lock",
+								Libraries: []types.LibraryInfo{
+									{Library: depTypes.Library{Name: "pyyaml", Version: "5.3.1"}},
+								},
+							}},
+							OpaqueDirs: []string{"app/"},
+						},
+					},
+				},
+				{
+					Args: cache.ArtifactCachePutBlobArgs{
+						BlobID: "sha256:f93dc29b4a9e546654f3d3c3e874fe21009a0862be3e1bea1ebd7dcc955e137a",
+						BlobInfo: types.BlobInfo{
+							SchemaVersion: 1,
+							Digest:        "",
+							DiffID:        "sha256:f93dc29b4a9e546654f3d3c3e874fe21009a0862be3e1bea1ebd7dcc955e137a",
+							OpaqueDirs:    []string{"dep/"},
+						},
+					},
+				},
+			},
+			want: types.ArtifactReference{
+				Name: "../../test/testdata/fake-lockfile.tar.gz",
+				ID:   "sha256:c4a9737d9fb3671d19691e767bd4ff04f1185e45c6256462af82127703a05904",
+				BlobIDs: []string{
+					"sha256:de1602ca36c9aa319d4bff5df192859c300d0c66975a1762d4564c145d0c5bd1",
+					"sha256:1d3b68b6972f1721420b414849e7a08ed732fe05a89427296ffa3b89d885f372",
+					"sha256:5f4707793820b85c490763fc4e0b344015825f86e3500357b0422e218db4f6a7",
+					"sha256:f93dc29b4a9e546654f3d3c3e874fe21009a0862be3e1bea1ebd7dcc955e137a",
+				},
+			},
+		},
 		{
 			name:      "sad path, MissingBlobs returns an error",
 			imagePath: "../../test/testdata/alpine-311.tar.gz",
@@ -363,7 +492,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			require.NoError(t, err)
 
 			a := image2.NewArtifact(img, mockCache)
-			got, err := a.Inspect(context.Background())
+			got, err := a.Inspect(context.Background(), tt.args.inspectOption)
 			if tt.wantErr != "" {
 				require.NotNil(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr, tt.name)

artifact/local/fs.go

@@ -13,8 +13,6 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/fanal/analyzer"
-	_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
-	_ "github.com/aquasecurity/fanal/analyzer/pkg/apk"
 	"github.com/aquasecurity/fanal/artifact"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/fanal/types"
@@ -33,9 +31,9 @@ func NewArtifact(dir string, c cache.ArtifactCache) artifact.Artifact {
 	}
 }
 
-func (a Artifact) Inspect(_ context.Context) (types.ArtifactReference, error) {
+func (a Artifact) Inspect(_ context.Context, option artifact.InspectOption) (types.ArtifactReference, error) {
 	var result analyzer.AnalysisResult
-	err := walker.WalkDir(a.dir, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
+	err := walker.WalkDir(a.dir, option.SkipDirectories, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		filePath, err := filepath.Rel(a.dir, filePath)
 		if err != nil {
 			return err

artifact/local/fs_test.go

@@ -4,12 +4,17 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
+	"github.com/aquasecurity/fanal/analyzer/library"
+	_ "github.com/aquasecurity/fanal/analyzer/library/bundler"
+	_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
+	_ "github.com/aquasecurity/fanal/analyzer/pkg/apk"
+	"github.com/aquasecurity/fanal/artifact"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/fanal/types"
+	godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 )
 
 func TestArtifact_Inspect(t *testing.T) {
@@ -30,10 +35,10 @@ func TestArtifact_Inspect(t *testing.T) {
 			},
 			putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 				Args: cache.ArtifactCachePutBlobArgs{
-					BlobID: "sha256:d2e3f5cd0886b85366bd784fbebed88cece36902f4c70722c42e5080e0d5ba17",
+					BlobID: "sha256:5d883ef50a8d41f799cf1cf7d2a59cf65afd56e73909cc52ddd8893598ed2cb8",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
-						DiffID:        "sha256:d2e3f5cd0886b85366bd784fbebed88cece36902f4c70722c42e5080e0d5ba17",
+						DiffID:        "sha256:5d883ef50a8d41f799cf1cf7d2a59cf65afd56e73909cc52ddd8893598ed2cb8",
 						OS: &types.OS{
 							Family: "alpine",
 							Name:   "3.11.6",
@@ -46,15 +51,25 @@ func TestArtifact_Inspect(t *testing.T) {
 								},
 							},
 						},
+						Applications: []types.Application{
+							{
+								Type:     library.Bundler,
+								FilePath: "Gemfile.lock",
+								Libraries: []types.LibraryInfo{
+									{Library: godeptypes.Library{Name: "dotenv", Version: "2.7.2"}},
+									{Library: godeptypes.Library{Name: "rack", Version: "2.0.7"}},
+								},
+							},
+						},
 					},
 				},
 				Returns: cache.ArtifactCachePutBlobReturns{},
 			},
 			want: types.ArtifactReference{
 				Name: "host",
-				ID:   "sha256:d2e3f5cd0886b85366bd784fbebed88cece36902f4c70722c42e5080e0d5ba17",
+				ID:   "sha256:5d883ef50a8d41f799cf1cf7d2a59cf65afd56e73909cc52ddd8893598ed2cb8",
 				BlobIDs: []string{
-					"sha256:d2e3f5cd0886b85366bd784fbebed88cece36902f4c70722c42e5080e0d5ba17",
+					"sha256:5d883ef50a8d41f799cf1cf7d2a59cf65afd56e73909cc52ddd8893598ed2cb8",
 				},
 			},
 		},
@@ -65,10 +80,10 @@ func TestArtifact_Inspect(t *testing.T) {
 			},
 			putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 				Args: cache.ArtifactCachePutBlobArgs{
-					BlobID: "sha256:d2e3f5cd0886b85366bd784fbebed88cece36902f4c70722c42e5080e0d5ba17",
+					BlobID: "sha256:5d883ef50a8d41f799cf1cf7d2a59cf65afd56e73909cc52ddd8893598ed2cb8",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
-						DiffID:        "sha256:d2e3f5cd0886b85366bd784fbebed88cece36902f4c70722c42e5080e0d5ba17",
+						DiffID:        "sha256:5d883ef50a8d41f799cf1cf7d2a59cf65afd56e73909cc52ddd8893598ed2cb8",
 						OS: &types.OS{
 							Family: "alpine",
 							Name:   "3.11.6",
@@ -81,6 +96,16 @@ func TestArtifact_Inspect(t *testing.T) {
 								},
 							},
 						},
+						Applications: []types.Application{
+							{
+								Type:     library.Bundler,
+								FilePath: "Gemfile.lock",
+								Libraries: []types.LibraryInfo{
+									{Library: godeptypes.Library{Name: "dotenv", Version: "2.7.2"}},
+									{Library: godeptypes.Library{Name: "rack", Version: "2.0.7"}},
+								},
+							},
+						},
 					},
 				},
 				Returns: cache.ArtifactCachePutBlobReturns{
@@ -103,7 +128,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			c.ApplyPutBlobExpectation(tt.putBlobExpectation)
 
 			a := NewArtifact(tt.fields.dir, c)
-			got, err := a.Inspect(nil)
+			got, err := a.Inspect(nil, artifact.InspectOption{SkipDirectories: []string{"testdata/skipdir"}})
 			if tt.wantErr != "" {
 				require.NotNil(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr)

artifact/local/testdata/Gemfile.lock

@@ -0,0 +1,14 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    dotenv (2.7.2)
+    rack (2.0.7)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  dotenv (~> 2.7)
+
+BUNDLED WITH
+   1.17.2

artifact/local/testdata/skipdir/Gemfile.lock

@@ -0,0 +1,14 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    dotenv (2.7.2)
+    thor (0.20.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  dotenv (~> 2.7)
+
+BUNDLED WITH
+   1.17.2