feat(hook): add system file filter (fanal#263)

Author: knqyf263

analyzer/analyzer.go

@@ -58,15 +58,17 @@ func RegisterConfigAnalyzer(analyzer configAnalyzer) {
 type Opener func() ([]byte, error)
 
 type AnalysisResult struct {
-	m            sync.Mutex
-	OS           *types.OS
-	PackageInfos []types.PackageInfo
-	Applications []types.Application
-	Configs      []types.Config
+	m                    sync.Mutex
+	OS                   *types.OS
+	PackageInfos         []types.PackageInfo
+	Applications         []types.Application
+	Configs              []types.Config
+	SystemInstalledFiles []string // A list of files installed by OS package manager
 }
 
 func (r *AnalysisResult) isEmpty() bool {
-	return r.OS == nil && len(r.PackageInfos) == 0 && len(r.Applications) == 0 && len(r.Configs) == 0
+	return r.OS == nil && len(r.PackageInfos) == 0 && len(r.Applications) == 0 &&
+		len(r.Configs) == 0 && len(r.SystemInstalledFiles) == 0
 }
 
 func (r *AnalysisResult) Sort() {
@@ -123,6 +125,8 @@ func (r *AnalysisResult) Merge(new *AnalysisResult) {
 	for _, m := range new.Configs {
 		r.Configs = append(r.Configs, m)
 	}
+
+	r.SystemInstalledFiles = append(r.SystemInstalledFiles, new.SystemInstalledFiles...)
 }
 
 type Analyzer struct {

analyzer/pkg/dpkg/dpkg.go

@@ -9,15 +9,11 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/aquasecurity/fanal/types"
-
-	"github.com/aquasecurity/fanal/utils"
-
-	mapset "github.com/deckarep/golang-set"
+	debVersion "github.com/knqyf263/go-deb-version"
 
 	"github.com/aquasecurity/fanal/analyzer"
-
-	debVersion "github.com/knqyf263/go-deb-version"
+	"github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/fanal/utils"
 )
 
 func init() {
@@ -50,9 +46,9 @@ func (a debianPkgAnalyzer) Analyze(target analyzer.AnalysisTarget) (*analyzer.An
 	}, nil
 }
 
-func (a debianPkgAnalyzer) parseDpkginfo(scanner *bufio.Scanner) (pkgs []types.Package) {
+func (a debianPkgAnalyzer) parseDpkginfo(scanner *bufio.Scanner) []types.Package {
 	var pkg *types.Package
-	pkgMap := mapset.NewSet()
+	pkgMap := map[string]*types.Package{}
 
 	for scanner.Scan() {
 		line := strings.TrimSpace(scanner.Text())
@@ -63,20 +59,15 @@ func (a debianPkgAnalyzer) parseDpkginfo(scanner *bufio.Scanner) (pkgs []types.P
 
 		pkg = a.parseDpkgPkg(scanner)
 		if pkg != nil {
-			pkgMap.Add(*pkg)
+			pkgMap[pkg.Name+"-"+pkg.Version] = pkg
 		}
 	}
-	pkgs = mapsetToSlice(pkgMap)
-	return pkgs
-}
 
-func mapsetToSlice(features mapset.Set) []types.Package {
-	uniqueLayerFeatures := make([]types.Package, 0, features.Cardinality())
-	for f := range features.Iter() {
-		feature := f.(types.Package)
-		uniqueLayerFeatures = append(uniqueLayerFeatures, feature)
+	pkgs := make([]types.Package, 0, len(pkgMap))
+	for _, p := range pkgMap {
+		pkgs = append(pkgs, *p)
 	}
-	return uniqueLayerFeatures
+	return pkgs
 }
 
 func (a debianPkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package) {

analyzer/pkg/dpkg/dpkg_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/kylelemons/godebug/pretty"
 )
 
-func TestParseApkInfo(t *testing.T) {
+func TestParseDpkgInfo(t *testing.T) {
 	var tests = map[string]struct {
 		path string
 		pkgs []types.Package

analyzer/pkg/rpm/rpm.go

@@ -28,7 +28,7 @@ var requiredFiles = []string{
 type rpmPkgAnalyzer struct{}
 
 func (a rpmPkgAnalyzer) Analyze(target analyzer.AnalysisTarget) (*analyzer.AnalysisResult, error) {
-	parsedPkgs, err := a.parsePkgInfo(target.Content)
+	parsedPkgs, installedFiles, err := a.parsePkgInfo(target.Content)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to parse rpmdb: %w", err)
 	}
@@ -40,37 +40,40 @@ func (a rpmPkgAnalyzer) Analyze(target analyzer.AnalysisTarget) (*analyzer.Analy
 				Packages: parsedPkgs,
 			},
 		},
+		SystemInstalledFiles: installedFiles,
 	}, nil
 }
 
-func (a rpmPkgAnalyzer) parsePkgInfo(packageBytes []byte) (pkgs []types.Package, err error) {
+func (a rpmPkgAnalyzer) parsePkgInfo(packageBytes []byte) ([]types.Package, []string, error) {
 	tmpDir, err := ioutil.TempDir("", "rpm")
 	defer os.RemoveAll(tmpDir)
 	if err != nil {
-		return nil, xerrors.Errorf("failed to create a temp dir: %w", err)
+		return nil, nil, xerrors.Errorf("failed to create a temp dir: %w", err)
 	}
 
 	filename := filepath.Join(tmpDir, "Packages")
 	err = ioutil.WriteFile(filename, packageBytes, 0700)
 	if err != nil {
-		return nil, xerrors.Errorf("failed to write a package file: %w", err)
+		return nil, nil, xerrors.Errorf("failed to write a package file: %w", err)
 	}
 
 	// rpm-python 4.11.3 rpm-4.11.3-35.el7.src.rpm
 	// Extract binary package names because RHSA refers to binary package names.
 	db, err := rpmdb.Open(filename)
 	if err != nil {
-		return nil, xerrors.Errorf("failed to open RPM DB: %w", err)
+		return nil, nil, xerrors.Errorf("failed to open RPM DB: %w", err)
 	}
 
 	// equivalent:
 	//   new version: rpm -qa --qf "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{SOURCERPM} %{ARCH}\n"
 	//   old version: rpm -qa --qf "%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{SOURCERPM} %{ARCH}\n"
 	pkgList, err := db.ListPackages()
 	if err != nil {
-		return nil, xerrors.Errorf("failed to list packages", err)
+		return nil, nil, xerrors.Errorf("failed to list packages", err)
 	}
 
+	var pkgs []types.Package
+	var installedFiles []string
 	for _, pkg := range pkgList {
 		arch := pkg.Arch
 		if arch == "" {
@@ -84,6 +87,11 @@ func (a rpmPkgAnalyzer) parsePkgInfo(packageBytes []byte) (pkgs []types.Package,
 			srcName, srcVer, srcRel = splitFileName(pkg.SourceRpm)
 		}
 
+		files, err := pkg.InstalledFiles()
+		if err != nil {
+			return nil, nil, xerrors.Errorf("unable to get installed files: %w", err)
+		}
+
 		p := types.Package{
 			Name:            pkg.Name,
 			Epoch:           pkg.Epoch,
@@ -98,9 +106,10 @@ func (a rpmPkgAnalyzer) parsePkgInfo(packageBytes []byte) (pkgs []types.Package,
 			License:         pkg.License,
 		}
 		pkgs = append(pkgs, p)
+		installedFiles = append(installedFiles, files...)
 	}
 
-	return pkgs, nil
+	return pkgs, installedFiles, nil
 }
 
 // splitFileName returns a name, version, release, epoch, arch

analyzer/pkg/rpm/rpm_test.go

@@ -584,7 +584,7 @@ func TestParseRpmInfo(t *testing.T) {
 			bytes, err := ioutil.ReadFile(tc.path)
 			require.NoError(t, err)
 
-			pkgs, err := a.parsePkgInfo(bytes)
+			pkgs, _, err := a.parsePkgInfo(bytes)
 			require.NoError(t, err)
 
 			sort.Slice(tc.pkgs, func(i, j int) bool {

artifact/image/image.go

@@ -229,6 +229,7 @@ func (a Artifact) inspectLayer(ctx context.Context, diffID string) (types.BlobIn
 		OS:            result.OS,
 		PackageInfos:  result.PackageInfos,
 		Applications:  result.Applications,
+		SystemFiles:   result.SystemInstalledFiles,
 		OpaqueDirs:    opqDirs,
 		WhiteoutFiles: whFiles,
 	}

artifact/local/fs.go

@@ -99,6 +99,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		PackageInfos:      result.PackageInfos,
 		Applications:      result.Applications,
 		Misconfigurations: misconfs,
+		SystemFiles:       result.SystemInstalledFiles,
 	}
 
 	if err = a.hookManager.CallHooks(&blobInfo); err != nil {

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/go-redis/redis/v8 v8.11.3
 	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/google/flatbuffers v1.12.1 // indirect
 	github.com/google/go-containerregistry v0.6.0
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -25,7 +26,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.10.1 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
-	github.com/knqyf263/go-rpmdb v0.0.0-20201215100354-a9e3110d8ee1
+	github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49
 	github.com/knqyf263/nested v0.0.1
 	github.com/kylelemons/godebug v1.1.0
 	github.com/mitchellh/mapstructure v1.4.1

go.sum

@@ -650,8 +650,9 @@ github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Z
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/crfs v0.0.0-20191108021818-71d77da419c9/go.mod h1:etGhoOqfwPkooV6aqoX3eBGQOJblqdoc9XvWOeuxpPw=
-github.com/google/flatbuffers v1.12.0 h1:N8EguYFm2wwdpoNcpchQY0tPs85vOJkboFb2dPxmixo=
 github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
+github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw=
+github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -863,8 +864,8 @@ github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GX
 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
-github.com/knqyf263/go-rpmdb v0.0.0-20201215100354-a9e3110d8ee1 h1:sRDvjjWoHLWAxtPXBKYRJp8Ot4ugxYE/ZyADl3jzc1g=
-github.com/knqyf263/go-rpmdb v0.0.0-20201215100354-a9e3110d8ee1/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
+github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49 h1:QazJZdFn/ApQh8OHepQiCKXGZ0QE08Bu8BnS10aHgvE=
+github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=

hook/all/import.go

@@ -1,6 +1,7 @@
 package all
 
 import (
+	_ "github.com/aquasecurity/fanal/hook/filter"
 	_ "github.com/aquasecurity/fanal/hook/nodejs"
 	_ "github.com/aquasecurity/fanal/hook/python"
 	_ "github.com/aquasecurity/fanal/hook/ruby"