Disable library analyzer for OS only scan type #1191
Merged
knqyf263 merged 6 commits into aquasecurity:main from Sep 29, 2021
Conversation
@knqyf263 any chance that you can have a look at this soon? Seems like an easy fix, but it is quite troubling for us. Thanks a lot for providing Trivy!
dmivankov referenced this pull request in dmivankov/trivy on Sep 15, 2021:
Allows disabling analyzers from outside. Mainly to disable the jar analyzer, which can go to the network, which may be undesired and introduce scan flakiness. But it sounds generic enough to have other uses too. Related to #1191 and #1233.
@fawind could you please sign the CLA to get this merged?
Contributor / Author
I think the CLA expires after a while. Re-signed it.
Collaborator
@fawind I'm sorry for the inconvenience. We recently updated our CLA. All contributors need to re-sign, and that's why you needed to sign it again.
knqyf263 approved these changes on Sep 29, 2021
Collaborator
Thanks!
Contributor / Author
Thanks for taking the time and bringing this over the line, @knqyf263! Do you know if there is a timeline for the next release that will include this fix?
Collaborator
We plan to release it by next week.
We are running into the issue that with the addition of JAR scanning in v0.17.0, Trivy tries to reach out to "maven.org" in order to resolve maven artifacts. This breaks running the scanner in an air-gapped environment where these requests time out (#1185, #982).
The proper solution in my opinion would be to mark analyzers that don't require network access as offline capable and add a separate offline flag that only runs those analyzers (we could start with just excluding the jar analyzer). Happy to contribute this if you agree with this approach!
As more of a workaround solution, we should also exclude programming language analyzers when only running with --vulnType os (and maybe vice-versa exclude OS analyzers when running with --vulnType library?) (list of all analyzers). This is a draft PR to start the discussion for the latter one. If you're happy with this approach I would clean this up and add some tests.
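The selection logic the description sketches, as an added example that models the idea and is not Trivy's own code: each analyzer is tagged with the vuln type it serves and with whether it may reach the network (the JAR analyzer's Maven lookups), and the requested vuln types plus an offline flag decide which analyzers run. The `Analyzer` type, the `registry` sample and `Select` are assumptions for illustration, not Trivy's API.

```go
package main

import "fmt"

// VulnType mirrors the values of --vulnType discussed above ("os", "library").
type VulnType string

const (
	VulnOS      VulnType = "os"
	VulnLibrary VulnType = "library"
)
// Analyzer is a hypothetical model of a Trivy analyzer (not Trivy's own type):
// which vuln type it serves and whether it may reach the network.
type Analyzer struct {
	Name         string
	Serves       VulnType
	NeedsNetwork bool // e.g. the JAR analyzer resolving artifacts from maven.org
}

// registry is a constructed sample; real Trivy registers many more analyzers.
var registry = []Analyzer{
	{Name: "alpine", Serves: VulnOS},
	{Name: "dpkg", Serves: VulnOS},
	{Name: "npm", Serves: VulnLibrary},
	{Name: "jar", Serves: VulnLibrary, NeedsNetwork: true},
}

// Select returns the names of analyzers to run for the requested vuln types.
// With offline set, analyzers that need network access are dropped even when
// their vuln type was requested, so an air-gapped scan cannot hang on maven.org.
func Select(analyzers []Analyzer, vulnTypes []VulnType, offline bool) []string {
	wanted := make(map[VulnType]bool, len(vulnTypes))
	for _, t := range vulnTypes {
		wanted[t] = true
	}
	names := []string{}
	for _, a := range analyzers {
		if !wanted[a.Serves] || (offline && a.NeedsNetwork) {
			continue // skipped: wrong vuln type, or needs network while offline
		}
		names = append(names, a.Name)
	}
	return names
}

func main() {
	fmt.Println(Select(registry, []VulnType{VulnOS}, false))             // [alpine dpkg]
	fmt.Println(Select(registry, []VulnType{VulnOS, VulnLibrary}, true)) // [alpine dpkg npm]
}
```

With `--vulnType os` the jar and npm analyzers are never run, so no outbound request to maven.org is attempted; the offline flag covers the case where library scanning is still wanted but network access is not available.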