Title: Trivy ScanType breaks when scanning anything other than images · Issue #796 · secureCodeBox/secureCodeBox · GitHub
Opengraph URL: https://github.com/secureCodeBox/secureCodeBox/issues/796
Opened by malexmave (https://github.com/malexmave) on 2021-11-06.

## 🐞 Bug report
In addition to scanning docker images, trivy can also scan software repos, filesystems, etc. However, this does not work with the SCB integration due to the way that SCB handles parameters.

### Describe the bug
SecureCodeBox parameterizes the docker container of trivy as follows:
https://github.com/secureCodeBox/secureCodeBox/blob/cdc97324c75ae4c7e646730344420edfebe50b01/scanners/trivy/templates/trivy-scan-type.yaml#L29-L36

When replicated locally, this results in:
```bash
trivy --no-progress --format json --output /home/securecodebox/trivy-results.json $PARAMS
```
(where `$PARAMS` is any additional parameters as specified in the Scan definition).

This works fine for scanning a docker image from the repositories (the default behavior). However, when trying to scan a VCS repo, you need to use `trivy repo $PARAMS...`, when scanning a file system `trivy fs $PARAMS`. Any parameters given before the `repo`, `fs` etc. are silently ignored by trivy. Thus, any ScanSpec that utilizes these modes will effectively strip the `--no-progress --format json --output /home/securecodebox/trivy-results.json` from the command, leading to the parser failing to run properly.

Example Scan to reproduce:
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "trivy-breakage"
spec:
  scanType: "trivy"
  parameters:
    - "repo"
    - "https://github.com/secureCodeBox/secureCodeBox"
```

This will result in the parser failing to find a result, and the pod logs showing the ASCII output of trivy.

### Workaround
You can work around this issue by specifying the missing parameters again in the Scan definition, **after the `fs`/`repo` but before the target** (specifying them after the target will _also_ break the trivy parameter parser, it seems).

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "trivy-breakage"
spec:
  scanType: "trivy"
  parameters:
    - "repo"
    - "--no-progress"
    - "--format"
    - "json"
    - "--output"
    - "/home/securecodebox/trivy-results.json"
    - "https://github.com/secureCodeBox/secureCodeBox"
```

I am not sure if there is anything we can do about this aside from putting a warning into the docs, so I have labelled this as both a bug and a documentation issue. If anyone has an idea, let me know, otherwise I'll update the docs as part of the change introduced in #777.
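The following is an added example and not code from the secureCodeBox project or from trivy. It models the ordering rule the report describes (options before the subcommand, or after the target, are not honoured), reproduces the command line the current template builds, and shows an assumed subcommand-aware variant that puts the SCB flags where the workaround places them by hand. The function names, the `SUBCOMMANDS` set (only `repo` and `fs`, the two the issue names) and the sample image tag are assumptions made for the example.

```python
"""Added example, not secureCodeBox's or trivy's own code.

Models the argument-ordering problem from the issue: trivy ignores options
placed before its subcommand (`repo`, `fs`, ...) or after the target, so the
flags the SCB template prepends are lost. `subcommand_aware_command` shows
one way a template could place them correctly; `scb_flags_effective` checks a
command line against the behaviour the issue describes.
"""
from typing import Dict, List, Union

# Flags and result path taken from the scan-type template quoted in the issue.
RESULT_FILE = "/home/securecodebox/trivy-results.json"
SCB_FLAGS: List[str] = ["--no-progress", "--format", "json", "--output", RESULT_FILE]

# Subcommands named in the issue. Assumption: trivy has further subcommands;
# only the ones the report mentions are modelled here.
SUBCOMMANDS = {"repo", "fs"}

# Options from SCB_FLAGS that consume the following token as their value.
VALUE_FLAGS = {"--format", "--output"}


def current_template_command(params: List[str]) -> List[str]:
    """Command line the existing template produces: SCB flags first, then $PARAMS."""
    return ["trivy", *SCB_FLAGS, *params]


def subcommand_aware_command(params: List[str]) -> List[str]:
    """Assumed fix (not the project's): if the Scan's first parameter is a
    subcommand, emit it first and put the SCB flags right after it, i.e. the
    position the issue's workaround uses by hand."""
    if params and params[0] in SUBCOMMANDS:
        return ["trivy", params[0], *SCB_FLAGS, *params[1:]]
    return ["trivy", *SCB_FLAGS, *params]


def honoured_options(argv: List[str]) -> Dict[str, Union[str, bool]]:
    """Model of the parsing behaviour described in the issue:
    - everything before a subcommand token is ignored,
    - options are read only until the first positional argument (the target).
    Returns the options trivy would actually see under that model."""
    args = argv[1:]  # drop the program name
    for i, tok in enumerate(args):
        if tok in SUBCOMMANDS:
            args = args[i + 1:]
            break
    seen: Dict[str, Union[str, bool]] = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if not tok.startswith("--"):
            break  # target reached; later options are not honoured
        if tok in VALUE_FLAGS:
            if i + 1 >= len(args):
                break  # dangling flag with no value; nothing usable follows
            seen[tok] = args[i + 1]
            i += 2
        else:
            seen[tok] = True
            i += 1
    return seen


def scb_flags_effective(argv: List[str]) -> bool:
    """True if the JSON report would land where the SCB parser expects it."""
    seen = honoured_options(argv)
    return (
        seen.get("--no-progress") is True
        and seen.get("--format") == "json"
        and seen.get("--output") == RESULT_FILE
    )


if __name__ == "__main__":
    # Constructed sample input mirroring the reproducing Scan in the issue.
    repo_params = ["repo", "https://github.com/secureCodeBox/secureCodeBox"]
    for label, argv in [
        ("current template", current_template_command(repo_params)),
        ("subcommand-aware", subcommand_aware_command(repo_params)),
    ]:
        print(f"{label:17s} effective={scb_flags_effective(argv)} :: {' '.join(argv)}")
```

Running the block shows the current template's command line failing the check for the `repo` case while the subcommand-aware variant passes it; the check also confirms the two observations in the report, namely that the workaround's repeated flags are honoured and that the same flags placed after the target are not. The default image case (no subcommand) passes under both templates, which matches the "works fine" behaviour described above.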