bug(conan): file filters for conan lock no longer working #6946

Closed
2 tasks done
DmitriyLewen opened this issue Jun 17, 2024 Discussed in #6942 · 3 comments · Fixed by #6949
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning target/repository Issues relating to VCS repository scanning

Comments

@DmitriyLewen (Contributor)

Discussed in #6942

Originally posted by bruchar1 June 14, 2024

Description

My conan.lock files have names like debug.lock or release.lock. I use the following config:

```yaml
scan:
  file-patterns:
    - conan-lock:.*\.lock$
```

It works with Trivy 0.50.x, but not with 0.51.x or 0.52.x. On those versions, only lock files named conan.lock are detected.

Desired Behavior

Conan lock files with names different from conan.lock should be scanned

Actual Behavior

Only conan.lock files are scanned

Reproduction Steps

1. Use the config described above
2. Run `trivy repo .` on a repository containing conan (v1) lock files with different names (e.g. `debug.lock`, `release.lock`)

Target

Git Repository

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

(in a repo containing only one file: base.lock)

```
$ trivy.exe repo . --debug
2024/06/14 13:53:20 INFO Loaded file_path=trivy.yaml
2024-06-14T13:53:20-04:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-14T13:53:20-04:00       DEBUG   Ignore statuses statuses=[]
2024-06-14T13:53:20-04:00       DEBUG   Cache dir       dir="C:\\Users\\charles.brunet\\AppData\\Local\\trivy"
2024-06-14T13:53:20-04:00       DEBUG   DB update was skipped because the local DB is the latest
2024-06-14T13:53:20-04:00       DEBUG   DB info schema=2 updated_at=2024-06-14T12:12:23.195463377Z next_update=2024-06-14T18:12:23.195463016Z downloaded_at=2024-06-14T13:38:29.6233946Z
2024-06-14T13:53:20-04:00       INFO    Vulnerability scanning is enabled
2024-06-14T13:53:20-04:00       DEBUG   Vulnerability type      type=[library]
2024-06-14T13:53:20-04:00       INFO    Secret scanning is enabled
2024-06-14T13:53:20-04:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:53:20-04:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:53:20-04:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-14T13:53:20-04:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-06-14T13:53:21-04:00       DEBUG   OS is not detected.
2024-06-14T13:53:21-04:00       INFO    Number of language-specific files       num=0

$ mv base.lock conan.lock

$ trivy.exe repo . --debug
2024/06/14 13:57:49 INFO Loaded file_path=trivy.yaml
2024-06-14T13:57:49-04:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-14T13:57:49-04:00       DEBUG   Ignore statuses statuses=[]
2024-06-14T13:57:49-04:00       DEBUG   Cache dir       dir="C:\\Users\\charles.brunet\\AppData\\Local\\trivy"
2024-06-14T13:57:49-04:00       DEBUG   DB update was skipped because the local DB is the latest
2024-06-14T13:57:49-04:00       DEBUG   DB info schema=2 updated_at=2024-06-14T12:12:23.195463377Z next_update=2024-06-14T18:12:23.195463016Z downloaded_at=2024-06-14T17:57:36.7072649Z
2024-06-14T13:57:49-04:00       INFO    Vulnerability scanning is enabled
2024-06-14T13:57:49-04:00       DEBUG   Vulnerability type      type=[library]
2024-06-14T13:57:49-04:00       INFO    Secret scanning is enabled
2024-06-14T13:57:49-04:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:57:49-04:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:57:49-04:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-14T13:57:49-04:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-06-14T13:57:50-04:00       DEBUG   [conan] Handling conan lockfile as v1.x
2024-06-14T13:57:50-04:00       DEBUG   OS is not detected.
2024-06-14T13:57:50-04:00       INFO    Number of language-specific files       num=1
2024-06-14T13:57:50-04:00       INFO    [conan] Detecting vulnerabilities...
2024-06-14T13:57:50-04:00       DEBUG   [conan] Scanning packages for vulnerabilities   file_path="conan.lock"

conan.lock (conan)
==================
Total: 14 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 6, CRITICAL: 1)
...
```

Operating System

Windows (and also Linux docker)

Version

```
$ trivy.exe --version
2024/06/14 13:55:00 INFO Loaded file_path=trivy.yaml
Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-14 12:12:23.195463377 +0000 UTC
  NextUpdate: 2024-06-14 18:12:23.195463016 +0000 UTC
  DownloadedAt: 2024-06-14 13:38:29.6233946 +0000 UTC
```

Checklist

@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning target/repository Issues relating to VCS repository scanning labels Jun 17, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jun 17, 2024
@DmitriyLewen DmitriyLewen changed the title File filters for conan lock no longer working bug(c): file filters for conan lock no longer working Jun 17, 2024
@DmitriyLewen DmitriyLewen changed the title bug(c): file filters for conan lock no longer working bug(conan): file filters for conan lock no longer working Jun 17, 2024
@knqyf263 (Collaborator)

Actually, --file-patterns doesn't work with most post-analyzers now as --file-patterns is not taken into account in post-analyzers. We also need to fix it.

e.g.

```go
// The post-analyzer's required check compares only the fixed base name,
// so a user-configured --file-patterns entry is never consulted.
required := func(path string, _ fs.DirEntry) bool {
	return filepath.Base(path) == types.NpmPkgLock
}
```
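The two behaviours discussed above, side by side, as an added example (it is not Trivy's code). `RequiredByBaseName` is the base-name-only check quoted in the comment; `FilePatterns.Required` is a hardened variant that also honours entries in the `analyzer:regex` form shown in the issue's config (`conan-lock:.*\.lock$`). The default file-name table and the choice to match patterns against the slash-separated path are assumptions of this example, not something the page describes:

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Default file names analyzers look for. Only the conan and npm names appear on
// the page; the table itself is an assumption made for this example.
var defaultFileNames = map[string]string{
	"conan-lock": "conan.lock",
	"npm":        "package-lock.json",
}

// FilePatterns maps an analyzer name to the regular expressions configured for
// it, i.e. the parsed form of entries like "conan-lock:.*\.lock$".
type FilePatterns map[string][]*regexp.Regexp

// ParseFilePatterns parses "analyzer:regex" entries and rejects malformed ones
// early, so a typo in the config surfaces as an error instead of silently
// matching nothing.
func ParseFilePatterns(entries []string) (FilePatterns, error) {
	fp := make(FilePatterns)
	for _, e := range entries {
		name, expr, ok := strings.Cut(e, ":")
		if !ok || name == "" || expr == "" {
			return nil, fmt.Errorf("invalid file pattern %q: expected analyzer:regex", e)
		}
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, fmt.Errorf("invalid regexp in file pattern %q: %w", e, err)
		}
		fp[name] = append(fp[name], re)
	}
	return fp, nil
}

// RequiredByBaseName is the behaviour the issue reports: a file is picked up
// only when its base name equals the analyzer's default name, so configured
// patterns have no effect and debug.lock / release.lock are skipped.
func RequiredByBaseName(analyzer, path string) bool {
	return filepath.Base(path) == defaultFileNames[analyzer]
}

// Required keeps the default-name match and additionally accepts any path that
// matches a configured pattern for this analyzer. Matching against the
// slash-separated path (assumption of this example) lets patterns anchor on
// directories as well as file names.
func (fp FilePatterns) Required(analyzer, path string) bool {
	if RequiredByBaseName(analyzer, path) {
		return true
	}
	p := filepath.ToSlash(path)
	for _, re := range fp[analyzer] {
		if re.MatchString(p) {
			return true
		}
	}
	return false
}

func main() {
	fp, err := ParseFilePatterns([]string{`conan-lock:.*\.lock$`})
	if err != nil {
		panic(err)
	}
	// Constructed sample paths, including a near miss (conan.lock.bak).
	for _, path := range []string{"conan.lock", "build/debug.lock", "release.lock", "conan.lock.bak", "README.md"} {
		fmt.Printf("%-18s base-name-only=%-5v with-patterns=%v\n",
			path, RequiredByBaseName("conan-lock", path), fp.Required("conan-lock", path))
	}
}
```

Running it shows `debug.lock` and `release.lock` rejected by the base-name check and accepted once the pattern is consulted, while `conan.lock.bak` stays rejected by both, which is the check a reviewer would want before trusting a broadened matcher.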

@DmitriyLewen (Contributor, Author)

DmitriyLewen commented Jun 19, 2024

I thought about it.
But other post-analyzers use immutable file names (for example, npm always uses the file name package-lock.json).
conan supports a flag to set the filename.
Also mix has the same option (but we use analyzer for mix).

But anyway we need to update our logic.
I created #6962 for that.

UPD:
I think we can merge fix for conan now.
To fix file-patterns we will create separate PR.

@knqyf263 (Collaborator)

knqyf263 commented Jun 19, 2024

> I think we can merge fix for conan now.
> To fix file-patterns we will create separate PR.

Yes, I'll review and merge #6949 first.
