refactor(misconf): Merge trivy-iac into Trivy #5636

Closed
wants to merge 7 commits into from

simar7
Member

@simar7 simar7 commented Nov 22, 2023

Description

Merges trivy-iac into Trivy.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@simar7 simar7 self-assigned this Nov 22, 2023
go.mod (review thread: outdated, resolved)
cmd/schema/main.go (review thread: outdated, resolved)
pkg/rego/build.go (review thread: outdated, resolved)
pkg/rules/register.go (review thread: outdated, resolved)
magefiles/magefile.go (review thread: outdated, resolved)
@simar7
Member Author

simar7 commented Nov 29, 2023

@nikpivkin as you mentioned, I removed the packages that exist in defsec today so we can properly make another PR to bring them into Trivy later.

@simar7
Member Author

simar7 commented Nov 29, 2023

@DmitriyLewen the errors in the CI seem unrelated to this PR. Is it because we have to update tinygo version after the bump to Go 1.21?

@DmitriyLewen
Contributor

Hello @simar7
We have not received this error before.

I tried to reproduce your error locally, but tests for your PR work correctly:

➜  trivy git:(merge-trivy-iac-2) ✗ tinygo version
tinygo version 0.29.0 darwin/amd64 (using go version go1.21.4 and LLVM version 15.0.0)

➜  trivy git:(merge-trivy-iac-2) ✗ mage test:module   
...
=== RUN   TestModule
=== RUN   TestModule/spring4shell_jre_8,_severity_update
=== RUN   TestModule/spring4shell_jre_11,_no_severity_update
--- PASS: TestModule (6.04s)
    --- PASS: TestModule/spring4shell_jre_8,_severity_update (2.68s)
    --- PASS: TestModule/spring4shell_jre_11,_no_severity_update (3.20s)
PASS
ok      github.com/aquasecurity/trivy/integration       7.578s

I also pulled changes (bump to 1.21) to my PR - #5630.
Tests are successful.

I see you update/add some dependencies.
Perhaps there is a conflict?

@simar7
Member Author

simar7 commented Nov 30, 2023

> Hello @simar7 We have not received this error before.
>
> I tried to reproduce your error locally, but tests for your PR work correctly:
>
> ➜  trivy git:(merge-trivy-iac-2) ✗ tinygo version
> tinygo version 0.29.0 darwin/amd64 (using go version go1.21.4 and LLVM version 15.0.0)
>
> ➜  trivy git:(merge-trivy-iac-2) ✗ mage test:module
> ...
> === RUN   TestModule
> === RUN   TestModule/spring4shell_jre_8,_severity_update
> === RUN   TestModule/spring4shell_jre_11,_no_severity_update
> --- PASS: TestModule (6.04s)
>     --- PASS: TestModule/spring4shell_jre_8,_severity_update (2.68s)
>     --- PASS: TestModule/spring4shell_jre_11,_no_severity_update (3.20s)
> PASS
> ok      github.com/aquasecurity/trivy/integration       7.578s
>
> I also pulled changes (bump to 1.21) to my PR - #5630. Tests are successful.
>
> I see you update/add some dependencies. Perhaps there is a conflict?

I see - it's strange indeed. I will try to rebase and see what happens. Thanks for looking into it.

@nikpivkin
Contributor

nikpivkin commented Nov 30, 2023

I found the following in the tinygo documentation on the supported packages page:

os/user
The compiler gave the following error when this package was imported:
# os/user
../../../../../../usr/local/go1.20/src/os/user/cgo_lookup_cgo.go:14:6: not implemented: build constraints in #cgo line

But I used go mod graph and couldn't find a package that used that.

Also I get the following error if I disable CGO (which does not happen in main):

CGO_ENABLED=0 go generate pkg/module/testdata/analyzer/analyzer.go
# golang.org/x/sys/unix
../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_linux.go:1893:64: undefined: syscall.Rlimit
../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_linux.go:1898:50: undefined: syscall.Rlimit
../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_linux.go:1898:79: undefined: syscall.Rlimit
../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_unix.go:605:17: undefined: syscall.Setrlimit
../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_unix.go:605:47: undefined: syscall.Rlimit
pkg/module/testdata/analyzer/analyzer.go:1: running "tinygo": exit status 1
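
`go mod graph` prints module-level requirements only, so a standard-library package such as os/user never appears in it; the package-level import graph comes from `go list -deps -json`. The following is an added example (not code from this PR or from Trivy) that finds the shortest import chain from a root package to os/user over that output; the sample data and the example.com package names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// sampleDeps is CONSTRUCTED input shaped like `go list -deps -json`; example.com packages are hypothetical.
const sampleDeps = `{"ImportPath":"os/user","Imports":["os","syscall"]}
{"ImportPath":"example.com/dep/homedir","Imports":["os/user"]}
{"ImportPath":"example.com/dep/config","Imports":["example.com/dep/homedir","strings"]}
{"ImportPath":"example.com/app/module","Imports":["example.com/dep/config","fmt"]}`

// importChain returns the shortest import chain from root to target, or nil if target is unreachable.
func importChain(r io.Reader, root, target string) ([]string, error) {
	imports := map[string][]string{}
	for dec := json.NewDecoder(r); dec.More(); {
		var p struct{ ImportPath string; Imports []string }
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		imports[p.ImportPath] = p.Imports
	}
	parent := map[string]string{root: ""} // BFS predecessor of each visited package
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == target {
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain, nil
		}
		for _, dep := range imports[cur] {
			if _, seen := parent[dep]; !seen {
				parent[dep] = cur
				queue = append(queue, dep)
			}
		}
	}
	return nil, nil
}

func main() {
	chain, err := importChain(strings.NewReader(sampleDeps), "example.com/app/module", "os/user")
	fmt.Println(strings.Join(chain, " -> "), err)
}
```

Real input would come from `go list -deps -json <package>`, run with the same build tags and target as the failing build so that the resolved imports match.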

@simar7
Member Author

simar7 commented Dec 1, 2023

> I found the following in the tinygo documentation on the supported packages page:
>
> os/user
> The compiler gave the following error when this package was imported:
> # os/user
> ../../../../../../usr/local/go1.20/src/os/user/cgo_lookup_cgo.go:14:6: not implemented: build constraints in #cgo line

Interesting find, but we don't use cgo in Trivy. Or is it a dependency of Trivy that does so (maybe tinygo)? We might have to look through the diff of the changed dependencies here.
What do the entries on that page imply? Are they just outputs of tinygo running against certain code?

> But I used go mod graph and couldn't find a package that used that.
>
> Also I get the following error if I disable CGO (which does not happen in main):
>
> CGO_ENABLED=0 go generate pkg/module/testdata/analyzer/analyzer.go
> # golang.org/x/sys/unix
> ../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_linux.go:1893:64: undefined: syscall.Rlimit
> ../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_linux.go:1898:50: undefined: syscall.Rlimit
> ../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_linux.go:1898:79: undefined: syscall.Rlimit
> ../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_unix.go:605:17: undefined: syscall.Setrlimit
> ../../../../../../go/pkg/mod/golang.org/x/sys@v0.14.0/unix/syscall_unix.go:605:47: undefined: syscall.Rlimit
> pkg/module/testdata/analyzer/analyzer.go:1: running "tinygo": exit status 1

Hmm.. I'm also not sure. So far I've tried the following with no success:

  1. Downgrade Trivy version to 1.20
  2. Upgrade tinygo to v0.30.0
  3. Disabling CGO intentionally by passing in CGO_ENABLED=0 as an argument to the mage module test, using sh.RunWith() here. I got this idea from here.

I'm not able to reproduce this issue locally either. I am clearing go test cache between tests via go clean -testcache.

@nikpivkin
Contributor

@simar7 I tried re-migrating trivy-iac and locally all my tests passed. CI failed due to linter issues.

@simar7
Member Author

simar7 commented Dec 1, 2023

> @simar7 I tried re-migrating trivy-iac and locally all my tests passed. CI failed due to linter issues.

Interesting, does that mean it's just the GitHub Actions not working well on this PR? Or are there any differences between your PR and this?

@nikpivkin
Contributor

@simar7 I compared go.mod and didn't seem to notice any difference.

@simar7
Member Author

simar7 commented Dec 4, 2023

Closing in favor of #5692 as this one has something up with the CI actions.

@simar7 simar7 closed this Dec 4, 2023
@knqyf263 knqyf263 deleted the merge-trivy-iac-2 branch May 20, 2024 05:55
Development

Successfully merging this pull request may close these issues.

refactor(misconf): Merging trivy-iac into Trivy
3 participants