Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions cmd/scanner/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ type globalConfig struct {
var (
globalCfgLock sync.RWMutex
globalCfg globalConfig
parsingCaps *share.ParsingCaps
parsingCapsMu sync.RWMutex
)

func getGlobalConfig() globalConfig {
Expand All @@ -55,6 +57,20 @@ func setGlobalConfig(input globalConfig) {
globalCfg = input
}

func getParsingCaps() *share.ParsingCaps {
parsingCapsMu.RLock()
defer parsingCapsMu.RUnlock()

return parsingCaps
}

func setParsingCaps(caps *share.ParsingCaps) {
parsingCapsMu.Lock()
defer parsingCapsMu.Unlock()

parsingCaps = caps
}

const taskerPath = "/usr/local/bin/scannerTask"
const registerWaitTime = time.Duration(time.Second * 10)
const dockerSocket = "unix:///var/run/docker.sock"
Expand Down
13 changes: 8 additions & 5 deletions cmd/scanner/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ func (rs *rpcService) ScanRunning(ctx context.Context, req *share.ScanRunningReq
if scanTasker != nil {
sr, err = scanTasker.Run(ctx, *data)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", getParsingCaps())
sr, err = cveTools.ScanImageData(data)
}

Expand All @@ -121,7 +121,7 @@ func (rs *rpcService) ScanImageData(ctx context.Context, data *share.ScanData) (
if scanTasker != nil {
sr, err = scanTasker.Run(ctx, *data)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", getParsingCaps())
sr, err = cveTools.ScanImageData(data)
}

Expand All @@ -146,7 +146,7 @@ func (rs *rpcService) ScanImage(ctx context.Context, req *share.ScanImageRequest
if scanTasker != nil {
sr, err = scanTasker.Run(ctx, *req)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", getParsingCaps())
sr, err = cveTools.ScanImage(ctx, req, "")
}

Expand All @@ -162,7 +162,7 @@ func (rs *rpcService) ScanAppPackage(ctx context.Context, req *share.ScanAppRequ
if scanTasker != nil {
sr, err = scanTasker.Run(ctx, *req)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", getParsingCaps())
sr, err = cveTools.ScanAppPackage(req, "")
}

Expand All @@ -178,7 +178,7 @@ func (rs *rpcService) ScanAwsLambda(ctx context.Context, req *share.ScanAwsLambd
if scanTasker != nil {
sr, err = scanTasker.Run(ctx, *req)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", getParsingCaps())
sr, err = cveTools.ScanAwsLambda(req, "")
}

Expand Down Expand Up @@ -529,10 +529,13 @@ func scannerRegister(joinIP string, joinPort uint16, data *share.ScannerRegister
}
// Server is old and doesn't implement GetCaps — treat as no capabilities.
isGetCapsActivate = false
ctrlCaps = share.ControllerCaps{}
setParsingCaps(nil)
} else {
isGetCapsActivate = true
log.WithField("cap", caps).Info("controller capabilities")
ctrlCaps = *caps
setParsingCaps(caps.GetParsingCaps())
}

haveControllerSetting := false
Expand Down
16 changes: 12 additions & 4 deletions cmd/scanner/standalone.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,12 @@ type scanOnDemandReportData struct {
Report *api.RESTScanRepoReport `json:"report"`
}

func getStandaloneParsingCaps() *share.ParsingCaps {
return &share.ParsingCaps{
JarAutoModuleName: true,
}
}

func parseImageValue(value string) (string, string, string) {
var parts []string
var proto, registry, repository, ref string // ref can be a tag or digest.
Expand Down Expand Up @@ -266,14 +272,15 @@ func writeResultToStdout(result *share.ScanResult, showOptions string, capCritic

func scanRunning(pid int, cvedb map[string]*share.ScanVulnerability, showOptions string, capCritical bool) {
lookup := scanUtils.CVEDBMapLookup{M: cvedb}
parsingCaps := getStandaloneParsingCaps()

sys := system.NewSystemTools()
sysInfo := sys.GetSystemInfo()
scanUtil := scanUtils.NewScanUtil(sys)
cveTools := cvetools.NewScanTools("", sys, nil, "")
cveTools := cvetools.NewScanTools("", sys, nil, "", parsingCaps)

var data share.ScanData
data.Buffer, data.Error = scanUtil.GetRunningPackages("1", share.ScanObjectType_HOST, pid, sysInfo.Kernel.Release, "", false)
data.Buffer, data.Error = scanUtil.GetRunningPackages("1", share.ScanObjectType_HOST, pid, sysInfo.Kernel.Release, "", false, parsingCaps)
if data.Error != share.ScanErrorCode_ScanErrNone {
log.WithFields(log.Fields{"pid": pid, "error": data.Error}).Error("Failed to get the packages")
return
Expand Down Expand Up @@ -332,6 +339,7 @@ func scanOnDemand(req *share.ScanImageRequest, cvedb map[string]*share.ScanVulne
var err error

lookup := scanUtils.CVEDBMapLookup{M: cvedb}
parsingCaps := getStandaloneParsingCaps()
req.Registry, err = normalizeRegistry(req.Registry)
if err != nil {
log.WithFields(log.Fields{"registry": req.Registry, "error": err}).Error("Failed to normalize registry")
Expand All @@ -348,7 +356,7 @@ func scanOnDemand(req *share.ScanImageRequest, cvedb map[string]*share.ScanVulne
if scanTasker != nil {
result, err = scanTasker.Run(ctx, *req)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", parsingCaps)
result, err = cveTools.ScanImage(ctx, req, "")
}
cancel()
Expand All @@ -369,7 +377,7 @@ func scanOnDemand(req *share.ScanImageRequest, cvedb map[string]*share.ScanVulne
if scanTasker != nil {
result, err = scanTasker.Run(ctx, *req)
} else {
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "")
cveTools := cvetools.NewScanTools("", system.NewSystemTools(), nil, "", parsingCaps)
result, err = cveTools.ScanImage(ctx, req, "")
}
cancel()
Expand Down
4 changes: 4 additions & 0 deletions cmd/scanner/tasker.go
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,10 @@ func (ts *Tasker) putInputFile(request interface{}) (string, []string, error) {
args = append(args, "-x")
}

if caps := getParsingCaps(); caps != nil && caps.GetJarAutoModuleName() {
args = append(args, "--enable-jar-auto-module-name")
}

cfg := getGlobalConfig()
cacerts := ""

Expand Down
7 changes: 4 additions & 3 deletions cvetools/cvesearch.go
Original file line number Diff line number Diff line change
Expand Up @@ -106,14 +106,15 @@ var matchKubenetesModeules map[string]bool = map[string]bool{ // should expand i
"ingress-nginx": true,
}

func NewScanTools(rtSock string, sys *system.SystemTools, layerCacher *ImageLayerCacher, mFile string) *ScanTools {
func NewScanTools(rtSock string, sys *system.SystemTools, layerCacher *ImageLayerCacher, mFile string, parsingCaps *share.ParsingCaps) *ScanTools {
cveDB := common.NewCveDB()
return &ScanTools{
CveDB: *cveDB,
RtSock: rtSock,
sys: sys,
LayerCacher: layerCacher,
modulesFile: mFile,
parsingCaps: parsingCaps,
}
}

Expand Down Expand Up @@ -165,7 +166,7 @@ func (cv *ScanTools) ScanImageData(data *share.ScanData) (*share.ScanResult, err
}
}

appPkgs := scan.NewScanApps(true).DerivePkg(pkgs)
appPkgs := scan.NewScanApps(true, cv.parsingCaps).DerivePkg(pkgs)
if k8sAppString != "" {
log.WithFields(log.Fields{"k8sAppRes": k8sAppString}).Debug()
// append k8s repo into the appPkgs
Expand Down Expand Up @@ -375,7 +376,7 @@ func (cv *ScanTools) ScanImage(ctx context.Context, req *share.ScanImageRequest,
}

// There is a download timeout inside this function
layerRecords, errCode = DownloadRemoteImage(ctx, rc, req.Repository, imgPath, info.Layers, info.Sizes, cv.LayerCacher)
layerRecords, errCode = DownloadRemoteImage(ctx, rc, req.Repository, imgPath, info.Layers, info.Sizes, cv.LayerCacher, cv.parsingCaps)
if errCode != share.ScanErrorCode_ScanErrNone {
result.Error = errCode
return result, nil
Expand Down
9 changes: 5 additions & 4 deletions cvetools/image.go
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ func (s *ScanTools) LoadLocalImage(ctx context.Context, repository, tag, imgPath

log.WithFields(log.Fields{"imageName": imageName, "downloads": downloads}).Debug()

layerModules, errCode := getImageLayerIterate(ctx, downloads, nil, imgPath,
layerModules, errCode := getImageLayerIterate(ctx, downloads, nil, imgPath, nil,
func(ctx context.Context, layer string) (interface{}, int64, error) {
blob := blobs[layer]
file, err := os.Open(filepath.Join(repoFolder, blob))
Expand Down Expand Up @@ -423,6 +423,7 @@ func getApkPackages(fullpath string) ([]byte, error) {

func getImageLayerIterate(
ctx context.Context, layers []string, sizes map[string]int64, imgPath string,
parsingCaps *share.ParsingCaps,
layerReader func(ctx context.Context, layer string) (interface{}, int64, error),
) (map[string]*LayerFiles, share.ScanErrorCode) { // layer -> filename -> file content
lfs := make(map[string]*LayerFiles)
Expand Down Expand Up @@ -469,7 +470,7 @@ func getImageLayerIterate(

// for file content
curLayerFiles := make(map[string][]byte)
curLayerApps := scan.NewScanApps(true)
curLayerApps := scan.NewScanApps(true, parsingCaps)
for filename, fullpath := range pathMap {
var data []byte
if scan.RPMPkgFiles.Contains(filename) {
Expand Down Expand Up @@ -721,7 +722,7 @@ func collectLayerRawRecord(imgPath string, downloads []string) (map[string][]sha
return secretLogs, setidPermLogs, fmap, removed
}

func DownloadRemoteImage(ctx context.Context, rc *scan.RegClient, name, imgPath string, layers []string, sizes map[string]int64, cacher *ImageLayerCacher) (map[string]*LayerRecord, share.ScanErrorCode) {
func DownloadRemoteImage(ctx context.Context, rc *scan.RegClient, name, imgPath string, layers []string, sizes map[string]int64, cacher *ImageLayerCacher, parsingCaps *share.ParsingCaps) (map[string]*LayerRecord, share.ScanErrorCode) {
var downloads []string // download layer requests
var total_downloaded int64

Expand Down Expand Up @@ -752,7 +753,7 @@ func DownloadRemoteImage(ctx context.Context, rc *scan.RegClient, name, imgPath

log.WithFields(log.Fields{"downloads": downloads}).Debug()
// scheme is always set to v1 because layers of v2 image have been reversed in GetImageInfo.
layerModules, err := getImageLayerIterate(ctx, downloads, sizes, imgPath, func(ctx context.Context, layer string) (interface{}, int64, error) {
layerModules, err := getImageLayerIterate(ctx, downloads, sizes, imgPath, parsingCaps, func(ctx context.Context, layer string) (interface{}, int64, error) {
return downloadRemoteLayer(ctx, rc, name, goDigest.Digest(layer))
})

Expand Down
2 changes: 2 additions & 0 deletions cvetools/types.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package cvetools

import (
"github.com/neuvector/neuvector/share"
"github.com/neuvector/neuvector/share/system"
"github.com/neuvector/neuvector/share/utils"
"github.com/neuvector/scanner/common"
Expand All @@ -27,6 +28,7 @@ type ScanTools struct {
sys *system.SystemTools
LayerCacher *ImageLayerCacher
modulesFile string
parsingCaps *share.ParsingCaps
}

type vulShortReport struct {
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ go 1.26.4

replace k8s.io/cri-api => k8s.io/cri-api v0.25.16

replace github.com/neuvector/neuvector => ../neuvector

require (
github.com/containerd/errdefs v1.0.0
github.com/google/go-containerregistry v0.21.6
Expand Down
2 changes: 0 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -446,8 +446,6 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A=
github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=
github.com/neuvector/neuvector v0.0.0-20260707174923-4c5fd44d0c6d h1:pagbqr7eqQo/yzQu7k58t1FV2EjGtIFI8jjdcC18xGQ=
github.com/neuvector/neuvector v0.0.0-20260707174923-4c5fd44d0c6d/go.mod h1:DGaffOc4/QjpGWGf7mbspcCxhh5EWJXLV2Qhn3+uPgg=
github.com/neuvector/neuvector/controller/k8sapi v1.0.0 h1:Zn4yQQtHc2uuPHA+uSaBe3bn8gADo8LqM9BzrT7pqOU=
github.com/neuvector/neuvector/controller/k8sapi v1.0.0/go.mod h1:McwcXqmrfjN41Y5ETg3Bjfe8DfCp8KHrZjF5DhVLRuk=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
Expand Down
8 changes: 7 additions & 1 deletion task/scannerTask.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ func main() {
modulefile := flag.String("m", "", "modules json name") // debug: modules for reg type
rtSock := flag.String("u", "", "Container socket URL") // used for scan local image
maxCacherRecordSize := flag.Int64("maxrec", 0, "maximum layer cacher size in MB") // common.MaxRecordCacherSizeMB
jarAutoModuleName := flag.Bool("enable-jar-auto-module-name", false, "enable parsing Automatic-Module-Name from jar manifests")
tlsVerification := flag.Bool("enable-tls-verification", false, "enable tls verification")
cacerts := flag.String("cacerts", "", "the path of cacerts file")
verbose := flag.Bool("x", false, "more debug")
Expand Down Expand Up @@ -141,7 +142,12 @@ func main() {
defer layerCacher.LeaveLayerCacher()
}

cveTools = cvetools.NewScanTools(*rtSock, system.NewSystemTools(), layerCacher, *modulefile)
var parsingCaps *share.ParsingCaps
if *jarAutoModuleName {
parsingCaps = &share.ParsingCaps{JarAutoModuleName: true}
}

cveTools = cvetools.NewScanTools(*rtSock, system.NewSystemTools(), layerCacher, *modulefile, parsingCaps)
common.InitDebugFilters("")

// create an imgPath from the input file
Expand Down
1 change: 1 addition & 0 deletions vendor/github.com/neuvector/neuvector/share/common.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading