feat(filesystem): scan in client/server mode (#1829)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

docs/getting-started/cli/fs.md

@@ -31,5 +31,9 @@ OPTIONS:
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
    --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
    --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --server value                                 server address [$TRIVY_SERVER]
+   --token value                                  for authentication [$TRIVY_TOKEN]
+   --token-header value                           specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
+   --custom-headers value                         custom headers [$TRIVY_CUSTOM_HEADERS]
    --help, -h                                     show help (default: false)
 ```

docs/vulnerability/scanning/filesystem.md

@@ -6,7 +6,8 @@ Scan a local project including language-specific files.
 $ trivy fs /path/to/project
 ```
 
-## Local Project
+## Standalone mode
+### Local Project
 Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
 
 ```
@@ -53,4 +54,50 @@ It's also possible to scan a single file.
 
 ```
 $ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
-```
+```
+
+## Client/Server mode
+You must launch Trivy server in advance. 
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
+```
+
+<details>
+<summary>Result</summary>
+
+```
+pom.xml (pom)
+=============
+Total: 4 (CRITICAL: 4)
+
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485   | CRITICAL | 2.9.1             | 2.8.11, 2.9.4                  | jackson-databind: Unsafe              |
+|                                             |                  |          |                   |                                | deserialization due to                |
+|                                             |                  |          |                   |                                | incomplete black list (incomplete     |
+|                                             |                  |          |                   |                                | fix for CVE-2017-15095)...            |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17485 |
++                                             +------------------+          +                   +--------------------------------+---------------------------------------+
+|                                             | CVE-2020-9546    |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4    | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in shaded-hikari-config       |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9546  |
++                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9547    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in ibatis-sqlmap              |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547  |
++                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in anteros-core               |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
++---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+```
+</details>
+

integration/client_server_test.go

@@ -26,6 +26,8 @@ import (
 )
 
 type csArgs struct {
+	Command           string
+	RemoteAddrOption  string
 	Format            string
 	TemplatePath      string
 	IgnoreUnfixed     bool
@@ -35,6 +37,7 @@ type csArgs struct {
 	ClientToken       string
 	ClientTokenHeader string
 	ListAllPackages   bool
+	Target            string
 }
 
 func TestClientServer(t *testing.T) {
@@ -220,6 +223,15 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+		{
+			name: "scan pox.xml with fs command in client/server mode",
+			args: csArgs{
+				Command:          "fs",
+				RemoteAddrOption: "--server",
+				Target:           "testdata/fixtures/fs/pom/",
+			},
+			golden: "testdata/pom.json.golden",
+		},
 	}
 
 	app, addr, cacheDir := setup(t, setupOptions{})
@@ -525,8 +537,14 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 }
 
 func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
+	if c.Command == "" {
+		c.Command = "client"
+	}
+	if c.RemoteAddrOption == "" {
+		c.RemoteAddrOption = "--remote"
+	}
 	t.Helper()
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr}
+	osArgs := []string{"trivy", "--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
 
 	if c.Format != "" {
 		osArgs = append(osArgs, "--format", c.Format)
@@ -567,6 +585,10 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 
 	osArgs = append(osArgs, "--output", outputFile)
 
+	if c.Target != "" {
+		osArgs = append(osArgs, c.Target)
+	}
+
 	return osArgs, outputFile
 }
 

integration/testdata/almalinux-8.json.golden

@@ -119,4 +119,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/alpine-310.json.golden

@@ -308,4 +308,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/alpine-39-high-critical.json.golden

@@ -128,4 +128,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/alpine-39-ignore-cveids.json.golden

@@ -192,4 +192,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/amazon-1.json.golden

@@ -111,4 +111,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/amazon-2.json.golden

@@ -169,4 +169,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/busybox-with-lockfile.json.golden

@@ -129,4 +129,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/centos-6.json.golden

@@ -196,4 +196,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -217,4 +217,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/centos-7-medium.json.golden

@@ -146,4 +146,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/centos-7.json.golden

@@ -260,4 +260,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/debian-buster-ignore-unfixed.json.golden

@@ -110,4 +110,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/debian-buster.json.golden

@@ -158,4 +158,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/debian-stretch.json.golden

@@ -335,4 +335,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/distroless-base.json.golden

@@ -345,4 +345,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/distroless-python27.json.golden

@@ -362,4 +362,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/mariner-1.0.json.golden

@@ -113,4 +113,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/opensuse-leap-151.json.golden

@@ -109,4 +109,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/oraclelinux-8-slim.json.golden

@@ -177,4 +177,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/photon-30.json.golden

@@ -226,4 +226,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/rockylinux-8.json.golden

@@ -124,4 +124,4 @@
       "Type": "python-pkg"
     }
   ]
-}
+}

integration/testdata/ubi-7.json.golden

@@ -121,4 +121,4 @@
       ]
     }
   ]
-}
+}

integration/testdata/ubuntu-1804.json.golden

@@ -341,4 +341,4 @@
       ]
     }
   ]
-}
+}

pkg/cache/nop.go

@@ -0,0 +1,16 @@
+package cache
+
+import "github.com/aquasecurity/fanal/cache"
+
+func NopCache(ac cache.ArtifactCache) cache.Cache {
+	return nopCache{ArtifactCache: ac}
+}
+
+type nopCache struct {
+	cache.ArtifactCache
+	cache.LocalArtifactCache
+}
+
+func (nopCache) Close() error {
+	return nil
+}

pkg/cache/remote.go

@@ -31,7 +31,6 @@ func NewRemoteCache(url string, customHeaders http.Header, insecure bool) cache.
 			},
 		},
 	}
-
 	c := rpcCache.NewCacheProtobufClient(url, httpClient)
 	return &RemoteCache{ctx: ctx, client: c}
 }