Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(secret): Consider secrets in rpc calls #2753

Merged
merged 5 commits into from
Aug 25, 2022
Merged

fix(secret): Consider secrets in rpc calls #2753

merged 5 commits into from
Aug 25, 2022

Conversation

ankk13
Copy link
Contributor

@ankk13 ankk13 commented Aug 22, 2022

Description

Currently secrets stored as part for blobInfo are dropped when putblob is done via remote cache.
The final server scan response as well drops Secrets if any.
This Pull Request, adds support to Secrets field for RPC calls

The change for pkg/rpc/client/client.go is needed as scanner/service.proto changes were not in sync.

Related issues

  • Close #XXX

Related PRs

  • #XXX
  • #YYY

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@ankk13 ankk13 requested a review from knqyf263 as a code owner August 22, 2022 04:21
@knqyf263
Copy link
Collaborator

knqyf263 commented Aug 23, 2022
edited
Loading

I tested this PR, but didn't see secrets in client/server mode. I didn't take a deeper look though. Could you add a test here so that we can confirm secret scanning works in client/server mode as well?
https://github.com/aquasecurity/trivy/blob/main/integration/client_server_test.go

You can put dummy secrets under testdata and detect them in fs scanning.

trivy/integration/client_server_test.go

Lines 232 to 240 in da6f1b6

{
name: "scan pox.xml with fs command in client/server mode",
args: csArgs{
Command: "fs",
RemoteAddrOption: "--server",
Target: "testdata/fixtures/fs/pom/",
},
golden: "testdata/pom.json.golden",
},

knqyf263
knqyf263 reviewed Aug 23, 2022
View reviewed changes
integration/client_server_test.go Outdated
RemoteAddrOption: "--server",
Target: "testdata/fixtures/fs/secrets/",
},
golden: "testdata/secrets-rpc.json.golden",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use the same golden file? We need to make sure the results are the same between standalone mode and client/server mode. For example, we use the same golden files for image scanning.

trivy/integration/client_server_test.go

Lines 49 to 55 in 85ca86c

{
name: "alpine 3.9",
args: csArgs{
Input: "testdata/fixtures/images/alpine-39.tar.gz",
},
golden: "testdata/alpine-39.json.golden",
},

knqyf263
knqyf263 reviewed Aug 24, 2022
View reviewed changes
integration/testdata/secrets.json.golden Outdated
]
},
{
"Target": "sample.pem",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have any specific reason to add this key? This test case already has GitHub PAT and AWS access keys. Aren't they enough?

@knqyf263 knqyf263 merged commit d8d8e62 into aquasecurity:main Aug 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ankk13 @knqyf263