From d8bce94d8c46601eb0810c7bb2d2e9423f0c195d Mon Sep 17 00:00:00 2001
From: MaineK00n
Date: Fri, 24 May 2024 19:08:38 +0900
Subject: [PATCH] chore(deps): use aws-sdk-go-v2 (#1922)
---
 config/awsconf.go | 22 +++++++++++-
 go.mod | 28 ++++++++------
 go.sum | 52 +++++++++++++++------------
 reporter/s3.go | 92 +++++++++++++++++++++++------------------------
 saas/saas.go | 37 +++++++++----------
 subcmds/report.go | 8 +++--
 6 files changed, 136 insertions(+), 103 deletions(-)
diff --git a/config/awsconf.go b/config/awsconf.go
index 37ce5b695e..2b2d484d8b 100644
--- a/config/awsconf.go
+++ b/config/awsconf.go
@@ -1,5 +1,13 @@
 package config
+import (
+ "fmt"
+ "slices"
+
+ "github.com/aws/aws-sdk-go-v2/service/s3"
+ "github.com/aws/aws-sdk-go-v2/service/s3/types"
+)
+
 // AWSConf is aws config
 type AWSConf struct {
 // AWS profile to use
@@ -17,14 +25,26 @@ type AWSConf struct {
 // The Server-side encryption algorithm used when storing the reports in S3 (e.g., AES256, aws:kms).
 S3ServerSideEncryption string `json:"s3ServerSideEncryption"`
+ // report s3 enable
 Enabled bool `toml:"-" json:"-"`
 }
 // Validate configuration
 func (c *AWSConf) Validate() (errs []error) {
- // TODO
 if !c.Enabled {
 return
 }
+
+ if c.S3Bucket == "" {
+ errs = append(errs, fmt.Errorf("S3Bucket is empty"))
+
+ }
+
+ if c.S3ServerSideEncryption != "" {
+ if !slices.Contains(s3.PutObjectInput{}.ServerSideEncryption.Values(), types.ServerSideEncryption(c.S3ServerSideEncryption)) {
+ errs = append(errs, fmt.Errorf("S3ServerSideEncryption: %s is not supported server side encryption type", c.S3ServerSideEncryption))
+ }
+ }
+
 return
 }
diff --git a/go.mod b/go.mod
index 877a389353..07628fe409 100644
--- a/go.mod
+++ b/go.mod
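Review bot: The enum check in Validate pulls the whole `service/s3` package into the config package only to reach `Values()`, which is a method of the enum type itself; `types.ServerSideEncryption("").Values()` returns the same list and lets the `service/s3` import go, e.g. `if !slices.Contains(types.ServerSideEncryption("").Values(), types.ServerSideEncryption(c.S3ServerSideEncryption)) {`. The stray blank line before the closing brace of the `S3Bucket == ""` block should be dropped, and `fmt.Errorf` with no format verbs reads better as `errors.New("S3Bucket is empty")`. The new `Enabled` comment `// report s3 enable` says little; something like `// Enabled is set by the report subcommand when S3 output is requested; Validate is a no-op otherwise.` tells the reader why the early return exists (confirm the setter, it is outside this patch).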
@@ -14,7 +14,11 @@ require (
 github.com/aquasecurity/trivy-db v0.0.0-20240425111931-1fe1d505d3ff
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
- github.com/aws/aws-sdk-go v1.53.0
+ github.com/aws/aws-sdk-go-v2 v1.27.0
+ github.com/aws/aws-sdk-go-v2/config v1.27.15
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.15
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.54.2
+ github.com/aws/aws-sdk-go-v2/service/sts v1.28.9
 github.com/c-robinson/iplib v1.0.8
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/d4l3k/messagediff v1.2.2-0.20190829033028-7e0a312ae40b
@@ -107,20 +111,20 @@ require (
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
 github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e // indirect
- github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+ github.com/aws/aws-sdk-go v1.53.0 // indirect
+ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
- github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.20.8 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.2 // indirect
github.com/aws/smithy-go v1.20.2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
diff --git a/go.sum b/go.sum
index e43b18d5d6..5124fc4c49 100644
--- a/go.sum
+++ b/go.sum
@@ -325,34 +325,42 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.53.0 h1:MMo1x1ggPPxDfHMXJnQudTbGXYlD4UigUAud1DJxPVo= github.com/aws/aws-sdk-go v1.53.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= -github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= -github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= -github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= -github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= -github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= +github.com/aws/aws-sdk-go-v2 v1.27.0 h1:7bZWKoXhzI+mMR/HjdMx8ZCC5+6fY0lS5tr0bbgiLlo= +github.com/aws/aws-sdk-go-v2 v1.27.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod 
h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg= +github.com/aws/aws-sdk-go-v2/config v1.27.15 h1:uNnGLZ+DutuNEkuPh6fwqK7LpEiPmzb7MIMA1mNWEUc= +github.com/aws/aws-sdk-go-v2/config v1.27.15/go.mod h1:7j7Kxx9/7kTmL7z4LlhwQe63MYEE5vkVV6nWg4ZAI8M= +github.com/aws/aws-sdk-go-v2/credentials v1.17.15 h1:YDexlvDRCA8ems2T5IP1xkMtOZ1uLJOCJdTr0igs5zo= +github.com/aws/aws-sdk-go-v2/credentials v1.17.15/go.mod h1:vxHggqW6hFNaeNC0WyXS3VdyjcV0a4KMUY4dKJ96buU= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 h1:dQLK4TjtnlRGb0czOht2CevZ5l6RSyRWAnKeGd7VAFE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3/go.mod h1:TL79f2P6+8Q7dTsILpiVST+AL9lkF6PPGI167Ny0Cjw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 h1:lf/8VTF2cM+N4SLzaYJERKEWAXq8MOMpZfU6wEPWsPk= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7/go.mod h1:4SjkU7QiqK2M9oozyMzfZ/23LmUY+h3oFqhdeP5OMiI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 h1:4OYVp0705xu8yjdyoWix0r9wPIRXnIzzOoUpQVHIJ/g= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7/go.mod h1:vd7ESTEvI76T2Na050gODNmNU7+OyKrIKroYTu4ABiI= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7 h1:/FUtT3xsoHO3cfh+I/kCbcMCN98QZRsiFet/V8QkWSs= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7/go.mod h1:MaCAgWpGooQoCWZnMur97rGn5dp350w2+CeiV5406wE= github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 h1:Qr9W21mzWT3RhfYn9iAux7CeRIdbnTAqmiOlASqQgZI= github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4/go.mod h1:if7ybzzjOmDB8pat9FE35AHTY6ZxlYSy3YviSmFZv8c= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= 
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= -github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc= -github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9 h1:UXqEWQI0n+q0QixzU0yUUQBZXRd5037qdInTIHFTl98= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9/go.mod h1:xP6Gq6fzGZT8w/ZN+XvGMZ2RU1LeEs7b2yUP5DN8NY4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 h1:Wx0rlZoEJR7JwlSZcHnEa7CNjrSIyVxMFWGAaXy4fJY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9/go.mod h1:aVMHdE0aHO3v+f/iw01fmXV/5DbfQ3Bi9nN7nd9bE9Y= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7 h1:uO5XR6QGBcmPyo2gxofYJLFkcVQ4izOoGDNenlZhTEk= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7/go.mod h1:feeeAYfAcwTReM6vbwjEyDmiGho+YgBhaFULuXDW8kc= +github.com/aws/aws-sdk-go-v2/service/s3 v1.54.2 h1:gYSJhNiOF6J9xaYxu2NFNstoiNELwt0T9w29FxSfN+Y= +github.com/aws/aws-sdk-go-v2/service/s3 v1.54.2/go.mod h1:739CllldowZiPPsDFcJHNF4FXrVxaSGVnZ9Ez9Iz9hc= 
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.8 h1:Kv1hwNG6jHC/sxMTe5saMjH6t6ZLkgfvVxyEjfWL1ks=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.8/go.mod h1:c1qtZUWtygI6ZdvKppzCSXsDOq5I4luJPZ0Ud3juFCA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.2 h1:nWBZ1xHCF+A7vv9sDzJOq4NWIdzFYm0kH7Pr4OjHYsQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.2/go.mod h1:9lmoVDVLz/yUZwLaQ676TK02fhCu4+PgRSmMaKR1ozk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.9 h1:Qp6Boy0cGDloOE3zI6XhNLNZgjNS8YmiFQFHe71SaW0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.9/go.mod h1:0Aqn1MnEuitqfsCNyKsdKLhDUOr4txD/g19EfiUqgws=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
 github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
diff --git a/reporter/s3.go b/reporter/s3.go
index e0d3b5145a..1eb027a660 100644
--- a/reporter/s3.go
+++ b/reporter/s3.go
@@ -2,17 +2,18 @@ package reporter
 import (
 "bytes"
+ "context"
 "encoding/json"
+ "errors"
 "fmt"
 "path"
+ "slices"
 "time"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/credentials"
- "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
- "github.com/aws/aws-sdk-go/aws/ec2metadata"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ awsConfig "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/service/s3"
+ "github.com/aws/aws-sdk-go-v2/service/s3/types"
 "golang.org/x/xerrors"
 "github.com/future-architect/vuls/config"
@@ -30,28 +31,23 @@ type S3Writer struct {
 config.AWSConf
 }
-func (w S3Writer) getS3() (*s3.S3, error) {
- ses, err := session.NewSession()
- if err != nil {
- return nil, err
+func (w S3Writer) getS3() (*s3.Client, error) {
+ var optFns []func(*awsConfig.LoadOptions) error
+ if w.Region != "" {
+ optFns = append(optFns, awsConfig.WithRegion(w.Region))
 }
- config := &aws.Config{
- Region: aws.String(w.Region),
- Credentials: credentials.NewChainCredentials([]credentials.Provider{
- &credentials.EnvProvider{},
- &credentials.SharedCredentialsProvider{Filename: "", Profile: w.Profile},
- &ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(ses)},
- }),
+ if w.Profile != "" {
+ optFns = append(optFns, awsConfig.WithSharedConfigProfile(w.Profile))
 }
- s, err := session.NewSession(config)
+ cfg, err := awsConfig.LoadDefaultConfig(context.TODO(), optFns...)
 if err != nil {
- return nil, err
+ return nil, xerrors.Errorf("Failed to load config. err: %w", err)
 }
- return s3.New(s), nil
+ return s3.NewFromConfig(cfg), nil
 }
 // Write results to S3
-// http://docs.aws.amazon.com/sdk-for-go/latest/v1/developerguide/common-examples.title.html
+// https://docs.aws.amazon.com/en_us/code-library/latest/ug/go_2_s3_code_examples.html
 func (w S3Writer) Write(rs ...models.ScanResult) (err error) {
 if len(rs) == 0 {
 return nil
@@ -59,7 +55,7 @@ func (w S3Writer) Write(rs ...models.ScanResult) (err error) {
 svc, err := w.getS3()
 if err != nil {
- return err
+ return xerrors.Errorf("Failed to get s3 client. err: %w", err)
 }
 if w.FormatOneLineText {
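Review bot: `awsConfig.LoadDefaultConfig(context.TODO(), optFns...)` runs the SDK's default credential chain, which can reach out to IMDS and other network sources, with no deadline at all; since `Write` and `Validate` have no ctx to hand down, derive a bounded one in getS3, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` / `defer cancel()` (duration illustrative; `time` is already imported), and reuse the same approach for the S3 calls that follow. The removed v1 code resolved credentials from an explicit Env → shared credentials(Profile) → EC2 role chain, whereas I believe the v2 default chain also consults container, SSO and web-identity sources and resolves an empty Region from the environment, so an operator's setup may resolve differently after this change. That shift is worth a doc comment on getS3, e.g. `// getS3 builds an S3 client from the SDK default config chain (environment, shared config/credentials for Profile, instance/container roles); Region and Profile only override when non-empty.`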
@@ -103,34 +99,41 @@ func (w S3Writer) Write(rs ...models.ScanResult) (err error) {
 return nil
 }
+// ErrBucketExistCheck : bucket existence cannot be checked because s3:ListBucket or s3:ListAllMyBuckets is not allowed
+var ErrBucketExistCheck = xerrors.New("bucket existence cannot be checked because s3:ListBucket or s3:ListAllMyBuckets is not allowed")
+
 // Validate check the existence of S3 bucket
 func (w S3Writer) Validate() error {
 svc, err := w.getS3()
 if err != nil {
- return err
+ return xerrors.Errorf("Failed to get s3 client. err: %w", err)
 }
- result, err := svc.ListBuckets(&s3.ListBucketsInput{})
- if err != nil {
- return xerrors.Errorf("Failed to list buckets. err: %w, profile: %s, region: %s",
- err, w.Profile, w.Region)
+ // s3:ListBucket
+ _, err = svc.HeadBucket(context.TODO(), &s3.HeadBucketInput{Bucket: aws.String(w.S3Bucket)})
+ if err == nil {
+ return nil
+ }
+ var nsb *types.NoSuchBucket
+ if errors.As(err, &nsb) {
+ return xerrors.Errorf("Failed to find the buckets. profile: %s, region: %s, bucket: %s", w.Profile, w.Region, w.S3Bucket)
 }
- found := false
- for _, bucket := range result.Buckets {
- if *bucket.Name == w.S3Bucket {
- found = true
- break
+ // s3:ListAllMyBuckets
+ result, err := svc.ListBuckets(context.TODO(), &s3.ListBucketsInput{})
+ if err == nil {
+ if slices.ContainsFunc(result.Buckets, func(b types.Bucket) bool {
+ return *b.Name == w.S3Bucket
+ }) {
+ return nil
 }
+ return xerrors.Errorf("Failed to find the buckets. profile: %s, region: %s, bucket: %s", w.Profile, w.Region, w.S3Bucket)
 }
- if !found {
- return xerrors.Errorf("Failed to find the buckets. profile: %s, region: %s, bucket: %s",
- w.Profile, w.Region, w.S3Bucket)
- }
- return nil
+
+ return ErrBucketExistCheck
 }
-func (w S3Writer) putObject(svc *s3.S3, k string, b []byte, gzip bool) error {
+func (w S3Writer) putObject(svc *s3.Client, k string, b []byte, gzip bool) error {
 var err error
 if gzip {
 if b, err = gz(b); err != nil {
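Review bot: `errors.As(err, &nsb)` with `*types.NoSuchBucket` will, as far as I can tell, never match for HeadBucket: its modeled 404 error in aws-sdk-go-v2 is `types.NotFound` (HEAD responses carry no error body), so a misspelled bucket name falls through to ListBuckets and, when listing is not permitted, is reported as the soft `ErrBucketExistCheck` warning instead of a hard failure. Add `var nf *types.NotFound` / `if errors.As(err, &nf) {` alongside the existing branch and verify against the SDK's documented HeadBucket errors. A 403 from HeadBucket, which S3 also returns when the bucket exists but is owned by another account, lands in the same warning path; a comment above the `// s3:ListAllMyBuckets` fallback such as `// reached on 403/other errors: no permission, or the bucket belongs to another account` would help whoever tunes the IAM policy. The two `context.TODO()` calls should use the same bounded context as getS3 rather than an unbounded one.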
@@ -140,16 +143,13 @@ func (w S3Writer) putObject(svc *s3.S3, k string, b []byte, gzip bool) error {
 }
 putObjectInput := &s3.PutObjectInput{
- Bucket: aws.String(w.S3Bucket),
- Key: aws.String(path.Join(w.S3ResultsDir, k)),
- Body: bytes.NewReader(b),
- }
-
- if w.S3ServerSideEncryption != "" {
- putObjectInput.ServerSideEncryption = aws.String(w.S3ServerSideEncryption)
+ Bucket: aws.String(w.S3Bucket),
+ Key: aws.String(path.Join(w.S3ResultsDir, k)),
+ Body: bytes.NewReader(b),
+ ServerSideEncryption: types.ServerSideEncryption(w.S3ServerSideEncryption),
 }
- if _, err := svc.PutObject(putObjectInput); err != nil {
+ if _, err := svc.PutObject(context.TODO(), putObjectInput); err != nil {
 return xerrors.Errorf("Failed to upload data to %s/%s, err: %w", w.S3Bucket, k, err)
 }
diff --git a/saas/saas.go b/saas/saas.go
index 90ce6164c3..ac80b33ec1 100644
--- a/saas/saas.go
+++ b/saas/saas.go
@@ -12,16 +12,17 @@ import (
 "strings"
 "time"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/credentials"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/s3"
- "github.com/aws/aws-sdk-go/service/sts"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ awsConfig "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/credentials"
+ "github.com/aws/aws-sdk-go-v2/service/s3"
+ "github.com/aws/aws-sdk-go-v2/service/sts/types"
+ "golang.org/x/xerrors"
+
 "github.com/future-architect/vuls/config"
 "github.com/future-architect/vuls/logging"
 "github.com/future-architect/vuls/models"
 "github.com/future-architect/vuls/util"
- "golang.org/x/xerrors"
 )
 // Writer writes results to SaaS
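Review bot: `ServerSideEncryption: types.ServerSideEncryption(w.S3ServerSideEncryption)` drops the old `!= ""` guard and now relies on the v2 serializer leaving the header out when the enum value is empty; I believe that holds for the generated S3 serializer, but it deserves a one-line comment so the next reader neither reinstates the guard nor worries about an empty `x-amz-server-side-encryption` header, e.g. `// empty value: SDK omits the header, so bucket default encryption applies`. When the configured value is `aws:kms` no `SSEKMSKeyId` accompanies it, so objects end up under the account's AWS-managed S3 key rather than a customer-managed one; say so where the field is documented (the `S3ServerSideEncryption` comment in config/awsconf.go is the natural place). putObject's body continues outside the hunk on both sides.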
@@ -29,9 +30,9 @@ type Writer struct{}
 // TempCredential : TempCredential
 type TempCredential struct {
- Credential *sts.Credentials `json:"Credential"`
- S3Bucket string `json:"S3Bucket"`
- S3ResultsDir string `json:"S3ResultsDir"`
+ Credential *types.Credentials `json:"Credential"`
+ S3Bucket string `json:"S3Bucket"`
+ S3ResultsDir string `json:"S3ResultsDir"`
 }
 type payload struct {
@@ -98,23 +99,19 @@ func (w Writer) Write(rs ...models.ScanResult) error {
 return xerrors.Errorf("Failed to unmarshal saas credential file. err : %s", err)
 }
- sess, err := session.NewSession(&aws.Config{
- Credentials: credentials.NewStaticCredentialsFromCreds(credentials.Value{
- AccessKeyID: *tempCredential.Credential.AccessKeyId,
- SecretAccessKey: *tempCredential.Credential.SecretAccessKey,
- SessionToken: *tempCredential.Credential.SessionToken,
- }),
- Region: aws.String("ap-northeast-1"),
- })
+ cfg, err := awsConfig.LoadDefaultConfig(ctx,
+ awsConfig.WithRegion("ap-northeast-1"),
+ awsConfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(*tempCredential.Credential.AccessKeyId, *tempCredential.Credential.SecretAccessKey, *tempCredential.Credential.SessionToken)),
+ )
 if err != nil {
- return xerrors.Errorf("Failed to new aws session. err: %w", err)
+ return xerrors.Errorf("Failed to load config. err: %w", err)
 }
 // For S3 upload of aws sdk
 if err := os.Setenv("HTTPS_PROXY", config.Conf.HTTPProxy); err != nil {
 return xerrors.Errorf("Failed to set HTTP proxy: %s", err)
 }
- svc := s3.New(sess)
+ svc := s3.NewFromConfig(cfg)
 for _, r := range rs {
 if 0 < len(tags) {
 if r.Optional == nil {
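Review bot: `credentials.NewStaticCredentialsProvider(*tempCredential.Credential.AccessKeyId, ...)` dereferences three pointers that come straight out of the unmarshalled credential payload; if `Credential` or any of those fields is absent the process panics instead of returning an error like the unmarshal failure just above it. Guard before the call: `if c := tempCredential.Credential; c == nil || c.AccessKeyId == nil || c.SecretAccessKey == nil || c.SessionToken == nil {` / `return xerrors.New("saas credential is missing AccessKeyId, SecretAccessKey or SessionToken")` / `}`. Separately, `os.Setenv("HTTPS_PROXY", ...)` still runs after the config is loaded; with v2 the proxy can be attached to the config itself through `awsConfig.WithHTTPClient`, which avoids mutating process-wide environment that every other HTTP client in the process reads as well, so a comment explaining why the env route is kept would help if it stays. Write's body starts and ends outside the hunk.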
@@ -134,7 +131,7 @@ func (w Writer) Write(rs ...models.ScanResult) error {
 Key: aws.String(path.Join(tempCredential.S3ResultsDir, s3Key)),
 Body: bytes.NewReader(b),
 }
- if _, err := svc.PutObject(putObjectInput); err != nil {
+ if _, err := svc.PutObject(ctx, putObjectInput); err != nil {
 return xerrors.Errorf("Failed to upload data to %s/%s, err: %w", tempCredential.S3Bucket, s3Key, err)
 }
diff --git a/subcmds/report.go b/subcmds/report.go
index e960218877..70426cb1e9 100644
--- a/subcmds/report.go
+++ b/subcmds/report.go
@@ -12,6 +12,7 @@ import (
 "github.com/aquasecurity/trivy/pkg/utils/fsutils"
 "github.com/google/subcommands"
 "github.com/k0kubun/pp"
+ "golang.org/x/xerrors"
 "github.com/future-architect/vuls/config"
 "github.com/future-architect/vuls/detector"
@@ -349,8 +350,11 @@ func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}
 AWSConf: config.Conf.AWS,
 }
 if err := w.Validate(); err != nil {
- logging.Log.Errorf("Check if there is a bucket beforehand: %s, err: %+v", config.Conf.AWS.S3Bucket, err)
- return subcommands.ExitUsageError
+ if !xerrors.Is(err, reporter.ErrBucketExistCheck) {
+ logging.Log.Errorf("Check if there is a bucket beforehand: %s, err: %+v", config.Conf.AWS.S3Bucket, err)
+ return subcommands.ExitUsageError
+ }
+ logging.Log.Warnf("bucket: %s existence cannot be checked because s3:ListBucket or s3:ListAllMyBuckets is not allowed", config.Conf.AWS.S3Bucket)
 }
 reports = append(reports, w)
 }
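Review bot: `xerrors.Is(err, reporter.ErrBucketExistCheck)` brings a new `golang.org/x/xerrors` import into report.go for what the standard library already provides; this patch uses `slices` in config/awsconf.go, so the module is well past Go 1.13 and `errors.Is(err, reporter.ErrBucketExistCheck)` works without the extra import. The Warnf text restates the sentinel's message by hand, which will drift the next time the error is reworded; `logging.Log.Warnf("bucket: %s: %v", config.Conf.AWS.S3Bucket, err)` keeps the two in step. Execute's body continues on both sides of the hunk.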