Skip to content

fix: trivy binary check fallback #1154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

fix: trivy binary check fallback #1154

wants to merge 7 commits into from

Conversation

sozercan
Copy link
Member

@sozercan sozercan commented Jun 12, 2025
edited
Loading

What this PR does / why we need it:
This isn't something that affects the official builds from GHCR since container builds always copies trivy to /trivy.

If the project is rebuilt and the binary is not placed in root dir, this causes issues since eraser expects trivy to be in root. This PR enables fallback to PATH. If not found in PATH, it will provide an error.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #1149 #1150

Special notes for your reviewer:

@codecov Codecov
Copy link

codecov bot commented Jun 12, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 45.00000% with 11 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pkg/scanners/trivy/trivy.go 38.88% 10 Missing and 1 partial ⚠️
Flag Coverage Δ
unittests 4.99% <45.00%> (-9.85%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
pkg/scanners/trivy/types.go 72.07% <100.00%> (+33.24%) ⬆️
pkg/scanners/trivy/trivy.go 5.03% <38.88%> (+5.03%) ⬆️

... and 32 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

ashnamehrotra
ashnamehrotra approved these changes Jun 12, 2025
View reviewed changes
Copy link
Contributor

@ashnamehrotra ashnamehrotra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

pmengelbert
pmengelbert reviewed Jun 12, 2025
View reviewed changes
pmengelbert
pmengelbert reviewed Jun 12, 2025
View reviewed changes
pmengelbert
pmengelbert requested changes Jun 12, 2025
View reviewed changes
Copy link
Contributor

@pmengelbert pmengelbert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few comments

pkg/scanners/trivy/types.go Outdated

// currentExecutingLookPath is a variable that points to exec.LookPath by default,
// but can be overridden for testing purposes.
var currentExecutingLookPath = exec.LookPath
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a little weird to have this as a global variable here. Why not just use exec.LookPath in the findTrivyExecutable function?

Instead of overriding the lookup function for testing, why not create a t.TempDir(), create some executable files in it, and maniuplate PATH by using os.Setenv?

pkg/scanners/trivy/types.go

cliArgs := s.config.cliArgs(refs[i])
cmd := exec.Command(trivyCommandName, cliArgs...)
cmd := exec.Command(s.trivyPath, cliArgs...) // nolint:gosec // G204: Subprocess launched with variable
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you make the initScanner function create a symlink at /trivy to the path where trivy was found? That way we don't have to disable a security lint.

Copy link
Member Author

@sozercan sozercan Jun 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point, this might be why we used /trivy path instead of relying on PATH. However, will this break read only root file system pod security?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second thought, we can change /trivy to trivy in the call to exec.Command and it will be located in the PATH automatically

Thanks to Mo for the fresh perspective :)

@sozercan sozercan force-pushed the trivy-path branch 3 times, most recently from d122771 to 52c653d Compare June 16, 2025 22:05
sozercan added 7 commits June 16, 2025 22:08
@sozercan
fix: check if trivy exist
b625541 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
lint
8da96c7 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
move to initscanner
15b5699 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
copyloopvar to replace exportloopref
1288f1b 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
address review comments
a04d0cd 
Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
Revert "address review comments"
22cea7d 
This reverts commit eebe5b9.

Signed-off-by: Sertac Ozercan <[email protected]>
@sozercan
update
5d37828 
Signed-off-by: Sertac Ozercan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmengelbert pmengelbert pmengelbert requested changes

@ashnamehrotra ashnamehrotra ashnamehrotra approved these changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] trivy-scanner pod doesn't error when trivy binary cannot be found
3 participants
@sozercan @ashnamehrotra @pmengelbert