Use trivy rootfs scan for both local and remote

Makefile

@@ -24,8 +24,8 @@ test-unit:
 	go test -timeout 160s ./... -v -coverprofile=coverage.out
 
 test-integration: 
-	@if [ -z "$${GITHUB_TOKEN}" ] || [ -z "$${GHCR_CREDS}" ] || [ -z "$${REGISTRY1_CREDS}" ]; then \
-		echo "Error: GITHUB_TOKEN, GHCR_CREDS, or REGISTRY1_CREDS is not set"; \
+	@if [ -z "$${GITHUB_TOKEN}" ] || [ -z "$${GHCR_CREDS}" ]; then \
+		echo "Error: GITHUB_TOKEN or GHCR_CREDS is not set"; \
 		exit 1; \
 	fi
 	integration=true go test -timeout 160s ./... -v -coverprofile=coverage.out

cmd/scan.go

@@ -69,6 +69,7 @@ Example: 'registry1.dso.mil:myuser:mypassword'`)
 	rootCmd.PersistentFlags().StringP("output-file", "f", "", "Output file for CSV results")
 	rootCmd.PersistentFlags().StringP("package-path", "p", "", `Path to the local zarf package. 
 This is for local scanning and not fetching from a remote registry.`)
+	rootCmd.PersistentFlags().StringP("scanner-type", "s", "rootfs", "Trivy scanner type. options: sbom|rootfs")
 	rootCmd.PersistentFlags().StringP("offline-db-path", "d", "", `Path to the offline DB to use for the scan. 
 This is for local scanning and not fetching from a remote registry.
 This should have all the files extracted from the trivy-db image and ran once before running the scan.`)
@@ -86,16 +87,24 @@ func runScanner(cmd *cobra.Command, _ []string) error {
 	outputFile, _ := cmd.Flags().GetString("output-file")            //nolint:errcheck
 	registryCreds, _ := cmd.Flags().GetStringSlice("registry-creds") //nolint:errcheck
 	packagePath, _ := cmd.Flags().GetString("package-path")          //nolint:errcheck
+	scannerType, _ := cmd.Flags().GetString("scanner-type")          //nolint:errcheck
 	offlineDBPath, _ := cmd.Flags().GetString("offline-db-path")     //nolint:errcheck
 
 	parsedCreds := docker.ParseCredentials(registryCreds)
-	dockerConfigPath, err := docker.GenerateAndWriteDockerConfig(ctx, parsedCreds)
-	if err != nil {
-		return fmt.Errorf("error generating and writing Docker config: %w", err)
-	}
 
 	factory := &scan.ScannerFactoryImpl{}
-	scanner, err := factory.CreateScanner(ctx, logger, dockerConfigPath, org, packageName, tag, packagePath, offlineDBPath)
+	scanner, err := factory.CreateScanner(
+		ctx,
+		logger,
+		"",
+		org,
+		packageName,
+		tag,
+		packagePath,
+		offlineDBPath,
+		parsedCreds,
+		scannerType == "sbom",
+	)
 	if err != nil {
 		return fmt.Errorf("error creating scanner: %w", err)
 	}

cmd/store/e2e_test.go

@@ -15,17 +15,13 @@ func TestStore(t *testing.T) {
 	const testDBPath = "tests/uds_security_hub.db"
 	github := os.Getenv("GITHUB_TOKEN")
 	ghcrCreds := os.Getenv("GHCR_CREDS")
-	registry1Creds := os.Getenv("REGISTRY1_CREDS")
-	dockerCreds := os.Getenv("DOCKER_IO_CREDS")
-	if github == "" || ghcrCreds == "" || registry1Creds == "" {
-		t.Fatalf("GITHUB_TOKEN, GHCR_CREDS, and REGISTRY1_CREDS are required")
+	if github == "" || ghcrCreds == "" {
+		t.Fatalf("GITHUB_TOKEN and GHCR_CREDS are required")
 	}
 
 	os.Args = []string{
 		"program",
 		"--registry-creds", ghcrCreds,
-		"--registry-creds", registry1Creds,
-		"--registry-creds", dockerCreds,
 		"-n", "packages/uds/mattermost",
 		"--db-path", testDBPath,
 		"-v", "1",

cmd/store/main.go

@@ -124,13 +124,8 @@ func runStoreScanner(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("error getting registry credentials: %w", err)
 	}
 	parsedCreds := docker.ParseCredentials(registryCreds)
-	dockerConfigPath, err := docker.GenerateAndWriteDockerConfig(ctx, parsedCreds)
-	if err != nil {
-		return fmt.Errorf("error generating and writing Docker config: %w", err)
-	}
-	scanner := scan.NewRemotePackageScanner(ctx, logInstance, dockerConfigPath, config.Org, config.PackageName,
-		config.Tag, config.OfflineDBPath)
-
+	scanner := scan.NewRemotePackageScanner(ctx, logInstance, "", config.Org, config.PackageName,
+		config.Tag, config.OfflineDBPath, parsedCreds, false)
 	manager, err := db.NewGormScanManager(config.DBConn)
 	if err != nil {
 		return fmt.Errorf("error initializing GormScanManager: %w", err)

docs/adrs/0001-rootfs-scanning.md

@@ -0,0 +1,139 @@
+# ADR: Scan using `trivy rootfs` to get a complete scan of a package
+
+Date: 2024-08-12
+
+## Status
+
+accepted
+
+## Context
+
+Prior local package scanning was implemented using only the sbom. This can result
+in lower quality CVE results.
+
+Example CVE counts for the zarf argocd example as per 2024-08-12.
+
+| Scanner Type | CRITICAL | HIGH | MEDIUM | TOTAL |
+| :----------: | :------: | :--: | :----: | :---: |
+| sbom         | 1        | 2    | 23     | 41    |
+| rootfs       | 2        | 9    | 101    | 187   |
+
+## Implementation
+
+Trivy supports scanning a container using a `rootfs`. By extracting the layers
+for each image to a directory we can use this to get a complete scan of an image.
+
+### Local Package Scans
+
+
+- read the `images/index.json` manifest from the package. Example from `zarf/examples/argocd`
+
+```
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.index.v1+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 9612,
+         "digest": "sha256:15f469a6f69979694769ab1e6782be40facca74ea7ad74e01f2a6a5c72e307f6",
+         "annotations": {
+            "org.opencontainers.image.base.name": "quay.io/argoproj/argocd:sha256-2dafd800fb617ba5b16ae429e388ca140f66f88171463d23d158b372bb2fae08.sig"
+         }
+      },
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 9790,
+         "digest": "sha256:f414c5344bf3ec6777b84aa6e1e32838cf7a8a5ea5cc12a9489c14ee51b449a6",
+         "annotations": {
+            "org.opencontainers.image.base.name": "quay.io/argoproj/argocd:sha256-2dafd800fb617ba5b16ae429e388ca140f66f88171463d23d158b372bb2fae08.att"
+         }
+      },
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 2483,
+         "digest": "sha256:1c08fe64a37f29ce012c0a3665ef78f2e9ac27b2425a7d717dc852dc58062f10",
+         "annotations": {
+            "org.opencontainers.image.base.name": "docker.io/library/redis:7.0.15-alpine"
+         }
+      },
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 1625,
+         "digest": "sha256:d37d27b92cce4fb1383d5fbe32540382ea3d9662c7be3555f5a0f6a044099e1b",
+         "annotations": {
+            "org.opencontainers.image.base.name": "ghcr.io/stefanprodan/podinfo:6.4.0"
+         }
+      },
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 3237,
+         "digest": "sha256:e7898cd05251d2af51380cbf50c9613748440fe6406e28e027846875b941c2de",
+         "annotations": {
+            "org.opencontainers.image.base.name": "quay.io/argoproj/argocd:v2.9.6"
+         }
+      }
+   ]
+}
+```
+
+- this will include a list of images, for each image:
+    - ignore any image that has a `org.opencontainers.image.base.name` ending with `*.att` or `*.sig`.
+      These are not images that need to be scanned.
+    - read the file in `images/blobs/sha256/<digest>`. It is an image manifest.
+```
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+  "config": {
+    "mediaType": "application/vnd.docker.container.image.v1+json",
+    "digest": "sha256:26997ab04178102d8549deff0abfcfb9455bd6a6e6f6a6723d3493d53d5a9097",
+    "size": 7053
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+      "digest": "sha256:3153aa388d026c26a2235e1ed0163e350e451f41a8a313e1804d7e1afb857ab4",
+      "size": 29533422
+    },
+// <extra layers redacted>
+  ]
+}
+```
+
+    - the `layers` are a list of tar.gz files stored in the blobs directory by their digest
+    - extract `tar xf` each layer in the given order to a tmp directory.
+        - if there is an error in the step, log a warn and continue
+    - run `trivy rootfs` against that directory and report results.
+
+### Remote Package Scanner
+
+For the remote scanner we download the image to a local directory using oras.land. 
+Once it's on disk, we read the `index.json` file to get a list of manifests. These 
+are the supported platforms. We are currently only looking at the `amd64` image, 
+so we read the blob associated with amd64 to get a list of layers in the image. This 
+is where we find the actual index.json for `amd64`. We then use the same logic as the
+local scanner to unpack the rootfs and use `trivy rootfs` to scan that image.
+
+Thus, the remote and the local scan are remarkably similar, with only subtle differences
+in where the index is found.
+
+
+### Note on SBOM support
+
+There is also support to scan only using the SBOM using command line flags. This yields
+lower quality results as the SBOMs at the time of writing this are not a complete
+representation of all dependencies in a package. The trivy rootfs scanner finds more
+vulnerabilities. We can possibly use this disparity in the future to increase the
+accuracy of our SBOM generation.
+
+## Alternatives Considered
+
+- Trivy also has a oci layout scanner which could work with some tweaking on the results to separate out the individual image components.
+  This would allow us to avoid unpacking the tar files
+
+Example:
+
+```
+$ trivy image --input /tmp/dir@<image-digest-from-index.json>
+```

go.mod

@@ -20,6 +20,7 @@ require (
 	gorm.io/driver/postgres v1.5.9
 	gorm.io/driver/sqlite v1.5.6
 	gorm.io/gorm v1.25.11
+	oras.land/oras-go/v2 v2.5.0
 )
 
 require (
@@ -50,7 +51,6 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/cli v27.1.1+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -123,7 +123,6 @@ require (
 	github.com/sylabs/squashfs v1.0.0 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
 	github.com/ulikunitz/xz v0.5.12 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
 	github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect

go.sum

@@ -2269,6 +2269,8 @@ modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw
 modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
 modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
+oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c=
+oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

internal/log/zap..go

@@ -28,7 +28,7 @@ func NewLogger(ctx context.Context) types.Logger {
 	if logger, ok := ctx.Value(loggerKey).(types.Logger); ok {
 		return logger
 	}
-	zapLoggerInstance, err := zap.NewProduction()
+	zapLoggerInstance, err := zap.NewProduction(zap.AddCallerSkip(1))
 	if err != nil {
 		panic(err)
 	}

pkg/scan/e2e_test.go

@@ -16,63 +16,62 @@ func TestE2EScanFunctionality(t *testing.T) {
 	if os.Getenv("integration") != "true" {
 		t.Skip("Skipping integration test")
 	}
-	// Set up the context and logger
-	ctx := context.Background()
-	logger := log.NewLogger(ctx)
-	ghcrCreds := os.Getenv("GHCR_CREDS")
-	registry1Creds := os.Getenv("REGISTRY1_CREDS")
-	dockerCreds := os.Getenv("DOCKER_IO_CREDS")
-	if ghcrCreds == "" || registry1Creds == "" || dockerCreds == "" {
-		t.Fatalf("GHCR_CREDS and REGISTRY1_CREDS must be set")
+	testCases := []struct {
+		name string
+		sbom bool
+	}{
+		{name: "RootFS Scanner", sbom: false},
+		{name: "SBOM Scanner", sbom: true},
 	}
-	registryCreds := docker.ParseCredentials([]string{ghcrCreds, registry1Creds, dockerCreds})
-	// Define the test inputs
 
-	org := "defenseunicorns"
-	packageName := "packages/uds/sonarqube"
-	tag := "9.9.5-uds.1-upstream"
-	dockerConfigPath, err := docker.GenerateAndWriteDockerConfig(ctx, registryCreds)
-	if err != nil {
-		t.Fatalf("Error generating and writing Docker config: %v", err)
-	}
-	// Create the scanner
-	scanner := NewRemotePackageScanner(ctx, logger, dockerConfigPath, org, packageName, tag, "")
-	if err != nil {
-		t.Fatalf("Error creating scanner: %v", err)
-	}
-	rps, ok := scanner.(*Scanner)
-	if !ok {
-		t.Fatalf("Error creating scanner: %v", err)
-	}
-	// Perform the scan
-	results, err := rps.ScanZarfPackage(org, packageName, tag)
-	if err != nil {
-		t.Fatalf("Error scanning package: %v", err)
-	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up the context and logger
+			ctx := context.Background()
+			logger := log.NewLogger(ctx)
+			ghcrCreds := os.Getenv("GHCR_CREDS")
+			if ghcrCreds == "" {
+				t.Fatalf("GHCR_CREDS must be set")
+			}
+			registryCreds := docker.ParseCredentials([]string{ghcrCreds})
+			// Define the test inputs
 
-	// Process the results
-	var buf bytes.Buffer
-	for i, v := range results {
-		r, err := scanner.ScanResultReader(v)
-		if err != nil {
-			t.Fatalf("Error reading scan result: %v", err)
-		}
+			org := "defenseunicorns"
+			packageName := "packages/uds/sonarqube"
+			tag := "9.9.5-uds.1-upstream"
+			// Create the scanner
+			scanner := NewRemotePackageScanner(ctx, logger, "", org, packageName, tag, "", registryCreds, tt.sbom)
+			// Perform the scan
+			results, err := scanner.Scan(ctx)
+			if err != nil {
+				t.Fatalf("Error scanning package: %v", err)
+			}
 
-		if err := r.WriteToCSV(&buf, i == 0); err != nil {
-			t.Fatalf("Error creating csv: %v", err)
-		}
-	}
+			// Process the results
+			var buf bytes.Buffer
+			for i, v := range results {
+				r, err := scanner.ScanResultReader(v)
+				if err != nil {
+					t.Fatalf("Error reading scan result: %v", err)
+				}
 
-	combinedCSV := buf.String()
+				if err := r.WriteToCSV(&buf, i == 0); err != nil {
+					t.Fatalf("Error creating csv: %v", err)
+				}
+			}
 
-	// Verify the combined CSV output
-	if len(combinedCSV) == 0 {
-		t.Fatalf("Combined CSV output is empty")
-	}
+			combinedCSV := buf.String()
+
+			// Verify the combined CSV output
+			if len(combinedCSV) == 0 {
+				t.Fatalf("Combined CSV output is empty")
+			}
 
-	// make sure the header only exists in the first line
-	lines := strings.Split(combinedCSV, "\n")
-	if slices.Contains(lines[1:], lines[0]) {
-		t.Error("the header line appears more than once")
+			// make sure the header only exists in the first line
+			lines := strings.Split(combinedCSV, "\n")
+			if slices.Contains(lines[1:], lines[0]) {
+				t.Error("the header line appears more than once")
+			}
+		})
 	}
 }