--skip-files does not work with globs #4002

Closed
fawind opened this issue Apr 6, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@fawind
Contributor

fawind commented Apr 6, 2023

Description

The docs mention that it should be possible to use globs with the --skip-files option (source), i.e.:

$ trivy image --skip-files "./testdata/*/bar" .

What did you expect to happen?

The following command - not using globs - successfully works in skipping the file. No CVEs are flagged for opt/bitnami/common/bin/gosu:

 trivy image --scanners vuln --offline-scan  --skip-files opt/bitnami/common/bin/gosu bitnami/spring-cloud-dataflow:2.10.2

I tried multiple variations of using glob patterns, but none of them seem to work and skip the opt/bitnami/common/bin/gosu file, resulting in the report containing the respective CVEs. Examples of glob patterns I tried:

--skip-files "*/gosu"
--skip-files "opt/*/gosu"
--skip-files "**/gosu"

Output of run with --debug:

$ trivy image --scanners vuln --offline-scan bitnami/spring-cloud-dataflow:2.10.2 --skip-files "*/gosu" --debug
2023-04-06T15:27:38.099+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-06T15:27:38.111+0100    DEBUG   cache dir:  /Users/fwindheuser/Library/Caches/trivy
2023-04-06T15:27:38.111+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-04-06T15:27:38.111+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-04-06 12:08:08.048185529 +0000 UTC, NextUpdate: 2023-04-06 18:08:08.048184829 +0000 UTC, DownloadedAt: 2023-04-06 13:05:35.504181 +0000 UTC
2023-04-06T15:27:38.111+0100    INFO    Vulnerability scanning is enabled
2023-04-06T15:27:38.111+0100    DEBUG   Vulnerability type:  [os library]
2023-04-06T15:27:41.008+0100    DEBUG   Image ID: sha256:60d0f200ff04bfa4a05925a3e48ba94f173becb65a9048f65dae31c04f5ebbda
2023-04-06T15:27:41.008+0100    DEBUG   Diff IDs: [sha256:137d08e8ad520b25ed4b374715dbe42e2f3859bd0536053fb66b29faca91e7e4]
2023-04-06T15:27:41.008+0100    DEBUG   Base Layers: []
2023-04-06T15:27:41.021+0100    INFO    Detected OS: debian
2023-04-06T15:27:41.021+0100    INFO    Detecting Debian vulnerabilities...
2023-04-06T15:27:41.021+0100    DEBUG   debian: os version: 11
2023-04-06T15:27:41.021+0100    DEBUG   debian: the number of packages: 99
2023-04-06T15:27:41.033+0100    INFO    Number of language-specific files: 3
2023-04-06T15:27:41.033+0100    INFO    Detecting gobinary vulnerabilities...
2023-04-06T15:27:41.033+0100    DEBUG   Detecting library vulnerabilities, type: gobinary, path: opt/bitnami/common/bin/gosu
2023-04-06T15:27:41.034+0100    DEBUG   Detecting library vulnerabilities, type: gobinary, path: opt/bitnami/common/bin/yq
2023-04-06T15:27:41.034+0100    INFO    Detecting jar vulnerabilities...
2023-04-06T15:27:41.034+0100    DEBUG   Detecting library vulnerabilities, type: jar, path:

[...]

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

[...]

Output of trivy -v:

Version: 0.39.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-06 12:08:08.048185529 +0000 UTC
  NextUpdate: 2023-04-06 18:08:08.048184829 +0000 UTC
  DownloadedAt: 2023-04-06 13:05:35.504181 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-04-06 00:47:46.424773514 +0000 UTC
  NextUpdate: 2023-04-09 00:47:46.424773114 +0000 UTC
  DownloadedAt: 2023-04-06 10:46:52.025846 +0000 UTC
@fawind fawind added the kind/bug Categorizes issue or PR as related to a bug. label Apr 6, 2023
@simar7
Member

simar7 commented Apr 6, 2023

Thanks for the report, we'll look into it.

@simar7
Member

simar7 commented Apr 11, 2023

hi @fawind - I looked into it and seems like Go doesn't natively support ** based pattern matching as can be seen here: golang/go#11862

Regardless, this behaviour is useful to have. So I have two solutions for you:

Short term

You can pass paths such as: */*/*/*/gosu

trivy image --skip-files="*/*/*/*/gosu" bitnami/spring-cloud-dataflow:2.10.2

Will skip the gosu binary under opt/bitnami/common/bin/gosu.

Long term (new feature support)

I've created a PR to support this: #4026 – Once it's merged and a new Trivy version is released, you can give it a try.

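The comment above explains the root cause: Go's standard-library glob matcher treats `*` as "any run of characters except `/`" and has no `**` operator at all, which is why `*/gosu` and `**/gosu` never match a file four directories deep while `*/*/*/*/gosu` does. The program below is an added example (not Trivy's code and not the fix in the PR referenced above) that reproduces that behaviour with `path.Match` against the gosu path from the report, and beside it shows an illustrative segment-wise matcher in which `**` means "zero or more whole path segments", so the patterns the reporter tried would behave as expected. The sample path is taken from the issue; `MatchDoubleStar` and `StdlibMatch` are names chosen here.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Path of the binary the reporter wanted to skip (taken from the issue).
const gosuPath = "opt/bitnami/common/bin/gosu"

// StdlibMatch wraps path.Match, the glob matcher in Go's standard library.
// '*' never crosses a '/', and there is no '**' operator: consecutive stars
// collapse into a single '*', so "**/gosu" behaves exactly like "*/gosu".
func StdlibMatch(pattern, name string) bool {
	ok, err := path.Match(pattern, name)
	return err == nil && ok
}

// MatchDoubleStar is an illustrative matcher (an assumption for this example,
// not Trivy's implementation) that gives "**" the common meaning of "zero or
// more whole path segments". Every other segment is delegated to path.Match,
// so '*' and '?' keep their single-segment semantics.
func MatchDoubleStar(pattern, name string) bool {
	return matchSegments(strings.Split(pattern, "/"), strings.Split(name, "/"))
}

func matchSegments(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		// Let the double star consume 0..len(segs) segments and try the rest.
		for i := 0; i <= len(segs); i++ {
			if matchSegments(pat[1:], segs[i:]) {
				return true
			}
		}
		return false
	}
	if len(segs) == 0 {
		return false
	}
	ok, err := path.Match(pat[0], segs[0])
	if err != nil || !ok {
		return false
	}
	return matchSegments(pat[1:], segs[1:])
}

func main() {
	// The patterns from the report plus the workaround and one mixed form.
	patterns := []string{"*/gosu", "opt/*/gosu", "**/gosu", "*/*/*/*/gosu", "opt/**/bin/gosu"}
	for _, p := range patterns {
		fmt.Printf("%-18s stdlib=%-5v doublestar=%v\n",
			p, StdlibMatch(p, gosuPath), MatchDoubleStar(p, gosuPath))
	}
}
```

The practical check for a skip rule is therefore not "does the pattern look right" but "does the matcher used by the scanner accept it": with a `path.Match`-style matcher, a pattern must spell out every directory level with its own `*`, and a `**`-aware matcher is needed before depth-independent patterns can be trusted to suppress findings.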
@fawind
Contributor Author

fawind commented Apr 17, 2023

This got released with v0.40.0. Thanks a bunch for taking the time and improving this!

@fawind fawind closed this as completed Apr 17, 2023