feat: skip files and dirs (aquasecurity#284)

analyzer/config/config.go

@@ -28,18 +28,10 @@ type ScannerOption struct {
 }
 
 func (o *ScannerOption) Sort() {
-	sort.Slice(o.Namespaces, func(i, j int) bool {
-		return o.Namespaces[i] < o.Namespaces[j]
-	})
-	sort.Slice(o.FilePatterns, func(i, j int) bool {
-		return o.FilePatterns[i] < o.FilePatterns[j]
-	})
-	sort.Slice(o.PolicyPaths, func(i, j int) bool {
-		return o.PolicyPaths[i] < o.PolicyPaths[j]
-	})
-	sort.Slice(o.DataPaths, func(i, j int) bool {
-		return o.DataPaths[i] < o.DataPaths[j]
-	})
+	sort.Strings(o.Namespaces)
+	sort.Strings(o.FilePatterns)
+	sort.Strings(o.PolicyPaths)
+	sort.Strings(o.DataPaths)
 }
 
 func RegisterConfigAnalyzers(filePatterns []string) error {

artifact/artifact.go

@@ -2,10 +2,28 @@ package artifact
 
 import (
 	"context"
+	"sort"
 
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/hook"
 	"github.com/aquasecurity/fanal/types"
 )
 
+type Option struct {
+	DisabledAnalyzers []analyzer.Type
+	DisabledHooks     []hook.Type
+	SkipFiles         []string
+	SkipDirs          []string
+}
+
+func (o *Option) Sort() {
+	sort.Slice(o.DisabledAnalyzers, func(i, j int) bool {
+		return o.DisabledAnalyzers[i] < o.DisabledAnalyzers[j]
+	})
+	sort.Strings(o.SkipFiles)
+	sort.Strings(o.SkipDirs)
+}
+
 type Artifact interface {
 	Inspect(ctx context.Context) (reference types.ArtifactReference, err error)
 }

artifact/image/image.go

@@ -3,7 +3,6 @@ package image
 import (
 	"context"
 	"encoding/json"
-	"image"
 	"io"
 	"os"
 	"reflect"
@@ -50,37 +49,44 @@ var (
 )
 
 type Artifact struct {
-	image               image.Image
-	caches              []cache.ArtifactCache
-	analyzer            analyzer.Analyzer
-	hookManager         hook.Manager
-	scanner             scanner.Scanner
+	image       types.Image
+	caches      []cache.ArtifactCache
+	walker      walker.LayerTar
+	analyzer    analyzer.Analyzer
+	hookManager hook.Manager
+	scanner     scanner.Scanner
+
+	artifactOption      artifact.Option
 	configScannerOption config.ScannerOption
 }
 
 type layerkeyDiffIdMap map[string]string
 type cacheLayerKeyMap map[types.CacheType]layerkeyDiffIdMap
 
-func NewArtifact(img image.Image, c []cache.ArtifactCache, disabledAnalyzers []analyzer.Type, disabledHooks []hook.Type, opt config.ScannerOption) (artifact.Artifact, error) {
+func NewArtifact(img types.Image, c []cache.ArtifactCache, artifactOpt artifact.Option, scannerOpt config.ScannerOption) (artifact.Artifact, error) {
 	// Register config analyzers
-	if err := config.RegisterConfigAnalyzers(opt.FilePatterns); err != nil {
+	if err := config.RegisterConfigAnalyzers(scannerOpt.FilePatterns); err != nil {
 		return nil, xerrors.Errorf("config scanner error: %w", err)
 	}
 
-	s, err := scanner.New("", opt.Namespaces, opt.PolicyPaths, opt.DataPaths, opt.Trace)
+	s, err := scanner.New("", scannerOpt.Namespaces, scannerOpt.PolicyPaths, scannerOpt.DataPaths, scannerOpt.Trace)
 	if err != nil {
 		return nil, xerrors.Errorf("scanner error: %w", err)
 	}
 
-	disabledAnalyzers = append(disabledAnalyzers, defaultDisabledAnalyzers...)
-	disabledHooks = append(disabledHooks, defaultDisabledHooks...)
+	disabledAnalyzers := append(artifactOpt.DisabledAnalyzers, defaultDisabledAnalyzers...)
+	disabledHooks := append(artifactOpt.DisabledHooks, defaultDisabledHooks...)
 
 	return Artifact{
-		image:               img,
-		caches:              c,
-		analyzer:            analyzer.NewAnalyzer(disabled),
-		scanner:             s,
-		configScannerOption: opt,
+		image:       img,
+		caches:      c,
+		walker:      walker.NewLayerTar(artifactOpt.SkipFiles, artifactOpt.SkipDirs),
+		analyzer:    analyzer.NewAnalyzer(disabledAnalyzers),
+		hookManager: hook.NewManager(disabledHooks),
+		scanner:     s,
+
+		artifactOption:      artifactOpt,
+		configScannerOption: scannerOpt,
 	}, nil
 }
 
@@ -178,7 +184,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 
 func (a Artifact) calcCacheKeys(imageID string, diffIDs []string, cacheType types.CacheType) (string, []string, map[string]string, error) {
 	// Pass an empty config scanner option so that the cache key can be the same, even when policies are updated.
-	imageKey, err := cache.CalcKey(imageID, a.analyzer.ImageConfigAnalyzerVersions(), nil, &config.ScannerOption{})
+	imageKey, err := cache.CalcKey(imageID, a.analyzer.ImageConfigAnalyzerVersions(), nil, artifact.Option{}, config.ScannerOption{})
 	if err != nil {
 		return "", nil, nil, err
 	}
@@ -187,7 +193,7 @@ func (a Artifact) calcCacheKeys(imageID string, diffIDs []string, cacheType type
 	hookVersions := a.hookManager.Versions()
 	var layerKeys []string
 	for _, diffID := range diffIDs {
-		blobKey, err := cache.CalcKey(diffID, a.analyzer.AnalyzerVersions(cacheType), hookVersions, &a.configScannerOption)
+		blobKey, err := cache.CalcKey(diffID, a.analyzer.AnalyzerVersions(cacheType), hookVersions, a.artifactOption, a.configScannerOption)
 		if err != nil {
 			return "", nil, nil, err
 		}
@@ -254,7 +260,7 @@ func (a Artifact) inspect(ctx context.Context, missingImage string, diffIDs map[
 func (a Artifact) inspectLayer(ctx context.Context, diffID string) (map[types.CacheType]types.BlobInfo, error) {
 	log.Logger.Debugf("Missing diff ID: %s", diffID)
 	layerInfo := map[types.CacheType]types.BlobInfo{}
-	layerDigest, cr, err := a.uncompressedLayer(diffID)
+	layerDigest, r, err := a.uncompressedLayer(diffID)
 	if err != nil {
 		return nil, xerrors.Errorf("unable to get uncompressed layer %s: %w", diffID, err)
 	}
@@ -265,7 +271,7 @@ func (a Artifact) inspectLayer(ctx context.Context, diffID string) (map[types.Ca
 		resultMap[cache.Type()] = new(analyzer.AnalysisResult)
 	}
 	limit := semaphore.NewWeighted(parallel)
-	opqDirs, whFiles, err := walker.WalkLayerTar(cr, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
+	opqDirs, whFiles, err := walker.WalkLayerTar(r, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		if err = a.analyzer.AnalyzeFile(ctx, &wg, limit, resultMap, filePath, info, opener); err != nil {
 			return xerrors.Errorf("failed to analyze %s: %w", filePath, err)
 		}