
Exclude dirs in host filesystem scanning
olzhasar-reef committed Nov 30, 2024
1 parent f926b45 commit 3651e0c
Showing 1 changed file with 26 additions and 5 deletions.
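--- a/src/vulnrelay/scanners/grype.py
+++ b/src/vulnrelay/scanners/grype.py
@@ -12,7 +12,9 @@ class Grype(Scanner, name="grype"):
 def defectdojo_name(self) -> str:
 return "Anchore Grype"
 
-def _perform_scan(self, target: str, *extra_run_args: str) -> str:
+def _perform_scan(self, grype_args: list[str], *, extra_run_args: list[str] | None = None) -> str:
+extra_run_args = extra_run_args or []
+
 cmd = [
 "docker",
 "run",
@@ -27,23 +29,42 @@ def _perform_scan(self, target: str, *extra_run_args: str) -> str:
 self.docker_image,
 "-o",
 "json",
-target,
+*grype_args,
 ]
 
 logger.debug("Running command: %s", cmd)
 
 try:
 result = subprocess.run(cmd, check=True, capture_output=True)
 except subprocess.CalledProcessError as e:
-raise ScannerError("Command:\n%s\nReturned:%s\n", cmd, e.stderr.decode("utf-8")) from e
+errout = e.stderr.decode("utf-8")
+raise ScannerError(f"{errout}\nSubprocess command:\n{cmd}")
 
 output = result.stdout.decode("utf-8")
 logger.debug("Scan result: %s", output)
 
 return output
 
 def scan_image(self, image_name: str) -> str:
-return self._perform_scan(image_name)
+return self._perform_scan([image_name])
 
 def scan_host(self) -> str:
-return self._perform_scan("dir:/host", "--volume", "/:/host:ro")
+excluded_dirs = [
+"./proc",
+"./sys",
+"./tmp",
+"./var",
+"./var/log",
+"./var/cache",
+"./var/tmp",
+"./var/lib/docker",
+"./home",
+]
+
+grype_args = ["dir:/host"]
+
+for _dir in excluded_dirs:
+grype_args.append("--exclude")
+grype_args.append(_dir)
+
+return self._perform_scan(grype_args, extra_run_args=["--volume", "/:/host:ro"])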
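Review bot: The bare `"./var"` entry in excluded_dirs in scan_host excludes the whole /var subtree, which — assuming grype's --exclude globs are applied by the directory resolver the OS package catalogers read from, as they are in syft — hides /var/lib/dpkg and /var/lib/rpm from the host scan, so OS package vulnerabilities on Debian- or RPM-based hosts would not be reported at all, and it also makes the `./var/log`, `./var/cache` and `./var/tmp` entries redundant. Dropping the `"./var",` line and keeping only the narrower `./var/...` exclusions preserves the noise reduction without losing the package databases; this is worth confirming against a host with a known dpkg-level CVE before merging, since a silently empty OS inventory looks like a clean result. Separately, the rewritten except branch drops the explicit `from e` the old line had and decodes stderr strictly, so a non-UTF-8 byte from the scanner turns a scan failure into a UnicodeDecodeError; `errout = e.stderr.decode("utf-8", errors="replace")` and `raise ScannerError(f"{errout}\nSubprocess command:\n{cmd}") from e` keep the failure path robust and the traceback useful. Note the second hunk opens inside `_perform_scan`, so the lines where extra_run_args is spliced into cmd are not visible here.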
