Docker Image Identification in Tar Files #1643

Open
wants to merge 18 commits into
base: main

Conversation

joeleonjr
Contributor

@joeleonjr joeleonjr commented Aug 18, 2023

Description:

The scanner will currently untar a file and look through the archive for secrets; however, this approach misses secrets hidden in Docker image layers. (The docker save command turns docker images into tar files.) This PR adds docker image scanning inside all archived files identified as the application/x-tar mimetype. A use-case for this feature would be scanning a filesystem, identifying tar files, and then checking if any of them are docker images.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
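As an added example (not code from this PR or from TruffleHog itself), the Go program below shows the approach the description outlines: treat a tar as a candidate `docker save` archive when it carries a top-level manifest.json, then walk each layer listed there as a nested tar and run a detector over the files inside it. The manifest.json layout assumed here (a JSON list whose entries have a `Layers` field naming layer tars inside the archive) is the classic `docker save` format; the function names, the toy AWS-key regex and the in-memory sample archive are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"regexp"
)

// dockerManifest holds the one manifest.json field needed here (assumed `docker save` layout, not TruffleHog's types).
type dockerManifest struct{ Layers []string }

type Finding struct{ Layer, Path, Match string } // what was found and where inside the image

var awsKeyRe = regexp.MustCompile(`AKIA[0-9A-Z]{16}`) // toy detector standing in for the scanner's real detector set

// readTarEntries loads every regular file of a tar stream into memory, capping each entry at maxBytes.
func readTarEntries(r io.Reader, maxBytes int64) (map[string][]byte, error) {
	entries := map[string][]byte{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return entries, nil
		} else if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // skip directories, symlinks and device nodes
		}
		data, err := io.ReadAll(io.LimitReader(tr, maxBytes))
		if err != nil {
			return nil, err
		}
		entries[hdr.Name] = data
	}
}

// ParseDockerSaveTar reports whether the archive is a `docker save` image: the signal is a top-level manifest.json that parses as a non-empty list of image manifests.
func ParseDockerSaveTar(entries map[string][]byte) ([]dockerManifest, bool) {
	var manifests []dockerManifest
	if err := json.Unmarshal(entries["manifest.json"], &manifests); err != nil || len(manifests) == 0 {
		return nil, false // missing file (nil slice) or not a manifest list
	}
	return manifests, true
}

// ScanDockerSaveTar identifies the image and scans each layer (itself a tar) for secrets; an archive that is not an image is reported as such rather than scanned here.
func ScanDockerSaveTar(archive []byte) ([]Finding, error) {
	entries, err := readTarEntries(bytes.NewReader(archive), 64<<20)
	if err != nil {
		return nil, err
	}
	manifests, ok := ParseDockerSaveTar(entries)
	if !ok {
		return nil, fmt.Errorf("not a docker save archive")
	}
	var findings []Finding
	for _, m := range manifests {
		for _, layer := range m.Layers {
			layerTar, ok := entries[layer]
			if !ok { // an empty reader would parse as an empty layer, so check explicitly
				return nil, fmt.Errorf("manifest references missing layer %q", layer)
			}
			files, err := readTarEntries(bytes.NewReader(layerTar), 64<<20)
			if err != nil {
				return nil, fmt.Errorf("layer %s: %w", layer, err)
			}
			for path, data := range files {
				for _, match := range awsKeyRe.FindAllString(string(data), -1) {
					findings = append(findings, Finding{Layer: layer, Path: path, Match: match})
				}
			}
		}
	}
	return findings, nil
}

// buildTar writes an in-memory tar; used only to construct the sample archive below.
func buildTar(files map[string][]byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range files {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), Typeflag: tar.TypeReg})
		_, _ = tw.Write(data)
	}
	_ = tw.Close()
	return buf.Bytes()
}

// SampleImageTar constructs a docker-save-style archive (not a real image) whose one layer holds a config file with a fake, documentation-only AWS key next to a harmless file.
func SampleImageTar() []byte {
	layer := buildTar(map[string][]byte{"app/README": []byte("no secrets here\n"),
		"app/config.env": []byte("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")})
	manifest, _ := json.Marshal([]dockerManifest{{Layers: []string{"layer0/layer.tar"}}})
	return buildTar(map[string][]byte{"manifest.json": manifest, "layer0/layer.tar": layer})
}
```

The explicit missing-layer check is the part worth copying: a nil slice reads as an empty tar, so without it a manifest that points at an absent layer would scan nothing and still report success. Two caveats for real use: layers shared between images in a multi-image archive get scanned once per image here, and newer Docker releases may write `docker save` output as an OCI image layout (index.json, blobs/sha256/...) with compressed layers, which this manifest.json-only detection does not cover.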

Collaborator

@ahrav ahrav left a comment

Overall looks great. Some small comments and just some Go style tweaks. Awesome job!!
🎉

Inline review threads (all resolved):
  • pkg/handlers/archive.go (3 comments, outdated)
  • pkg/handlers/handlers.go (outdated)
  • pkg/sources/sources.go
  • pkg/sources/docker/docker.go (4 comments, outdated)
  • pkg/handlers/archive_test.go (outdated)
@joeleonjr
Contributor Author

@ahrav I moved the integration test into a separate file (and made the updates you suggested), but it's throwing an error. Locally it worked great. This is what I'm seeing:

panic: test timed out after 5m0s
running tests:
	TestFoundKeyInDockerTar (5m0s)

goroutine 62 [running]:
testing.(*M).startAlarm.func1()
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:2259 +0x3b9
created by time.goFunc
	/opt/hostedtoolcache/go/1.21.0/x64/src/time/sleep.go:176 +0x2d

goroutine 1 [chan receive, 5 minutes]:
testing.(*T).Run(0xc00050d860, {0xeaba6e?, 0x52bdfc?}, 0xef8168)
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:1649 +0x3c8
testing.runTests.func1(0x1798fe0?)
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:2054 +0x3e
testing.tRunner(0xc00050d860, 0xc0005bfc48)
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:1595 +0xff
testing.runTests(0xc000555180?, {0x176ed40, 0x6, 0x6}, {0xc?, 0xc0005bfd08?, 0x17983e0?})
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:2052 +0x445
testing.(*M).Run(0xc000555180)
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:1925 +0x636
main.main()
	_testmain.go:57 +0x19c

goroutine 20 [select]:
go.opencensus.io/stats/view.(*worker).start(0xc000506100)
	/home/runner/go/pkg/mod/[email protected]/stats/view/worker.go:292 +0x9f
created by go.opencensus.io/stats/view.init.0 in goroutine 1
	/home/runner/go/pkg/mod/[email protected]/stats/view/worker.go:34 +0x8d

goroutine 8 [running]:
	goroutine running on other thread; stack unavailable
created by testing.(*T).Run in goroutine 1
	/opt/hostedtoolcache/go/1.21.0/x64/src/testing/testing.go:1648 +0x3ad

goroutine 40 [select]:
github.com/trufflesecurity/trufflehog/v3/pkg/sources/docker.ScanDockerImg({0xfef4b0, 0xc000879d70}, {0xff3c78, 0xc000634040}, 0xc000133380, 0xc00007e370)
	/home/runner/work/trufflehog/trufflehog/pkg/sources/docker/docker.go:217 +0xdc5
github.com/trufflesecurity/trufflehog/v3/pkg/handlers.HandleFile({0xfef4b0?, 0xc000879d70}, {0xfe06c0, 0xc000879da0}, 0x0?, 0x0?)
	/home/runner/work/trufflehog/trufflehog/pkg/handlers/handlers.go:65 +0x6e5
github.com/trufflesecurity/trufflehog/v3/pkg/handlers.TestFoundKeyInDockerTar.func1()
	/home/runner/work/trufflehog/trufflehog/pkg/handlers/archive_integration_test.go:88 +0x65
created by github.com/trufflesecurity/trufflehog/v3/pkg/handlers.TestFoundKeyInDockerTar in goroutine 8
	/home/runner/work/trufflehog/trufflehog/pkg/handlers/archive_integration_test.go:86 +0x8d8
FAIL	github.com/trufflesecurity/trufflehog/v3/pkg/handlers	300.061s

@ahrav
Collaborator

ahrav commented Aug 24, 2023

Oh I wonder if the runner timed out after the 5 min interval. We can try to increase the timeout from 5m to test.

@joeleonjr joeleonjr marked this pull request as ready for review August 24, 2023 18:19
@joeleonjr joeleonjr requested review from a team as code owners August 24, 2023 18:19
@zricethezav
Collaborator

@joeleonjr would this solve #674 ?

@joeleonjr
Contributor Author

Good catch. Yes, this closes #674

@CLAassistant

CLAassistant commented Aug 17, 2024

CLA assistant check
All committers have signed the CLA.

4 participants