aquasecurity · DmitriyLewen · Aug 21, 2024 · Aug 21, 2024 · Aug 21, 2024 · Sep 3, 2024
@@ -142,8 +142,9 @@ type AnalysisInput struct {
 }
 
 type PostAnalysisInput struct {
-	FS      fs.FS
-	Options AnalysisOptions
+	FS                           fs.FS
+	Options                      AnalysisOptions
+	FilePathsMatchedFromPatterns []string // List of filePaths got from --file-patterns flag
 }
 
 type AnalysisOptions struct {
@@ -455,13 +456,23 @@ func (ag AnalyzerGroup) AnalyzeFile(ctx context.Context, wg *sync.WaitGroup, lim
 }
 
 // RequiredPostAnalyzers returns a list of analyzer types that require the given file.
-func (ag AnalyzerGroup) RequiredPostAnalyzers(filePath string, info os.FileInfo) []Type {
+func (ag AnalyzerGroup) RequiredPostAnalyzers(filePath string, info os.FileInfo, requiredByFilePatterns map[Type][]string) []Type {
 	if info.IsDir() {
 		return nil
 	}
 	var postAnalyzerTypes []Type
 	for _, a := range ag.postAnalyzers {
-		if ag.filePatternMatch(a.Type(), filePath) || a.Required(filePath, info) {
+		if ag.filePatternMatch(a.Type(), filePath) {
+			postAnalyzerTypes = append(postAnalyzerTypes, a.Type())
+
+			// Save filePaths for files required by filePatterns to use in PostAnalyze
+			filePaths := []string{filePath}
+			if saved, ok := requiredByFilePatterns[a.Type()]; ok {
+				filePaths = append(filePaths, saved...)
+			}
+			requiredByFilePatterns[a.Type()] = filePaths
+		}
+		if a.Required(filePath, info) {
 			postAnalyzerTypes = append(postAnalyzerTypes, a.Type())
 		}
 	}
@@ -472,7 +483,8 @@ func (ag AnalyzerGroup) RequiredPostAnalyzers(filePath string, info os.FileInfo)
 // and passes it to the respective post-analyzer.
 // The obtained results are merged into the "result".
 // This function may be called concurrently and must be thread-safe.
-func (ag AnalyzerGroup) PostAnalyze(ctx context.Context, compositeFS *CompositeFS, result *AnalysisResult, opts AnalysisOptions) error {
+func (ag AnalyzerGroup) PostAnalyze(ctx context.Context, compositeFS *CompositeFS, result *AnalysisResult,
+	opts AnalysisOptions, requiredByFilePatterns map[Type][]string) error {
 	for _, a := range ag.postAnalyzers {
 		fsys, ok := compositeFS.Get(a.Type())
 		if !ok {
@@ -503,8 +515,9 @@ func (ag AnalyzerGroup) PostAnalyze(ctx context.Context, compositeFS *CompositeF
 		}
 
 		res, err := a.PostAnalyze(ctx, PostAnalysisInput{
-			FS:      filteredFS,
-			Options: opts,
+			FS:                           filteredFS,
+			Options:                      opts,
+			FilePathsMatchedFromPatterns: requiredByFilePatterns[a.Type()],
 		})
 		if err != nil {
 			return xerrors.Errorf("post analysis error: %w", err)

@@ -630,7 +630,7 @@ func TestAnalyzerGroup_PostAnalyze(t *testing.T) {
 
 			ctx := context.Background()
 			got := new(analyzer.AnalysisResult)
-			err = a.PostAnalyze(ctx, composite, got, analyzer.AnalysisOptions{})
+			err = a.PostAnalyze(ctx, composite, got, analyzer.AnalysisOptions{}, make(map[analyzer.Type][]string))
 			require.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})

@@ -45,7 +45,7 @@ func newConanLockAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, er
 
 func (a conanLockAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
 	required := func(filePath string, d fs.DirEntry) bool {
-		// we need all file got from `a.Required` function (conan.lock files) and from file-patterns.
+		// Parse all required files: `conan.lock` (from a.Required func) + input.FilePathsMatchedFromPatterns
 		return true
 	}
 

@@ -55,7 +55,8 @@ func (a pubSpecLockAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostA
 	}
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.PubSpecLock
+		// Parse all required files: `pubspec.lock` (from a.Required func) + input.FilePathsMatchedFromPatterns
+		return true
 	}
 
 	err = fsutils.WalkDir(input.FS, ".", required, func(path string, _ fs.DirEntry, r io.Reader) error {

@@ -59,9 +59,8 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos
 		a.logger.Debug("The nuget packages directory couldn't be found. License search disabled")
 	}
 
-	// We saved only config and lock files in the FS,
-	// so we need to parse all saved files
 	required := func(path string, d fs.DirEntry) bool {
+		// Parse all required files: `packages.lock.json`, `packages.config` (from a.Required func) + input.FilePathsMatchedFromPatterns
 		return true
 	}
 

@@ -68,7 +68,7 @@ func (a *gomodAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalys
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.GoMod
+		return filepath.Base(path) == types.GoMod || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, _ io.Reader) error {

@@ -49,7 +49,8 @@ func (a gradleLockAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAn
 	}
 
 	required := func(path string, d fs.DirEntry) bool {
-		return a.Required(path, nil)
+		// Parse all required files: `*gradle.lockfile` (from a.Required func) + input.FilePathsMatchedFromPatterns
+		return true
 	}
 
 	var apps []types.Application

@@ -54,7 +54,7 @@ func (a juliaAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysi
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.JuliaManifest
+		return filepath.Base(path) == types.JuliaManifest || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, r io.Reader) error {

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 
 	"golang.org/x/xerrors"
 
@@ -47,7 +48,7 @@ func newNpmLibraryAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, e
 func (a npmLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
 	// Parse package-lock.json
 	required := func(path string, _ fs.DirEntry) bool {
-		return filepath.Base(path) == types.NpmPkgLock
+		return filepath.Base(path) == types.NpmPkgLock || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	var apps []types.Application

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 
 	"golang.org/x/xerrors"
 
@@ -45,7 +46,7 @@ func (a pnpmAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysis
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.PnpmLock
+		return filepath.Base(path) == types.PnpmLock || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(filePath string, d fs.DirEntry, r io.Reader) error {

@@ -71,7 +71,7 @@ func (a yarnAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysis
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.YarnLock
+		return filepath.Base(path) == types.YarnLock || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(filePath string, d fs.DirEntry, r io.Reader) error {

@@ -47,7 +47,7 @@ func (a composerAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnal
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.ComposerLock
+		return filepath.Base(path) == types.ComposerLock || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, r io.Reader) error {

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"github.com/samber/lo"
@@ -63,7 +64,7 @@ func (a packagingAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAna
 	var apps []types.Application
 
 	required := func(path string, _ fs.DirEntry) bool {
-		return filepath.Base(path) == "METADATA" || isEggFile(path)
+		return filepath.Base(path) == "METADATA" || isEggFile(path) || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(filePath string, d fs.DirEntry, r io.Reader) error {

@@ -59,8 +59,8 @@ func (a pipLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAn
 		a.logger.Warn("Unable to find python `site-packages` directory. License detection is skipped.", log.Err(err))
 	}
 
-	// We only saved the `requirements.txt` files
 	required := func(_ string, _ fs.DirEntry) bool {
+		// Parse all required files: `conan.lock` (from a.Required func) + input.FilePathsMatchedFromPatterns
 		return true
 	}
 

@@ -7,6 +7,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
@@ -44,7 +45,7 @@ func (a poetryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalys
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.PoetryLock
+		return filepath.Base(path) == types.PoetryLock || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, r io.Reader) error {

@@ -57,7 +57,7 @@ func (a cargoAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysi
 	var apps []types.Application
 
 	required := func(path string, d fs.DirEntry) bool {
-		return filepath.Base(path) == types.CargoLock
+		return filepath.Base(path) == types.CargoLock || slices.Contains(input.FilePathsMatchedFromPatterns, path)
 	}
 
 	err := fsutils.WalkDir(input.FS, ".", required, func(filePath string, d fs.DirEntry, r io.Reader) error {

@@ -264,14 +264,16 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 	}
 	defer composite.Cleanup()
 
+	// Files required by file patterns grouped by analyzer types
+	requiredByFilePatterns := make(map[analyzer.Type][]string)
 	// Walk a tar layer
 	opqDirs, whFiles, err := a.walker.Walk(rc, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		if err = a.analyzer.AnalyzeFile(ctx, &wg, limit, result, "", filePath, info, opener, disabled, opts); err != nil {
 			return xerrors.Errorf("failed to analyze %s: %w", filePath, err)
 		}
 
 		// Skip post analysis if the file is not required
-		analyzerTypes := a.analyzer.RequiredPostAnalyzers(filePath, info)
+		analyzerTypes := a.analyzer.RequiredPostAnalyzers(filePath, info, requiredByFilePatterns)
 		if len(analyzerTypes) == 0 {
 			return nil
 		}
@@ -295,7 +297,7 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 	wg.Wait()
 
 	// Post-analysis
-	if err = a.analyzer.PostAnalyze(ctx, composite, result, opts); err != nil {
+	if err = a.analyzer.PostAnalyze(ctx, composite, result, opts, requiredByFilePatterns); err != nil {
 		return types.BlobInfo{}, xerrors.Errorf("post analysis error: %w", err)
 	}
 

@@ -83,6 +83,9 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) {
 		return artifact.Reference{}, xerrors.Errorf("failed to prepare filesystem for post analysis: %w", err)
 	}
 
+	// Files required by file patterns grouped by analyzer types
+	requiredByFilePatterns := make(map[analyzer.Type][]string)
+
 	err = a.walker.Walk(a.rootPath, a.artifactOption.WalkerOption, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		dir := a.rootPath
 
@@ -97,7 +100,7 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) {
 		}
 
 		// Skip post analysis if the file is not required
-		analyzerTypes := a.analyzer.RequiredPostAnalyzers(filePath, info)
+		analyzerTypes := a.analyzer.RequiredPostAnalyzers(filePath, info, requiredByFilePatterns)
 		if len(analyzerTypes) == 0 {
 			return nil
 		}
@@ -117,7 +120,7 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) {
 	wg.Wait()
 
 	// Post-analysis
-	if err = a.analyzer.PostAnalyze(ctx, composite, result, opts); err != nil {
+	if err = a.analyzer.PostAnalyze(ctx, composite, result, opts, requiredByFilePatterns); err != nil {
 		return artifact.Reference{}, xerrors.Errorf("post analysis error: %w", err)
 	}