feat: add virtual machine scan command (#2910)

Co-authored-by: knqyf263 <[email protected]>

Author: masahiro331

.github/workflows/semantic-pr.yaml

@@ -42,6 +42,7 @@ jobs:
             sbom
             server
             k8s
+            vm
 
             alpine
             redhat
@@ -66,7 +67,7 @@ jobs:
             go
             c
             c++
-            
+
             os
             lang
 
@@ -82,11 +83,11 @@ jobs:
 
             cli
             flag
-            
+
             cyclonedx
             spdx
 
             helm
             report
             db
-            deps
+            deps

.github/workflows/vm-test.yaml

@@ -0,0 +1,27 @@
+name: VM Test
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'pkg/fanal/vm/**'
+      - 'pkg/fanal/walker/vm.go'
+      - 'pkg/fanal/artifact/vm/**'
+      - 'integration/vm_test.go'
+  pull_request:
+
+jobs:
+  vm-test:
+    name: VM Integration Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - name: Run vm integration tests
+        run: |
+          make test-vm-integration

.gitignore

@@ -25,6 +25,7 @@ thumbs.db
 # test fixtures
 coverage.txt
 integration/testdata/fixtures/images
+integration/testdata/fixtures/vm-images
 
 # SBOMs generated during CI
 /bom.json
@@ -33,4 +34,4 @@ integration/testdata/fixtures/images
 dist
 
 # WebAssembly
-*.wasm
+*.wasm

Makefile

@@ -77,6 +77,15 @@ test-integration: integration/testdata/fixtures/images/*.tar.gz
 test-module-integration: integration/testdata/fixtures/images/*.tar.gz $(EXAMPLE_MODULES)
 	go test -v -tags=module_integration ./integration/...
 
+# Run VM integration tests
+.PHONY: test-vm-integration
+test-vm-integration: integration/testdata/fixtures/vm-images/*.img.gz
+	go test -v -tags=vm_integration ./integration/...
+
+integration/testdata/fixtures/vm-images/*.img.gz:
+	integration/scripts/download-vm-images.sh
+
+
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint
 	$(GOBIN)/golangci-lint run --timeout 5m
@@ -121,4 +130,4 @@ mkdocs-serve:
 # Generate JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
 .PHONY: easyjson
 easyjson: $(GOBIN)/easyjson
-	easyjson pkg/module/serialize/types.go
+	easyjson pkg/module/serialize/types.go

README.md

@@ -11,13 +11,15 @@
 [📖 Documentation][docs]
 </div>
 
-Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner. Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
+Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
+Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
 
 Targets (what Trivy can scan):
 
 - Container Image
 - Filesystem
-- Git repository (remote)
+- Git Repository (remote)
+- Virtual Machine Image
 - Kubernetes
 - AWS
 

docs/docs/index.md

@@ -45,7 +45,7 @@ This documentation details how to use Trivy to access the features listed below.
 
 Please see [LICENSE][license] for Trivy licensing information.
 
-[installation]: ../index.md
+[installation]: ../getting-started/installation.md
 [vuln]: ../docs/vulnerability/scanning/index.md
 [misconf]: ../docs/misconfiguration/scanning.md
 [kubernetesoperator]: ../docs/kubernetes/operator/index.md
@@ -63,7 +63,7 @@ Please see [LICENSE][license] for Trivy licensing information.
 [lang]: ../docs/vulnerability/detection/language.md
 
 [builtin]: ../docs/misconfiguration/policy/builtin.md
-[quickstart]: ../getting-started/quickstart.md
+[quickstart]: ../index.md
 [podman]: ../docs/advanced/container/podman.md
 
 [sbom]: ../docs/sbom/index.md

docs/docs/vm/aws.md

@@ -0,0 +1,70 @@
+# AWS EC2
+
+Trivy can scan the following targets in AWS EC2.
+
+- Amazon Machine Image (AMI)
+- Elastic Block Store (EBS) Snapshot
+
+## Amazon Machine Image (AMI)
+You can specify your AMI ID with the `ami:` prefix.
+
+```shell
+$ trivy vm ami:${your_ami_id}
+```
+
+!!! note
+    AMIs in the marketplace are not supported because the EBS direct APIs don't support that.
+    See [the AWS documentation][ebsapi-elements] for the detail.
+
+### Example
+
+```shell
+$ trivy vm --security-checks vuln ami:ami-0123456789abcdefg
+```
+
+!!! tip
+    The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+
+
+### Required Actions
+Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
+
+- ec2:DescribeImages
+- ebs:ListSnapshotBlocks
+- ebs:GetSnapshotBlock
+
+## Elastic Block Store (EBS) Snapshot
+You can specify your EBS snapshot ID with the `ebs:` prefix.
+
+```shell
+$ trivy vm ebs:${your_ebs_snapshot_id}
+```
+
+!!! note
+    Public snapshots are not supported because the EBS direct APIs don't support that.
+    See [the AWS documentation][ebsapi-elements] for the detail.
+
+### Example
+```shell
+$ trivy vm --security-checks vuln ebs:snap-0123456789abcdefg
+```
+
+!!! tip
+The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+
+The above command takes a while as it calls EBS API and fetches the EBS blocks.
+If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS.
+Then, Trivy can scan the local VM image file.
+
+```shell
+$ coldsnap download snap-0123456789abcdefg disk.img
+$ trivy vm ./disk.img
+```
+
+### Required Actions
+
+- ebs:ListSnapshotBlocks
+- ebs:GetSnapshotBlock
+
+[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
+[coldsnap]: https://github.com/awslabs/coldsnap

docs/docs/vm/index.md

@@ -0,0 +1,121 @@
+# Virtual Machine Image
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Scanning
+Trivy supports VM image scanning for vulnerabilities, secrets, etc.
+The following targets are currently supported:
+
+- Local file
+- [AWS EC2][aws]
+
+To scan VM images, you can use the `vm` subcommand.
+
+### Local file
+Pass the path to your local VM image file.
+
+```bash
+$ trivy vm --security-checks vuln disk.vmdk
+```
+
+<details>
+<summary>Result</summary>
+
+```
+disk.vmdk (amazon 2 (Karoo))
+===========================================================================================
+Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
+
+┌────────────────────────────┬────────────────┬──────────┬───────────────────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│          Library           │ Vulnerability  │ Severity │       Installed Version       │         Fixed Version         │                            Title                             │
+├────────────────────────────┼────────────────┼──────────┼───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ amazon-ssm-agent           │ CVE-2022-24675 │ HIGH     │ 3.0.529.0-1.amzn2             │ 3.1.1575.0-1.amzn2            │ golang: encoding/pem: fix stack overflow in Decode           │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2022-24675                   │
+├────────────────────────────┼────────────────┤          ├───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-export-libs           │ CVE-2021-25215 │          │ 32:9.11.4-26.P2.amzn2.4       │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-libs                  │ CVE-2021-25215 │ HIGH     │                               │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ bind-libs-lite             │ CVE-2021-25215 │ HIGH     │                               │ 32:9.11.4-26.P2.amzn2.5       │ bind: An assertion check can fail while answering queries    │
+│                            │                │          │                               │                               │ for DNAME records...                                         │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25215                   │
+│                            ├────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│                            │ CVE-2021-25214 │ MEDIUM   │                               │ 32:9.11.4-26.P2.amzn2.5.2     │ bind: Broken inbound incremental zone update (IXFR) can      │
+│                            │                │          │                               │                               │ cause named to terminate...                                  │
+│                            │                │          │                               │                               │ https://avd.aquasec.com/nvd/cve-2021-25214                   │
+├────────────────────────────┼────────────────┼──────────┤                               ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
+... 
+```
+
+</details>
+
+### AWS EC2
+
+See [here][aws] for the detail.
+
+## Supported architectures
+
+### Virtual machine images
+
+| Image format | Support |
+|--------------|:-------:|
+| VMDK         |    ✔    |
+| OVA          |         |
+| VHD          |         |
+| VHDX         |         |
+| QCOW2        |         |
+
+
+#### VMDK disk types
+
+| VMDK disk type              | Support |
+|-----------------------------|:-------:|
+| streamOptimized             |    ✔    |
+| monolithicSparse            |         |
+| vmfs                        |         |
+| vmfsSparse                  |         |
+| twoGbMaxExtentSparse        |         |
+| monolithicFlat              |         |
+| twoGbMaxExtentFlat          |         |
+| vmfsRaw                     |         |
+| fullDevice                  |         |
+| partitionedDevice           |         |
+| vmfsRawDeviceMap            |         |
+| vmfsPassthroughRawDeviceMap |         |
+
+Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
+
+
+### Disk partitions
+
+| Disk format                  | Support |
+|------------------------------|:-------:|
+| Master boot record (MBR)     |    ✔    |
+| Extended master boot record  |         |
+| GUID partition table (GPT)   |    ✔    |
+| Logical volume manager (LVM) |         |
+
+### Filesystems
+
+| Filesystem format | Support |
+|-------------------|:-------:|
+| XFS               |    ✔    |
+| EXT4              |    ✔    |
+| EXT2/3            |         |
+| ZFS               |         |
+
+[aws]: ./aws.md
+[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk

docs/docs/vulnerability/scanning/index.md

@@ -1,11 +1,9 @@
 # Vulnerability Scanning
 
-Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.
-
-![vulnerability][vuln]
+Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], [Virtual Machine Image][vm] and [Git Repositories][repo] to detect vulnerabilities.
 
 [image]: image.md
 [rootfs]: rootfs.md
 [fs]: filesystem.md
 [repo]: git-repository.md
-[vuln]: ../../../imgs/vulnerability.png
+[vm]: ../../vm/index.md

docs/imgs/vulnerability.png

@@ -22,7 +22,8 @@ Targets (what Trivy can scan):
 
 - Container Image
 - Filesystem
-- Git repository (remote)
+- Git Repository (remote)
+- Virtual Machine Image
 - Kubernetes
 - AWS
 
@@ -150,8 +151,8 @@ Trivy is an [Aqua Security][aquasec] open source project.
 Learn about our open source work and portfolio [here][oss].  
 Contact us about any matter by opening a GitHub Discussion [here][discussions]
 
-[Ecosystem]: ./ecosystem/overview
-[Installation]: getting-started/installation/
+[Ecosystem]: ./ecosystem/index.md
+[Installation]: getting-started/installation.md
 [pronunciation]: #how-to-pronounce-the-name-trivy
 
 [aquasec]: https://aquasec.com
@@ -160,4 +161,4 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 
 [Tutorials]: ./tutorials/overview
 [CLI]: ./docs
-[Contributing]: ./contributing/issue
+[Contributing]: ./community/contribute/issue