feat(misconf): render causes for Terraform (#8360)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

docs/docs/references/configuration/cli/trivy_config.md

@@ -45,6 +45,7 @@ trivy config [flags] DIR
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --skip-check-update                 skip fetching rego check updates

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -78,6 +78,7 @@ trivy filesystem [flags] PATH
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])

docs/docs/references/configuration/cli/trivy_image.md

@@ -100,6 +100,7 @@ trivy image [flags] IMAGE_NAME
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a format for the compliance report. (all,summary) (default "summary")
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -94,6 +94,7 @@ trivy kubernetes [flags] [CONTEXT]
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --report string                     specify a report format for the output (all,summary) (default "all")
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])

docs/docs/references/configuration/cli/trivy_repository.md

@@ -77,6 +77,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -80,6 +80,7 @@ trivy rootfs [flags] ROOTDIR
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_vm.md

@@ -69,6 +69,7 @@ trivy vm [flags] VM_IMAGE
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (terraform)
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/config-file.md

@@ -409,6 +409,9 @@ misconfiguration:
   # Same as '--include-non-failures'
   include-non-failures: false
 
+  # Same as '--render-cause'
+  render-cause: []
+
   # Same as '--misconfig-scanners'
   scanners:
    - azure-arm

pkg/compliance/report/testdata/all.json

@@ -23,7 +23,8 @@
               "CauseMetadata": {
                 "Code": {
                   "Lines": null
-                }
+                },
+                "RenderedCause": {}
               }
             }
           ]
@@ -46,7 +47,8 @@
               "CauseMetadata": {
                 "Code": {
                   "Lines": null
-                }
+                },
+                "RenderedCause": {}
               }
             }
           ]

pkg/fanal/types/misconf.go

@@ -30,13 +30,14 @@ type MisconfResult struct {
 type MisconfResults []MisconfResult
 
 type CauseMetadata struct {
-	Resource    string       `json:",omitempty"`
-	Provider    string       `json:",omitempty"`
-	Service     string       `json:",omitempty"`
-	StartLine   int          `json:",omitempty"`
-	EndLine     int          `json:",omitempty"`
-	Code        Code         `json:",omitempty"`
-	Occurrences []Occurrence `json:",omitempty"`
+	Resource      string        `json:",omitempty"`
+	Provider      string        `json:",omitempty"`
+	Service       string        `json:",omitempty"`
+	StartLine     int           `json:",omitempty"`
+	EndLine       int           `json:",omitempty"`
+	Code          Code          `json:",omitempty"`
+	Occurrences   []Occurrence  `json:",omitempty"`
+	RenderedCause RenderedCause `json:",omitempty"`
 }
 
 type Occurrence struct {
@@ -45,6 +46,11 @@ type Occurrence struct {
 	Location Location
 }
 
+type RenderedCause struct {
+	Raw         string `json:",omitempty"`
+	Highlighted string `json:",omitempty"`
+}
+
 type Code struct {
 	Lines []Line
 }

pkg/flag/misconf_flags.go

@@ -6,6 +6,7 @@ import (
 	"github.com/samber/lo"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/policy"
 	xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
 )
@@ -108,6 +109,13 @@ var (
 		ConfigName: "misconfiguration.config-file-schemas",
 		Usage:      "specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking",
 	}
+	RenderCauseFlag = Flag[[]string]{
+		Name:       "render-cause",
+		ConfigName: "misconfiguration.render-cause",
+		Usage:      "specify configuration types for which the rendered causes will be shown in the table report",
+		Values:     xstrings.ToStringSlice([]types.ConfigType{types.Terraform}), // TODO: add Plan and JSON?
+		Default:    []string{},
+	}
 )
 
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
@@ -128,6 +136,7 @@ type MisconfFlagGroup struct {
 	TerraformExcludeDownloaded *Flag[bool]
 	MisconfigScanners          *Flag[[]string]
 	ConfigFileSchemas          *Flag[[]string]
+	RenderCause                *Flag[[]string]
 }
 
 type MisconfOptions struct {
@@ -147,6 +156,7 @@ type MisconfOptions struct {
 	TfExcludeDownloaded     bool
 	MisconfigScanners       []analyzer.Type
 	ConfigFileSchemas       []string
+	RenderCause             []types.ConfigType
 }
 
 func NewMisconfFlagGroup() *MisconfFlagGroup {
@@ -166,6 +176,7 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
 		TerraformExcludeDownloaded: TerraformExcludeDownloaded.Clone(),
 		MisconfigScanners:          MisconfigScannersFlag.Clone(),
 		ConfigFileSchemas:          ConfigFileSchemasFlag.Clone(),
+		RenderCause:                RenderCauseFlag.Clone(),
 	}
 }
 
@@ -189,6 +200,7 @@ func (f *MisconfFlagGroup) Flags() []Flagger {
 		f.CloudformationParamVars,
 		f.MisconfigScanners,
 		f.ConfigFileSchemas,
+		f.RenderCause,
 	}
 }
 
@@ -212,5 +224,6 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		TfExcludeDownloaded:     f.TerraformExcludeDownloaded.Value(),
 		MisconfigScanners:       xstrings.ToTSlice[analyzer.Type](f.MisconfigScanners.Value()),
 		ConfigFileSchemas:       f.ConfigFileSchemas.Value(),
+		RenderCause:             xstrings.ToTSlice[types.ConfigType](f.RenderCause.Value()),
 	}, nil
 }

pkg/iac/scan/code.go

@@ -78,8 +78,8 @@ func (c *Code) IsCauseMultiline() bool {
 }
 
 const (
-	darkTheme  = "solarized-dark256"
-	lightTheme = "github"
+	DarkTheme  = "solarized-dark256"
+	LightTheme = "github"
 )
 
 type codeSettings struct {
@@ -90,7 +90,7 @@ type codeSettings struct {
 }
 
 var defaultCodeSettings = codeSettings{
-	theme:              darkTheme,
+	theme:              DarkTheme,
 	allowTruncation:    true,
 	maxLines:           10,
 	includeHighlighted: true,
@@ -106,13 +106,13 @@ func OptionCodeWithTheme(theme string) CodeOption {
 
 func OptionCodeWithDarkTheme() CodeOption {
 	return func(s *codeSettings) {
-		s.theme = darkTheme
+		s.theme = DarkTheme
 	}
 }
 
 func OptionCodeWithLightTheme() CodeOption {
 	return func(s *codeSettings) {
-		s.theme = lightTheme
+		s.theme = LightTheme
 	}
 }
 

pkg/iac/scan/flat.go

@@ -22,6 +22,7 @@ type FlatResult struct {
 	Resource        string             `json:"resource"`
 	Occurrences     []Occurrence       `json:"occurrences,omitempty"`
 	Location        FlatRange          `json:"location"`
+	RenderedCause   RenderedCause      `json:"rendered_cause"`
 }
 
 type FlatRange struct {
@@ -68,5 +69,6 @@ func (r *Result) Flatten() FlatResult {
 			StartLine: rng.GetStartLine(),
 			EndLine:   rng.GetEndLine(),
 		},
+		RenderedCause: r.renderedCause,
 	}
 }

pkg/iac/scan/highlighting.go

@@ -41,12 +41,17 @@ func highlight(fsKey, filename string, startLine, endLine int, input, theme stri
 		return lines
 	}
 
-	lexer := lexers.Match(filename)
-	if lexer == nil {
-		lexer = lexers.Fallback
+	highlighted, ok := Highlight(filename, input, theme)
+	if !ok {
+		return nil
 	}
-	lexer = chroma.Coalesce(lexer)
 
+	lines := strings.Split(highlighted, "\n")
+	globalCache.Set(key, lines)
+	return lines
+}
+
+func Highlight(filename, input, theme string) (string, bool) {
 	style := styles.Get(theme)
 	if style == nil {
 		style = styles.Fallback
@@ -56,20 +61,23 @@ func highlight(fsKey, filename string, startLine, endLine int, input, theme stri
 		formatter = formatters.Fallback
 	}
 
+	lexer := lexers.Match(filename)
+	if lexer == nil {
+		lexer = lexers.Fallback
+	}
+	lexer = chroma.Coalesce(lexer)
+
 	iterator, err := lexer.Tokenise(nil, input)
 	if err != nil {
-		return nil
+		return "", false
 	}
 
 	var buffer bytes.Buffer
 	if err := formatter.Format(&buffer, style, iterator); err != nil {
-		return nil
+		return "", false
 	}
 
-	raw := shiftANSIOverLineEndings(buffer.Bytes())
-	lines := strings.Split(string(raw), "\n")
-	globalCache.Set(key, lines)
-	return lines
+	return string(shiftANSIOverLineEndings(buffer.Bytes())), true
 }
 
 func shiftANSIOverLineEndings(input []byte) []byte {

pkg/iac/scan/result.go

@@ -32,6 +32,7 @@ type Result struct {
 	regoRule         string
 	traces           []string
 	fsPath           string
+	renderedCause    RenderedCause
 }
 
 func (r Result) RegoNamespace() string {
@@ -101,6 +102,14 @@ func (r Result) Traces() []string {
 	return r.traces
 }
 
+type RenderedCause struct {
+	Raw string
+}
+
+func (r *Result) WithRenderedCause(cause RenderedCause) {
+	r.renderedCause = cause
+}
+
 func (r *Result) AbsolutePath(fsRoot string, metadata iacTypes.Metadata) string {
 	if strings.HasSuffix(fsRoot, ":") {
 		fsRoot += "/"