fix: check if trivy exist

Signed-off-by: Sertac Ozercan <[email protected]>

Author: sozercan

Dockerfile

@@ -66,7 +66,7 @@ ENTRYPOINT ["/remover"]
 
 FROM --platform=$TARGETPLATFORM gcr.io/distroless/static:latest as trivy-scanner
 COPY --from=trivy-scanner-build /workspace/out/trivy-scanner /
-COPY --from=trivy-binary /usr/local/bin/trivy /
+COPY --from=trivy-binary /usr/local/bin/trivy /trivy
 WORKDIR /var/lib/trivy
 ENTRYPOINT ["/trivy-scanner"]
 

docs/docs/trivy.md

@@ -3,4 +3,4 @@ title: Trivy
 ---
 
 ## Trivy Provider Options
-The Trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
+The Trivy provider is used in Eraser for image scanning and detecting vulnerabilities. The scanner will first look for the trivy executable at `/trivy` (the default path in the container), and if not found, will fall back to searching for `trivy` in the system PATH. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.

pkg/scanners/trivy/types.go

@@ -14,6 +14,10 @@ import (
 	"github.com/eraser-dev/eraser/pkg/utils"
 )
 
+// currentExecutingLookPath is a variable that points to exec.LookPath by default,
+// but can be overridden for testing purposes
+var currentExecutingLookPath = exec.LookPath
+
 const (
 	StatusFailed ScanStatus = iota
 	StatusNonCompliant
@@ -172,12 +176,33 @@ type ImageScanner struct {
 	timer  *time.Timer
 }
 
+func (s *ImageScanner) findTrivyExecutable() (string, error) {
+	// First, check if trivy exists at the hardcoded path
+	if _, err := os.Stat(trivyCommandName); err == nil {
+		return trivyCommandName, nil
+	}
+
+	// If not found at hardcoded path, try to find it in PATH
+	path, err := currentExecutingLookPath("trivy")
+	if err != nil {
+		return "", fmt.Errorf("trivy executable not found at %s and not found in PATH: %w", trivyCommandName, err)
+	}
+
+	return path, nil
+}
+
 func (s *ImageScanner) Scan(img unversioned.Image) (ScanStatus, error) {
 	refs := make([]string, 0, len(img.Names)+len(img.Digests))
 	refs = append(refs, img.Digests...)
 	refs = append(refs, img.Names...)
 	scanSucceeded := false
 
+	// Find trivy executable path
+	trivyPath, err := s.findTrivyExecutable()
+	if err != nil {
+		return StatusFailed, err
+	}
+
 	log.Info("scanning image with id", "imageID", img.ImageID, "refs", refs)
 	for i := 0; i < len(refs) && !scanSucceeded; i++ {
 		log.Info("scanning image with ref", "ref", refs[i])
@@ -186,13 +211,13 @@ func (s *ImageScanner) Scan(img unversioned.Image) (ScanStatus, error) {
 		stderr := new(bytes.Buffer)
 
 		cliArgs := s.config.cliArgs(refs[i])
-		cmd := exec.Command(trivyCommandName, cliArgs...)
+		cmd := exec.Command(trivyPath, cliArgs...)
 		cmd.Stdout = stdout
 		cmd.Stderr = stderr
 		cmd.Env = append(cmd.Env, os.Environ()...)
 		cmd.Env = setRuntimeSocketEnvVars(cmd, s.config.Runtime)
 
-		log.V(1).Info("scanning image ref", "ref", refs[i], "cli_invocation", fmt.Sprintf("%s %s", trivyCommandName, strings.Join(cliArgs, " ")), "env", cmd.Env)
+		log.V(1).Info("scanning image ref", "ref", refs[i], "cli_invocation", fmt.Sprintf("%s %s", trivyPath, strings.Join(cliArgs, " ")), "env", cmd.Env)
 		if err := cmd.Run(); err != nil {
 			log.Error(err, "error scanning image", "imageID", img.ImageID, "reference", refs[i], "stderr", stderr.String())
 			continue

pkg/scanners/trivy/types_test.go

@@ -4,16 +4,18 @@ import (
 	"strings"
 	"testing"
 
+	"errors"
+	"fmt"
+
 	"github.com/eraser-dev/eraser/api/unversioned"
+
+	"github.com/stretchr/testify/assert"
 )
 
 const ref = "image:tag"
 
 var testDuration = unversioned.Duration(100000000000)
 
-func init() {
-}
-
 func TestCLIArgs(t *testing.T) {
 	type testCell struct {
 		desc     string
@@ -168,3 +170,157 @@ func TestCLIArgs(t *testing.T) {
 		})
 	}
 }
+
+// TestImageScanner_findTrivyExecutable tests the findTrivyExecutable method in isolation.
+func TestImageScanner_findTrivyExecutable(t *testing.T) {
+	// Store original function to restore after tests
+	originalLookPath := currentExecutingLookPath
+	defer func() { currentExecutingLookPath = originalLookPath }()
+
+	scanner := &ImageScanner{}
+
+	testCases := []struct {
+		name               string
+		lookPathSetup      func()
+		expectedPath       string
+		expectedError      bool
+		expectedErrorMatch string
+	}{
+		{
+			name: "Trivy found in PATH only",
+			lookPathSetup: func() {
+				currentExecutingLookPath = func(file string) (string, error) {
+					if file == "trivy" {
+						return "/usr/bin/trivy", nil
+					}
+					return "", errors.New("not found")
+				}
+			},
+			expectedPath:  "/usr/bin/trivy",
+			expectedError: false,
+		},
+		{
+			name: "Trivy not found anywhere",
+			lookPathSetup: func() {
+				currentExecutingLookPath = func(file string) (string, error) {
+					return "", errors.New("executable file not found in $PATH")
+				}
+			},
+			expectedPath:       "",
+			expectedError:      true,
+			expectedErrorMatch: "trivy executable not found at /trivy and not found in PATH",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tc.lookPathSetup()
+
+			path, err := scanner.findTrivyExecutable()
+
+			if tc.expectedError {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tc.expectedErrorMatch)
+				assert.Empty(t, path)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tc.expectedPath, path)
+			}
+		})
+	}
+}
+
+// TestImageScanner_Scan_TrivyPathLookup tests the logic for finding the trivy executable.
+func TestImageScanner_Scan_TrivyPathLookup(t *testing.T) {
+	// Store original function to restore after tests
+	originalLookPath := currentExecutingLookPath
+	defer func() { currentExecutingLookPath = originalLookPath }()
+
+	// Base configuration for the scanner
+	baseConfig := DefaultConfig()
+	scanner := &ImageScanner{
+		config: *baseConfig,
+	}
+	// Dummy image for testing
+	img := unversioned.Image{ImageID: "test-image-id", Names: []string{"test-image:latest"}}
+
+	// Expected error message prefix when trivy is not found
+	expectedNotFoundErrorMsgPrefix := fmt.Sprintf("trivy executable not found at %s", trivyCommandName)
+
+	testCases := []struct {
+		name                     string
+		lookPathSetup            func() // Sets up the mock for exec.LookPath
+		expectedStatus           ScanStatus
+		expectNotFoundError      bool   // True if we expect the specific "trivy not found by LookPath" error
+		expectedErrorMsgContains string // The prefix for the "not found" error message
+	}{
+		{
+			name: "Trivy found at hardcoded path /trivy",
+			lookPathSetup: func() {
+				currentExecutingLookPath = func(file string) (string, error) {
+					if file == "trivy" {
+						return "/usr/bin/trivy", nil // Found in PATH
+					}
+					return originalLookPath(file) // Fallback for any other calls
+				}
+			},
+			// Scan will likely still fail due to inability to run actual scan in test,
+			// but it should not be the "trivy not found by LookPath" error.
+			expectedStatus:      StatusFailed,
+			expectNotFoundError: false,
+		},
+		{
+			name: "Trivy found in $PATH, not at /trivy",
+			lookPathSetup: func() {
+				currentExecutingLookPath = func(file string) (string, error) {
+					if file == "trivy" {
+						return "/usr/bin/trivy", nil // Found in $PATH
+					}
+					return originalLookPath(file)
+				}
+			},
+			expectedStatus:      StatusFailed, // Similar to above, subsequent scan steps will fail.
+			expectNotFoundError: false,
+		},
+		{
+			name: "Trivy not found anywhere",
+			lookPathSetup: func() {
+				currentExecutingLookPath = func(file string) (string, error) {
+					if file == "trivy" {
+						return "", errors.New("mock: trivy not in $PATH")
+					}
+					return originalLookPath(file)
+				}
+			},
+			expectedStatus:           StatusFailed,
+			expectNotFoundError:      true,
+			expectedErrorMsgContains: expectedNotFoundErrorMsgPrefix,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tc.lookPathSetup()
+
+			status, err := scanner.Scan(img)
+
+			if tc.expectNotFoundError {
+				assert.Error(t, err, "Expected an error when trivy is not found")
+				if err != nil { // Check prefix only if error is not nil
+					assert.True(t, strings.HasPrefix(err.Error(), tc.expectedErrorMsgContains),
+						"Error message should start with '%s'. Got: %s", tc.expectedErrorMsgContains, err.Error())
+				}
+				assert.Equal(t, tc.expectedStatus, status, "ScanStatus should be StatusFailed")
+			} else {
+				// If trivy was "found" by LookPath, any error should be from subsequent operations (e.g., cmd.Run, JSON unmarshal),
+				// not the specific "trivy executable not found by LookPath..." error.
+				if err != nil {
+					assert.False(t, strings.HasPrefix(err.Error(), expectedNotFoundErrorMsgPrefix),
+						"Error should not be the 'trivy not found by LookPath' error. Got: %s", err.Error())
+				}
+				// The status might still be StatusFailed due to these subsequent errors,
+				// which is acceptable for this test's focus on path lookup.
+			}
+		})
+	}
+}