Merge pull request #1 from stackrox/multiple-validations-per-binary

Multiple validations per binary

internal/scan/scan.go

@@ -457,14 +457,16 @@ func walkDirScan(ctx context.Context, cfg *types.Config, tag *v1.TagReference, c
 			klog.V(1).InfoS("scanning success", "image", getImage(res), "path", innerPath, "status", "success")
 		} else {
 			status := res.Status()
-			klog.InfoS("scanning "+status,
-				"image", getImage(res),
-				"path", innerPath,
-				"error", res.Error.Error,
-				"component", getComponent(res),
-				"tag", getTag(res),
-				"rpm", res.RPM,
-				"status", status)
+			for _, err := range res.Errors {
+				klog.InfoS("scanning "+status,
+					"image", getImage(res),
+					"path", innerPath,
+					"error", err.Error,
+					"component", getComponent(res),
+					"tag", getTag(res),
+					"rpm", res.RPM,
+					"status", status)
+			}
 		}
 		results.Append(res)
 		return nil

internal/types/errors.go

@@ -21,4 +21,5 @@ var (
 	ErrOSNotCertified              = errors.New("operating system is not FIPS certified")
 	ErrDistributionFileMissing     = errors.New("could not find distribution file")
 	ErrCertifiedDistributionsEmpty = errors.New("certified_distributions is empty, consider using -V [VERSION] for check-payload")
+	ErrDetectedExcludedModule      = errors.New("detected a library that is incompatible with FIPS, check to make sure it is not performing any cryptographic operations")
 )

internal/types/types.go

@@ -75,6 +75,7 @@ type ScanResult struct {
 	Path      string
 	Skip      bool
 	Error     *ValidationError
+	Errors    []*ValidationError
 }
 
 type ScanResults struct {

internal/types/types_scan_result.go

@@ -73,7 +73,12 @@ func (r *ScanResult) SetOS(info OSInfo) *ScanResult {
 }
 
 func (r *ScanResult) SetValidationError(err *ValidationError) *ScanResult {
-	r.Error = err
+	if r.Error != nil {
+		r.Errors = append(r.Errors, err)
+	} else {
+		r.Error = err
+		r.Errors = append(r.Errors, err)
+	}
 	return r
 }
 

internal/validations/validations.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -73,6 +74,7 @@ var validationFns = map[string][]ValidationFn{
 		validateGoStatic,
 		validateGoOpenssl,
 		validateGoTagsAndExperiment,
+		validateExcludedCryptoModules,
 	},
 	"exe": {
 		validateNotStatic,
@@ -295,6 +297,29 @@ func validateNotStatic(_ context.Context, _ string, baton *Baton) *types.Validat
 	return types.NewValidationError(types.ErrNotDynLinked)
 }
 
+func validateExcludedCryptoModules(ctx context.Context, path string, baton *Baton) *types.ValidationError {
+	var symbols bytes.Buffer
+	cmd := exec.CommandContext(ctx, "nm", "-j", path)
+	cmd.Stdout = &symbols
+	if err := cmd.Run(); err != nil {
+		return types.NewValidationError(err)
+	}
+
+	// Make this more flexible by deriving the excluded modules from
+	// configuration.
+	excluded := []byte("golang.org/x/crypto")
+	symtable, err := golang.ReadTable(path, baton.GoBuildInfo)
+	if err != nil {
+		return types.NewValidationError(fmt.Errorf("go: could not read table for %v: %w", filepath.Base(path), err))
+	}
+	for _, f := range symtable.Funcs {
+		if strings.Contains(f.Name, string(excluded)) {
+			return types.NewValidationError(types.ErrDetectedExcludedModule).SetWarning()
+		}
+	}
+	return nil
+}
+
 func isGoExecutable(path string, baton *Baton) (bool, error) {
 	bi, err := buildinfo.ReadFile(path)
 	if err != nil {
@@ -393,6 +418,7 @@ checks:
 			// See if the error is to be ignored.
 			for _, list := range errIgnores {
 				if list.Ignore(innerPath, err.Error) {
+					klog.Info("ignoring %s for ", err.Error, innerPath)
 					continue checks
 				}
 			}
@@ -414,10 +440,12 @@ checks:
 					}
 				}
 			}
-			return res.SetValidationError(err)
+			res.SetValidationError(err)
 		}
 	}
-
+	if res.Error != nil {
+		return res
+	}
 	return res.Success()
 }