add an option to follow soft links #4505
Replies: 3 comments
Following symlinks leads to duplicated results if the actual entity is in the scanning directory.
@knqyf263 you are right, but maybe we can add a verification that the actual entry is not in the results and add it. See this example: trivy rootfs --vuln-type library --list-all-pkgs -o res.json -f json --scanners vuln . We will have this: this can lead to a huge result JSON in case the same jar file exists in tens/hundreds of directories... Anyway... I suggest adding following symlinks as an option and not the default behavior :-)
also possibly addresses this concern: https://github.com/bgeesaman/malicious-compliance/blob/main/demo/demo3.gif
Description
Add an option in rootfs/fs to allow following soft links... This will help in scanning files that are found outside the root and have a link inside the root...
It does not work in the latest version, and it is easy to reproduce.
Scanning a dir with a jar finds the file and scans it:
trivy rootfs --vuln-type library --list-all-pkgs -o res.json -f json --scanners vuln /tmp/jar_file
2023-05-30T19:08:27.364+0300 INFO Vulnerability scanning is enabled
2023-05-30T19:08:27.365+0300 INFO JAR files found
2023-05-30T19:08:27.365+0300 INFO Analyzing JAR files takes a while...
2023-05-30T19:08:27.771+0300 INFO Number of language-specific files: 1
2023-05-30T19:08:27.771+0300 INFO Detecting jar vulnerabilities...
Scanning a dir with a link does not find the file:
ls -ltr /tmp/jar_link
lrwxr-xr-x 1 wagdezabit wheel 19 May 30 19:07 a.jar -> /tmp/jar_file/a.jar
trivy rootfs --vuln-type library --list-all-pkgs -o res.json -f json --scanners vuln /tmp/jar_link
2023-05-30T19:09:48.244+0300 INFO Vulnerability scanning is enabled
2023-05-30T19:09:48.252+0300 INFO Number of language-specific files: 0
Target: Filesystem
Scanner: Vulnerability
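As an added illustration of the option proposed in this thread (example code, not Trivy's own implementation): a Go walker that skips symlinks by default and, when asked to follow them, resolves every path with filepath.EvalSymlinks and reports each real file only once, so a link to a file that is also inside the root, or many links to the same jar, do not duplicate results. Links to directories are not descended; the function name and ScanTarget type are assumptions for this example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
)

// ScanTarget is one regular file that would be handed to the analyzers.
type ScanTarget struct {
	Path     string // path as encountered under the scan root
	RealPath string // path after resolving every symlink component
}

// CollectFiles walks root. With followLinks=false, symlinked entries are
// skipped, which matches the behaviour reported in the thread. With
// followLinks=true, each link is resolved, but a real file is reported
// only once even when many links point at it, so following links does
// not inflate the result set. Links to directories are not descended.
func CollectFiles(root string, followLinks bool) ([]ScanTarget, error) {
	seen := map[string]bool{}
	var out []ScanTarget
	walk := func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink != 0 && !followLinks {
			return nil
		}
		// Resolve the whole path so the same file is always keyed identically,
		// whether it is reached directly or through a link.
		real, err := filepath.EvalSymlinks(p)
		if err != nil {
			return nil // dangling link: nothing to scan
		}
		if info, err := os.Stat(real); err != nil || !info.Mode().IsRegular() {
			return nil
		}
		if seen[real] {
			return nil // duplicate: already reported via another path
		}
		seen[real] = true
		out = append(out, ScanTarget{Path: p, RealPath: real})
		return nil
	}
	err := filepath.WalkDir(root, walk)
	return out, err
}
```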