feat(fs): optimize scanning performance by direct file access for known paths (#8525)

Author: knqyf263

docs/docs/target/rootfs.md

@@ -13,3 +13,16 @@ $ trivy rootfs /path/to/rootfs
     Rootfs scanning works differently from the Filesystem scanning.
     You should use `trivy fs` to scan your local projects in CI/CD.
     See [here](../scanner/vulnerability.md) for the differences.
+
+## Performance Optimization
+
+By default, Trivy traverses all files from the specified root directory to find target files for scanning.
+However, when you only need to scan specific files with absolute paths, you can avoid this traversal, which makes scanning faster.
+For example, when scanning only OS packages, no full traversal is performed:
+
+```bash
+$ trivy rootfs --pkg-types os --scanners vuln /
+```
+
+When scanning language-specific packages or secrets, traversal is necessary because the location of these files is unknown.
+If you want to exclude specific directories from scanning for better performance, you can use the [--skip-dirs](../configuration/skipping.md) option.

pkg/fanal/analyzer/analyzer.go

@@ -118,6 +118,13 @@ type CustomGroup interface {
 	Group() Group
 }
 
+// StaticPathAnalyzer is an interface for analyzers that can specify static file paths
+// instead of traversing the entire filesystem.
+type StaticPathAnalyzer interface {
+	// StaticPaths returns a list of static file paths to analyze
+	StaticPaths() []string
+}
+
 type Opener func() (xio.ReadSeekCloserAt, error)
 
 type AnalyzerGroup struct {
@@ -527,3 +534,28 @@ func (ag AnalyzerGroup) filePatternMatch(analyzerType Type, filePath string) boo
 	}
 	return false
 }
+
+// StaticPaths collects static paths from all enabled analyzers
+// It returns the collected paths and a boolean indicating if all enabled analyzers implement StaticPathAnalyzer
+func (ag AnalyzerGroup) StaticPaths(disabled []Type) ([]string, bool) {
+	var paths []string
+
+	for _, a := range ag.analyzers {
+		// Skip disabled analyzers
+		if slices.Contains(disabled, a.Type()) {
+			continue
+		}
+
+		// If any analyzer doesn't implement StaticPathAnalyzer, return false
+		staticPathAnalyzer, ok := a.(StaticPathAnalyzer)
+		if !ok {
+			return nil, false
+		}
+
+		// Collect paths from StaticPathAnalyzer
+		paths = append(paths, staticPathAnalyzer.StaticPaths()...)
+	}
+
+	// Remove duplicates
+	return lo.Uniq(paths), true
+}

pkg/fanal/analyzer/buildinfo/content_manifest.go

@@ -63,3 +63,7 @@ func (a contentManifestAnalyzer) Type() analyzer.Type {
 func (a contentManifestAnalyzer) Version() int {
 	return contentManifestAnalyzerVersion
 }
+
+func (a contentManifestAnalyzer) StaticPaths() []string {
+	return contentSetsDirs.Items()
+}

pkg/fanal/analyzer/buildinfo/dockerfile.go

@@ -157,3 +157,7 @@ func setKVValue(kvpo instructions.KeyValuePairOptional, values map[string]string
 	}
 	return kvpo
 }
+
+func (a dockerfileAnalyzer) StaticPaths() []string {
+	return []string{"root/buildinfo"}
+}

pkg/fanal/analyzer/const.go

@@ -178,6 +178,7 @@ var (
 		TypeGemSpec,
 		TypeCargo,
 		TypeComposer,
+		TypeComposerVendor,
 		TypeJar,
 		TypePom,
 		TypeGradleLock,
@@ -192,6 +193,7 @@ var (
 		TypeCondaPkg,
 		TypeCondaEnv,
 		TypePythonPkg,
+		TypePythonPkgEgg,
 		TypePip,
 		TypePipenv,
 		TypePoetry,
@@ -205,6 +207,7 @@ var (
 		TypePubSpecLock,
 		TypeMixLock,
 		TypeJulia,
+		TypeSBOM,
 	}
 
 	// TypeLockfiles has all lock file analyzers

pkg/fanal/analyzer/os/alpine/alpine.go

@@ -48,3 +48,8 @@ func (a alpineOSAnalyzer) Type() analyzer.Type {
 func (a alpineOSAnalyzer) Version() int {
 	return version
 }
+
+// StaticPaths returns the static paths of the alpine analyzer
+func (a alpineOSAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}

pkg/fanal/analyzer/os/amazonlinux/amazonlinux.go

@@ -73,3 +73,8 @@ func (a amazonlinuxOSAnalyzer) Type() analyzer.Type {
 func (a amazonlinuxOSAnalyzer) Version() int {
 	return version
 }
+
+// StaticPaths returns the static paths of the amazonlinux analyzer
+func (a amazonlinuxOSAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}

pkg/fanal/analyzer/os/debian/debian.go

@@ -48,3 +48,8 @@ func (a debianOSAnalyzer) Type() analyzer.Type {
 func (a debianOSAnalyzer) Version() int {
 	return version
 }
+
+// StaticPaths returns the static paths of the debian analyzer
+func (a debianOSAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}

pkg/fanal/analyzer/os/redhatbase/alma.go

@@ -60,3 +60,8 @@ func (a almaOSAnalyzer) Type() analyzer.Type {
 func (a almaOSAnalyzer) Version() int {
 	return almaAnalyzerVersion
 }
+
+// StaticPaths returns the static paths of the alma analyzer
+func (a almaOSAnalyzer) StaticPaths() []string {
+	return a.requiredFiles()
+}

pkg/fanal/analyzer/os/redhatbase/centos.go

@@ -60,3 +60,8 @@ func (a centOSAnalyzer) Type() analyzer.Type {
 func (a centOSAnalyzer) Version() int {
 	return centosAnalyzerVersion
 }
+
+// StaticPaths returns the static paths of the centos analyzer
+func (a centOSAnalyzer) StaticPaths() []string {
+	return a.requiredFiles()
+}

pkg/fanal/analyzer/os/redhatbase/fedora.go

@@ -62,3 +62,8 @@ func (a fedoraOSAnalyzer) Type() analyzer.Type {
 func (a fedoraOSAnalyzer) Version() int {
 	return fedoraAnalyzerVersion
 }
+
+// StaticPaths returns the static paths of the fedora analyzer
+func (a fedoraOSAnalyzer) StaticPaths() []string {
+	return a.requiredFiles()
+}

pkg/fanal/analyzer/os/redhatbase/oracle.go

@@ -56,3 +56,8 @@ func (a oracleOSAnalyzer) Type() analyzer.Type {
 func (a oracleOSAnalyzer) Version() int {
 	return oracleAnalyzerVersion
 }
+
+// StaticPaths returns the static paths of the oracle analyzer
+func (a oracleOSAnalyzer) StaticPaths() []string {
+	return a.requiredFiles()
+}

pkg/fanal/analyzer/os/redhatbase/redhatbase.go

@@ -97,3 +97,8 @@ func (a redhatOSAnalyzer) Type() analyzer.Type {
 func (a redhatOSAnalyzer) Version() int {
 	return redhatAnalyzerVersion
 }
+
+// StaticPaths returns the static paths of the redhatbase analyzer
+func (a redhatOSAnalyzer) StaticPaths() []string {
+	return a.requiredFiles()
+}

pkg/fanal/analyzer/os/redhatbase/rocky.go

@@ -60,3 +60,8 @@ func (a rockyOSAnalyzer) Type() analyzer.Type {
 func (a rockyOSAnalyzer) Version() int {
 	return rockyAnalyzerVersion
 }
+
+// StaticPaths returns the static paths of the rocky analyzer
+func (a rockyOSAnalyzer) StaticPaths() []string {
+	return a.requiredFiles()
+}

pkg/fanal/analyzer/os/release/release.go

@@ -96,3 +96,8 @@ func (a osReleaseAnalyzer) Type() analyzer.Type {
 func (a osReleaseAnalyzer) Version() int {
 	return version
 }
+
+// StaticPaths returns the static paths of the os-release analyzer
+func (a osReleaseAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}

pkg/fanal/analyzer/os/ubuntu/esm.go

@@ -59,6 +59,11 @@ func (a ubuntuESMAnalyzer) Version() int {
 	return ESMAnalyzerVersion
 }
 
+// StaticPaths returns the static paths of the ubuntu ESM analyzer
+func (a ubuntuESMAnalyzer) StaticPaths() []string {
+	return ESMRequiredFiles
+}
+
 // structs to parse ESM status
 type status struct {
 	Services []service `json:"services"`

pkg/fanal/analyzer/os/ubuntu/ubuntu.go

@@ -62,3 +62,8 @@ func (a ubuntuOSAnalyzer) Type() analyzer.Type {
 func (a ubuntuOSAnalyzer) Version() int {
 	return version
 }
+
+// StaticPaths returns the static paths of the ubuntu analyzer
+func (a ubuntuOSAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}

pkg/fanal/analyzer/pkg/apk/apk.go

@@ -209,6 +209,11 @@ func (a alpinePkgAnalyzer) Version() int {
 	return analyzerVersion
 }
 
+// StaticPaths returns a list of static file paths to analyze
+func (a alpinePkgAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}
+
 // decodeChecksumLine decodes checksum line
 func (a alpinePkgAnalyzer) decodeChecksumLine(ctx context.Context, line string) digest.Digest {
 	if len(line) < 2 {

pkg/fanal/analyzer/pkg/dpkg/copyright.go

@@ -149,3 +149,7 @@ func normalizeLicense(s string) string {
 
 	return strings.TrimSpace(s)
 }
+
+func (a *dpkgLicenseAnalyzer) StaticPaths() []string {
+	return []string{"usr/share/doc/"}
+}

pkg/fanal/analyzer/pkg/dpkg/dpkg.go

@@ -372,3 +372,13 @@ func (a dpkgAnalyzer) Type() analyzer.Type {
 func (a dpkgAnalyzer) Version() int {
 	return analyzerVersion
 }
+
+// StaticPaths returns a list of static file paths to analyze
+func (a dpkgAnalyzer) StaticPaths() []string {
+	return []string{
+		statusFile,
+		availableFile,
+		statusDir,
+		infoDir,
+	}
+}

pkg/fanal/analyzer/pkg/rpm/rpm.go

@@ -208,6 +208,11 @@ func (a rpmPkgAnalyzer) Version() int {
 	return version
 }
 
+// StaticPaths returns a list of static file paths to analyze
+func (a rpmPkgAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}
+
 // splitFileName returns a name, version, release, epoch, arch:
 //
 //	e.g.

pkg/fanal/analyzer/pkg/rpm/rpmqa.go

@@ -92,3 +92,7 @@ func (a rpmqaPkgAnalyzer) Type() analyzer.Type {
 func (a rpmqaPkgAnalyzer) Version() int {
 	return versionRpmqa
 }
+
+func (a rpmqaPkgAnalyzer) StaticPaths() []string {
+	return requiredRpmqaFiles
+}

pkg/fanal/analyzer/repo/apk/apk.go

@@ -96,3 +96,7 @@ func (a apkRepoAnalyzer) Type() analyzer.Type {
 func (a apkRepoAnalyzer) Version() int {
 	return version
 }
+
+func (a apkRepoAnalyzer) StaticPaths() []string {
+	return requiredFiles
+}