Filter out unsupported systems at runtime rather than compilation time for the /etc/passwd CIS checks' unit tests.

PiperOrigin-RevId: 652436006

Author: tooryx

detector/cis/generic_linux/etcpasswdpermissions/detector_dummy.go

@@ -19,6 +19,7 @@ package etcpasswdpermissions
 import (
 	"context"
 	"fmt"
+	"io/fs"
 
 	"github.com/google/osv-scalibr/detector"
 	"github.com/google/osv-scalibr/inventoryindex"
@@ -41,3 +42,8 @@ func (Detector) RequiredExtractors() []string { return []string{} }
 func (d Detector) Scan(ctx context.Context, scanRoot string, ix *inventoryindex.InventoryIndex) ([]*detector.Finding, error) {
 	return nil, fmt.Errorf("plugin only supported on Linux")
 }
+
+// ScanFS starts the scan from a pseudo-filesystem.
+func (Detector) ScanFS(ctx context.Context, fs fs.FS, ix *inventoryindex.InventoryIndex) ([]*detector.Finding, error) {
+	return nil, fmt.Errorf("plugin only supported on Linux")
+}

detector/cis/generic_linux/etcpasswdpermissions/detector_dummy_test.go

@@ -0,0 +1,36 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !linux
+
+package etcpasswdpermissions_test
+
+import (
+	"errors"
+	"io/fs"
+	"time"
+)
+
+func (f *fakeFS) Open(name string) (fs.File, error) { return nil, errors.New("unsupported system") }
+
+func (f *fakeFile) Stat() (fs.FileInfo, error) { return nil, errors.New("unsupported system") }
+func (fakeFile) Read([]byte) (int, error)      { return 0, errors.New("unsupported system") }
+func (fakeFile) Close() error                  { return nil }
+
+func (fakeFileInfo) Name() string         { return "unsupported" }
+func (fakeFileInfo) Size() int64          { return 0 }
+func (i *fakeFileInfo) Mode() fs.FileMode { return 0 }
+func (fakeFileInfo) ModTime() time.Time   { return time.Now() }
+func (i *fakeFileInfo) IsDir() bool       { return false }
+func (i *fakeFileInfo) Sys() any          { return nil }

detector/cis/generic_linux/etcpasswdpermissions/detector_linux_test.go

@@ -0,0 +1,48 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux
+
+package etcpasswdpermissions_test
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"syscall"
+	"time"
+)
+
+func (f *fakeFS) Open(name string) (fs.File, error) {
+	if name == "etc/passwd" {
+		if f.exists {
+			return &fakeFile{perms: f.perms, uid: f.uid, gid: f.gid}, nil
+		}
+		return nil, os.ErrNotExist
+	}
+	return nil, errors.New("failed to open")
+}
+
+func (f *fakeFile) Stat() (fs.FileInfo, error) {
+	return &fakeFileInfo{perms: f.perms, uid: f.uid, gid: f.gid}, nil
+}
+func (fakeFile) Read([]byte) (int, error) { return 0, errors.New("failed to read") }
+func (fakeFile) Close() error             { return nil }
+
+func (fakeFileInfo) Name() string         { return "/etc/passwd" }
+func (fakeFileInfo) Size() int64          { return 1 }
+func (i *fakeFileInfo) Mode() fs.FileMode { return i.perms }
+func (fakeFileInfo) ModTime() time.Time   { return time.Now() }
+func (i *fakeFileInfo) IsDir() bool       { return false }
+func (i *fakeFileInfo) Sys() any          { return &syscall.Stat_t{Uid: i.uid, Gid: i.gid} }

detector/cis/generic_linux/etcpasswdpermissions/detector_test.go

@@ -12,18 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//go:build linux
-
 package etcpasswdpermissions_test
 
 import (
 	"context"
-	"errors"
 	"io/fs"
-	"os"
-	"syscall"
+	"runtime"
+	"slices"
 	"testing"
-	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -41,42 +37,23 @@ type fakeFS struct {
 	gid    uint32
 }
 
-func (f *fakeFS) Open(name string) (fs.File, error) {
-	if name == "etc/passwd" {
-		if f.exists {
-			return &fakeFile{perms: f.perms, uid: f.uid, gid: f.gid}, nil
-		}
-		return nil, os.ErrNotExist
-	}
-	return nil, errors.New("failed to open")
-}
-
 type fakeFile struct {
 	perms fs.FileMode
 	uid   uint32
 	gid   uint32
 }
 
-func (f *fakeFile) Stat() (fs.FileInfo, error) {
-	return &fakeFileInfo{perms: f.perms, uid: f.uid, gid: f.gid}, nil
-}
-func (fakeFile) Read([]byte) (int, error) { return 0, errors.New("failed to read") }
-func (fakeFile) Close() error             { return nil }
-
 type fakeFileInfo struct {
 	perms fs.FileMode
 	uid   uint32
 	gid   uint32
 }
 
-func (fakeFileInfo) Name() string         { return "/etc/passwd" }
-func (fakeFileInfo) Size() int64          { return 1 }
-func (i *fakeFileInfo) Mode() fs.FileMode { return i.perms }
-func (fakeFileInfo) ModTime() time.Time   { return time.Now() }
-func (i *fakeFileInfo) IsDir() bool       { return false }
-func (i *fakeFileInfo) Sys() any          { return &syscall.Stat_t{Uid: i.uid, Gid: i.gid} }
-
 func TestScan(t *testing.T) {
+	if !slices.Contains([]string{"linux"}, runtime.GOOS) {
+		t.Skipf("Skipping test for unsupported OS %q", runtime.GOOS)
+	}
+
 	wantTitle := "Ensure permissions on /etc/passwd are configured"
 	wantDesc := "The /etc/passwd file contains user account information that " +
 		"is used by many system utilities and therefore must be readable for these " +