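#!/bin/sh
#
# Run a Trivy filesystem scan and report what changed since the previous run.
#
# Environment (all optional):
#   TIMEOUT         value for trivy --timeout (default 120m)
#   SCANNERS        value for trivy --scanners (default vuln,misconfig,secret)
#   IGNORE_UNFIXED  "true" to pass --ignore-unfixed (default false)
#   LOW_PRIORITY    "true" to run trivy under nice -n 19 (default true)
#   LOG_DIR         directory holding the scan logs (default /var/log/trivy)
#   SCAN_TARGET     filesystem path handed to trivy (default /mnt)
#
# Files under LOG_DIR:
#   trivy_scan.log            output of the current scan
#   previous_scan.log         output of the last scan that completed
#   scandiff.YYYY.MM.DD.log   diff of the two, or the whole log on a first run
#
# Exit status: trivy's exit status if the scan fails, otherwise compare_scans'.
# NOTE: trivy exits non-zero on errors and timeouts, not on findings (unless
# --exit-code is set), so a non-zero status here means "no usable scan".

set -u

TIMEOUT=${TIMEOUT:-120m}
SCANNERS=${SCANNERS:-vuln,misconfig,secret}
IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
LOW_PRIORITY=${LOW_PRIORITY:-true}
LOG_DIR=${LOG_DIR:-/var/log/trivy}
SCAN_TARGET=${SCAN_TARGET:-/mnt}

# The log paths are needed by run_scan AND compare_scans, so they are defined
# once, up front. (Previously CURRENT_LOG was only assigned inside
# compare_scans, which runs after run_scan, so trivy's stdout was redirected
# to an empty filename and the scan log was never written.)
# SCAN_DATE is also computed once so every function refers to the same diff file.
PREVIOUS_LOG="$LOG_DIR/previous_scan.log"
CURRENT_LOG="$LOG_DIR/trivy_scan.log"
SCAN_DATE=$(date +%Y.%m.%d)
DIFF_LOG="$LOG_DIR/scandiff.$SCAN_DATE.log"

# The secret scanner's findings (and their diff) land in these logs, so make
# sure files created by this script are not readable by other users.
umask 077

#######################################
# Print the diff log when differences were detected.
# Arguments: $1 - "true" if differences exist, anything else otherwise
#            $2 - path of the diff log (optional; defaults to $DIFF_LOG)
# Outputs:   the diff log, or a "nothing to report" line, on stdout
#######################################
report_scan_results() {
  is_diff=$1
  diff_file=${2:-$DIFF_LOG}
  if [ "$is_diff" = true ]; then
    echo "Scan differences detected:"
    cat "$diff_file"
  else
    echo "No differences to report."
  fi
}

#######################################
# Compare the current scan log with the previous one, write the diff to
# $DIFF_LOG, report it, and archive the current log as the new baseline.
# Globals:   PREVIOUS_LOG, CURRENT_LOG, DIFF_LOG (read)
# Returns:   0 on success; 1 if the current log is missing or diff itself failed
#######################################
compare_scans() {
  echo "Comparing scans..."
  if [ ! -f "$CURRENT_LOG" ]; then
    echo "Current scan log $CURRENT_LOG is missing; nothing to compare." >&2
    return 1
  fi
  if [ -f "$PREVIOUS_LOG" ]; then
    echo "Previous scan log found. Comparing with current scan..."
    diff "$PREVIOUS_LOG" "$CURRENT_LOG" > "$DIFF_LOG"
    # diff: 0 = identical, 1 = differences, >1 = diff itself had trouble.
    # Only 0 and 1 are answers; anything else must not be reported as "changed".
    case $? in
      0)
        echo "No differences found between scans."
        report_scan_results false "$DIFF_LOG"
        ;;
      1)
        echo "Differences found. Check $DIFF_LOG for more details."
        report_scan_results true "$DIFF_LOG"
        ;;
      *)
        echo "diff failed while comparing $PREVIOUS_LOG and $CURRENT_LOG." >&2
        return 1
        ;;
    esac
  else
    echo "No previous scan log found. Treating all findings as new."
    cp "$CURRENT_LOG" "$DIFF_LOG"
    report_scan_results true "$DIFF_LOG"
  fi
  # Archive current log as previous for next run
  cp "$CURRENT_LOG" "$PREVIOUS_LOG"
}

#######################################
# Run the Trivy filesystem scan, writing its stdout to $CURRENT_LOG.
# Globals:   TIMEOUT, SCANNERS, IGNORE_UNFIXED, LOW_PRIORITY, SCAN_TARGET,
#            CURRENT_LOG (read)
# Returns:   trivy's exit status
#######################################
run_scan() {
  # Build the argument list with the positional parameters instead of an
  # unquoted command substitution, so nothing is word-split or globbed.
  set -- filesystem --timeout "$TIMEOUT" --scanners "$SCANNERS"
  if [ "$IGNORE_UNFIXED" = "true" ]; then
    set -- "$@" --ignore-unfixed
  fi
  set -- "$@" "$SCAN_TARGET"
  if [ "$LOW_PRIORITY" = "true" ]; then
    echo "Running Trivy scan with low priority (nice 19)..."
    nice -n 19 trivy "$@" > "$CURRENT_LOG"
  else
    echo "Running Trivy scan..."
    trivy "$@" > "$CURRENT_LOG"
  fi
}

mkdir -p "$LOG_DIR" || exit 1

# Archive existing log for comparison
if [ -f "$CURRENT_LOG" ]; then
  mv "$CURRENT_LOG" "$PREVIOUS_LOG"
fi

run_scan
scan_rc=$?
if [ "$scan_rc" -ne 0 ]; then
  # A failed or timed-out scan leaves a partial log. Do not compare it, and do
  # not let it become the baseline: compare_scans copies the current log over
  # previous_scan.log unconditionally, which would hide regressions next run.
  echo "Trivy scan failed (exit $scan_rc); not comparing or archiving this run." >&2
  rm -f "$CURRENT_LOG"
  exit "$scan_rc"
fi

compare_scans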