diff --git a/go.mod b/go.mod
index 16b18bb21707..2e822a65563a 100644
--- a/go.mod
+++ b/go.mod
@@ -13,8 +13,8 @@ require (
 github.com/NYTimes/gziphandler v1.1.1
 github.com/alicebob/miniredis/v2 v2.30.4
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
- github.com/aquasecurity/defsec v0.90.3
- github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3
+ github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f
+ github.com/aquasecurity/go-dep-parser v0.0.0-20230627073354-fb7eb3159bd5
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
diff --git a/go.sum b/go.sum
index 0a372bcb91da..ead16ba94686 100644
--- a/go.sum
+++ b/go.sum
@@ -321,10 +321,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.90.3 h1:ZBPhzS5/+75SLGEZe6fWFyWEuNtibNc7CZZXl2yQhjw=
-github.com/aquasecurity/defsec v0.90.3/go.mod h1:VPkgjZz3dx3znIIVLZgbtFhSzN9aZC2409s5V5Oqb7o=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3 h1:btZmyXc4e4wDNBEI4guYzpCMeNPM0f8p0F/IzSsoP0M=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3/go.mod h1:Cl6aYro+Ddzh1MB451j/C6rvwKdn/Ifa7z98sFirJ9I=
+github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f h1:JQnhl5zK5cBJKPbCLdvK0ialSkwvp+z1B9rY61SRxNI=
+github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f/go.mod h1:VPkgjZz3dx3znIIVLZgbtFhSzN9aZC2409s5V5Oqb7o=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230627073354-fb7eb3159bd5 h1:FA5XM/KP1l+PYH+QafFzzBjdsT+WxWTWsYGPzKrMeAQ=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230627073354-fb7eb3159bd5/go.mod h1:VjG2wX19QDny5yKN+he0v9wuZjF0k+00173mh0FJCVU=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
diff --git a/pkg/cloud/aws/scanner/scanner.go b/pkg/cloud/aws/scanner/scanner.go
index a533a72552bc..f76ca5dde6ff 100644
--- a/pkg/cloud/aws/scanner/scanner.go
+++ b/pkg/cloud/aws/scanner/scanner.go
@@ -77,7 +77,8 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
 log.Logger.Debug("Policies successfully loaded from disk")
 policyPaths = append(policyPaths, downloadedPolicyPaths...)
 scannerOpts = append(scannerOpts,
- options.ScannerWithEmbeddedPolicies(false))
+ options.ScannerWithEmbeddedPolicies(false),
+ options.ScannerWithEmbeddedLibraries(false))
 }
 
 var policyFS fs.FS
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 23d0b01dc541..cb23eee0d470 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -576,18 +576,19 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 disableEmbedded = true
 }
 configScannerOptions = misconf.ScannerOption{
- Trace: opts.Trace,
- Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
- PolicyPaths: append(opts.PolicyPaths, downloadedPolicyPaths...),
- DataPaths: append(opts.DataPaths),
- HelmValues: opts.HelmValues,
- HelmValueFiles: opts.HelmValueFiles,
- HelmFileValues: opts.HelmFileValues,
- HelmStringValues: opts.HelmStringValues,
- TerraformTFVars: opts.TerraformTFVars,
- K8sVersion: opts.K8sVersion,
- DisableEmbeddedPolicies: disableEmbedded,
- TfExcludeDownloaded: opts.TfExcludeDownloaded,
+ Trace: opts.Trace,
+ Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
+ PolicyPaths: append(opts.PolicyPaths, downloadedPolicyPaths...),
+ DataPaths: opts.DataPaths,
+ HelmValues: opts.HelmValues,
+ HelmValueFiles: opts.HelmValueFiles,
+ HelmFileValues: opts.HelmFileValues,
+ HelmStringValues: opts.HelmStringValues,
+ TerraformTFVars: opts.TerraformTFVars,
+ K8sVersion: opts.K8sVersion,
+ DisableEmbeddedPolicies: disableEmbedded,
+ DisableEmbeddedLibraries: disableEmbedded,
+ TfExcludeDownloaded: opts.TfExcludeDownloaded,
 }
 }
 
diff --git a/pkg/fanal/artifact/local/fs_test.go b/pkg/fanal/artifact/local/fs_test.go
index 030b4217b18f..bbd1b0776210 100644
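Review bot: Passing `options.ScannerWithEmbeddedLibraries(false)` alongside the existing `ScannerWithEmbeddedPolicies(false)` makes the on-disk bundle the only source of the Rego helper modules whenever policies load from disk, so a cached bundle that does not carry those libraries would, as far as I can tell, leave the downloaded policies unable to evaluate — and the symptom is fewer findings, not an error, which is the fail-open direction for a scanner. If the bundle format guarantees the libraries are present, the code should say so: `// The downloaded bundle ships its own Rego helper libs; embedded copies would only duplicate them.` Otherwise consider leaving the embedded libraries on unless the bundle is known to contain them. The Scan method begins before this hunk and continues after it.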
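Review bot: `DisableEmbeddedLibraries: disableEmbedded` reuses a flag that, from the surrounding lines, is set when the built-in bundle has been loaded, so user policies supplied via `opts.PolicyPaths` (merged with `downloadedPolicyPaths` two lines above) lose defsec's helper libraries on that same condition and keep working only while the downloaded bundle provides equivalent modules. Nothing in the two field names makes that coupling visible; a comment on the pair would: `// Embedded policies and their helper libraries are dropped together: the downloaded bundle is expected to replace both.` The `append(opts.DataPaths)` → `opts.DataPaths` change is a correct cleanup (single-argument append was a no-op that vet flags). `disableEmbedded` is computed above the hunk inside initScannerConfig, whose body starts outside it.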
--- a/pkg/fanal/artifact/local/fs_test.go
+++ b/pkg/fanal/artifact/local/fs_test.go
@@ -382,9 +382,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -433,9 +435,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -546,9 +550,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -593,9 +599,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -657,9 +665,10 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
+ DisableEmbeddedPolicies: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -776,9 +785,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
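Review bot: The case at `@@ -657,9 +665,10 @@` adds only `DisableEmbeddedPolicies: true`, while every other case in TestTerraformMisconfigurationScan and the CloudFormation cases that follow now set `DisableEmbeddedLibraries: true` as well. If this case deliberately exercises a user policy with defsec's embedded libraries still loaded, mark it on the line so the asymmetry is not "fixed" later: `DisableEmbeddedPolicies: true, // embedded libraries intentionally left enabled`; if it is an oversight, add `DisableEmbeddedLibraries: true,` so the fixture does not depend on the content of the embedded libraries. The table-driven test continues beyond this hunk.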
@@ -836,9 +847,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -918,9 +931,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -948,9 +963,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"},
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1034,10 +1051,11 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1091,10 +1109,11 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1178,10 +1197,11 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1266,10 +1286,11 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1328,10 +1349,11 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1443,10 +1465,11 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
@@ -1788,10 +1811,11 @@ func TestMixedConfigurationScan(t *testing.T) {
 },
 artifactOpt: artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
- Namespaces: []string{"user"},
- PolicyPaths: []string{"./testdata/misconfig/mixed/rego"},
- DisableEmbeddedPolicies: true,
+ RegoOnly: true,
+ Namespaces: []string{"user"},
+ PolicyPaths: []string{"./testdata/misconfig/mixed/rego"},
+ DisableEmbeddedPolicies: true,
+ DisableEmbeddedLibraries: true,
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
diff --git a/pkg/fanal/external/config_scan.go b/pkg/fanal/external/config_scan.go
index 237b344e0aaf..43f9ede430f4 100644
--- a/pkg/fanal/external/config_scan.go
+++ b/pkg/fanal/external/config_scan.go
@@ -42,10 +42,11 @@ func NewConfigScanner(cacheDir string, policyPaths, dataPaths, namespaces []stri
 func (s ConfigScanner) Scan(dir string) ([]types.Misconfiguration, error) {
 art, err := local.NewArtifact(dir, s.cache, artifact.Option{
 MisconfScannerOption: misconf.ScannerOption{
- PolicyPaths: s.policyPaths,
- DataPaths: s.dataPaths,
- Namespaces: s.namespaces,
- DisableEmbeddedPolicies: !s.allowEmbedded,
+ PolicyPaths: s.policyPaths,
+ DataPaths: s.dataPaths,
+ Namespaces: s.namespaces,
+ DisableEmbeddedPolicies: !s.allowEmbedded,
+ DisableEmbeddedLibraries: !s.allowEmbedded,
 },
 })
 if err != nil {
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index 7d43244fa0af..e60831b95f4a 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -43,12 +43,13 @@ var enabledDefsecTypes = map[detection.FileType]string{
 }
 
 type ScannerOption struct {
- Trace bool
- RegoOnly bool
- Namespaces []string
- PolicyPaths []string
- DataPaths []string
- DisableEmbeddedPolicies bool
+ Trace bool
+ RegoOnly bool
+ Namespaces []string
+ PolicyPaths []string
+ DataPaths []string
+ DisableEmbeddedPolicies bool
+ DisableEmbeddedLibraries bool
 
 HelmValues []string
 HelmValueFiles []string
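Review bot: The new `DisableEmbeddedLibraries` field in ScannerOption (and its sibling `DisableEmbeddedPolicies`) has no doc comment, and the non-obvious part is exactly what a caller needs to know: the flag is only forwarded to defsec in scannerOptions, so nothing at the struct tells a caller that turning it on removes the helper modules that policies under PolicyPaths may import, leaving those policies silently unable to evaluate. Suggested: `// DisableEmbeddedLibraries stops loading defsec's bundled Rego helper libraries. Set it only when PolicyPaths supply their own; policies that import the bundled libs otherwise stop evaluating.` A matching one-liner on DisableEmbeddedPolicies would keep the pair consistent. The ScannerOption struct continues past the end of this hunk.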
@@ -201,6 +202,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
 opts := []options.ScannerOption{
 options.ScannerWithSkipRequiredCheck(true),
 options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
+ options.ScannerWithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
 }
 
 policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
diff --git a/pkg/misconf/scanner_test.go b/pkg/misconf/scanner_test.go
index ac5c7519f2a4..e8fd9cbcc55c 100644
--- a/pkg/misconf/scanner_test.go
+++ b/pkg/misconf/scanner_test.go
@@ -118,7 +118,6 @@ func TestScanner_Scan(t *testing.T) {
 {
 name: "happy path. terraform plan file",
 scannerFunc: NewTerraformPlanScanner,
- fields: fields{},
 files: []file{
 {
 path: "main.tfplan.json",