-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(checks): handle of unresolvable values #279
Conversation
8e5c630
to
bcb07cf
Compare
@REPO=localhost:${REGISTRY_PORT}/trivy-checks:latest ;\ | ||
echo "Pushing to repository: $$REPO" ;\ | ||
docker run --rm -it --net=host -v $$PWD/${BUNDLE_FILE}:/${BUNDLE_FILE} bitnami/oras:latest push \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need --net=host
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will allow Oras to access the local registry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my testing, I haven't had the need to allow --net=host
.
Run registry:
docker run -it --rm -p 6000:5000 registry
Push image:
oras push localhost:6000/trivy-checks:1 --config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in Makefile oras runs in a container
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah that's right - I missed that, makes sense.
less_than(val, other) := false if { | ||
is_unresolvable(val) | ||
} else := val.value < other | ||
|
||
greater_than(val, other) := false if { | ||
is_unresolvable(val) | ||
} else := val.value > other |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would these cover float too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, the good thing to do is to use epsilon, but I haven't encountered floating numbers in the checks.
sg.description.value == "" | ||
res := result.new("Security group rule allows egress to multiple public addresses.", sg.description) | ||
without_description(sg) | ||
res := result.new("Network security group does not have a description.", sg.description) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change should have failed a test right? (since the resulting message has changed).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In some tests, we only check the number of results, not the messages. We usually do this in tests for those checks that may return several different messages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK - I think we should improve that, at least for those checks where there isn't any more than a single message that can be in the output. We can do it in a separate PR if you like.
"Database server does not have public access enabled.", | ||
metadata.obj_by_path(server, "enablepublicnetworkaccess"), | ||
"Database server has public network access enabled.", | ||
server.enablepublicnetworkaccess, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto for test failure
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Answered above.
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
bcb07cf
to
7d8d96c
Compare
Related issues:
Before
After
./trivy conf main.tf --checks-bundle-repository localhost:5111/trivy-checks:latest --cache-dir cache 2024-10-22T17:03:40+06:00 INFO [misconfig] Misconfiguration scanning is enabled 2024-10-22T17:03:41+06:00 INFO [terraform scanner] Scanning root module file_path="." 2024-10-22T17:03:41+06:00 INFO Detected config files num=1