Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(checks): handle of unresolvable values #279

Merged
merged 1 commit into from
Oct 29, 2024

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Oct 18, 2024

Related issues:

Before

trivy conf main.tf
2024-10-22T17:04:06+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-22T17:04:06+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-10-22T17:04:06+06:00       INFO    Detected config files   num=2

main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:7
   via main.tf:5-8 (aws_sns_topic.test)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5   resource "aws_sns_topic" "test" {
   6     name = "user-updates-topic"
   7 [   kms_master_key_id = data.aws_kms_alias.test.target_key_id
   8   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

After

./trivy conf main.tf --checks-bundle-repository localhost:5111/trivy-checks:latest --cache-dir cache
2024-10-22T17:03:40+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-22T17:03:41+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-10-22T17:03:41+06:00       INFO    Detected config files   num=1

@nikpivkin nikpivkin force-pushed the rego-unresolvable branch 4 times, most recently from 8e5c630 to bcb07cf Compare October 22, 2024 10:51
@nikpivkin nikpivkin marked this pull request as ready for review October 22, 2024 10:54
@nikpivkin nikpivkin requested a review from simar7 as a code owner October 22, 2024 10:54
@REPO=localhost:${REGISTRY_PORT}/trivy-checks:latest ;\
echo "Pushing to repository: $$REPO" ;\
docker run --rm -it --net=host -v $$PWD/${BUNDLE_FILE}:/${BUNDLE_FILE} bitnami/oras:latest push \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need --net=host?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will allow Oras to access the local registry.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my testing, I haven't had the need to allow --net=host.

Run registry:

docker run -it --rm -p 6000:5000 registry

Push image:

oras push localhost:6000/trivy-checks:1 --config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json  bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in Makefile oras runs in a container

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah that's right - I missed that, makes sense.

Comment on lines +18 to +24
less_than(val, other) := false if {
is_unresolvable(val)
} else := val.value < other

greater_than(val, other) := false if {
is_unresolvable(val)
} else := val.value > other
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would these cover float too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, the good thing to do is to use epsilon, but I haven't encountered floating numbers in the checks.

Comment on lines -31 to +34
sg.description.value == ""
res := result.new("Security group rule allows egress to multiple public addresses.", sg.description)
without_description(sg)
res := result.new("Network security group does not have a description.", sg.description)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change should have failed a test right? (since the resulting message has changed).

Copy link
Contributor Author

@nikpivkin nikpivkin Oct 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In some tests, we only check the number of results, not the messages. We usually do this in tests for those checks that may return several different messages.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK - I think we should improve that, at least for those checks where there isn't any more than a single message that can be in the output. We can do it in a separate PR if you like.

Comment on lines -40 to +41
"Database server does not have public access enabled.",
metadata.obj_by_path(server, "enablepublicnetworkaccess"),
"Database server has public network access enabled.",
server.enablepublicnetworkaccess,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto for test failure

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Answered above.

@simar7 simar7 self-requested a review October 29, 2024 22:48
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
@simar7 simar7 force-pushed the rego-unresolvable branch from bcb07cf to 7d8d96c Compare October 29, 2024 22:49
@simar7 simar7 added this pull request to the merge queue Oct 29, 2024
Merged via the queue into aquasecurity:main with commit 878623c Oct 29, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants