Skip to content

Commit

Permalink
fix(misconf): support deprecating for Go checks (#7377)
Browse files Browse the repository at this point in the history
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
  • Loading branch information
nikpivkin authored Aug 23, 2024
1 parent b65b32d commit 2a6c7ab
Show file tree
Hide file tree
Showing 6 changed files with 123 additions and 41 deletions.
38 changes: 22 additions & 16 deletions pkg/iac/scanners/azure/arm/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,20 +25,24 @@ var _ scanners.FSScanner = (*Scanner)(nil)
var _ options.ConfigurableScanner = (*Scanner)(nil)

type Scanner struct {
mu sync.Mutex
scannerOptions []options.ScannerOption
logger *log.Logger
frameworks []framework.Framework
regoOnly bool
loadEmbeddedPolicies bool
loadEmbeddedLibraries bool
policyDirs []string
policyReaders []io.Reader
regoScanner *rego.Scanner
spec string
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {}
mu sync.Mutex
scannerOptions []options.ScannerOption
logger *log.Logger
frameworks []framework.Framework
regoOnly bool
loadEmbeddedPolicies bool
loadEmbeddedLibraries bool
policyDirs []string
policyReaders []io.Reader
regoScanner *rego.Scanner
spec string
includeDeprecatedChecks bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
s.includeDeprecatedChecks = b
}

func (s *Scanner) SetCustomSchemas(map[string][]byte) {}

func (s *Scanner) SetSpec(spec string) {
Expand Down Expand Up @@ -150,9 +154,11 @@ func (s *Scanner) scanDeployment(ctx context.Context, deployment azure.Deploymen
return nil, ctx.Err()
default:
}
if rule.GetRule().RegoPackage != "" {
continue

if !s.includeDeprecatedChecks && rule.Deprecated {
continue // skip deprecated checks
}

ruleResults := rule.Evaluate(deploymentState)
if len(ruleResults) > 0 {
results = append(results, ruleResults...)
Expand Down
38 changes: 22 additions & 16 deletions pkg/iac/scanners/cloudformation/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,22 +48,26 @@ var _ scanners.FSScanner = (*Scanner)(nil)
var _ options.ConfigurableScanner = (*Scanner)(nil)

type Scanner struct {
mu sync.Mutex
logger *log.Logger
policyDirs []string
policyReaders []io.Reader
parser *parser.Parser
regoScanner *rego.Scanner
regoOnly bool
loadEmbeddedPolicies bool
loadEmbeddedLibraries bool
options []options.ScannerOption
parserOptions []parser.Option
frameworks []framework.Framework
spec string
mu sync.Mutex
logger *log.Logger
policyDirs []string
policyReaders []io.Reader
parser *parser.Parser
regoScanner *rego.Scanner
regoOnly bool
loadEmbeddedPolicies bool
loadEmbeddedLibraries bool
options []options.ScannerOption
parserOptions []parser.Option
frameworks []framework.Framework
spec string
includeDeprecatedChecks bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {
s.includeDeprecatedChecks = true
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}
func (s *Scanner) SetCustomSchemas(map[string][]byte) {}

func (s *Scanner) addParserOption(opt parser.Option) {
Expand Down Expand Up @@ -211,9 +215,11 @@ func (s *Scanner) scanFileContext(ctx context.Context, regoScanner *rego.Scanner
return nil, ctx.Err()
default:
}
if rule.GetRule().RegoPackage != "" {
continue

if !s.includeDeprecatedChecks && rule.Deprecated {
continue // skip deprecated checks
}

evalResult := rule.Evaluate(state)
if len(evalResult) > 0 {
for _, scanResult := range evalResult {
Expand Down
25 changes: 17 additions & 8 deletions pkg/iac/scanners/terraform/executor/executor.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"runtime"
"sort"

"github.com/samber/lo"
"github.com/zclconf/go-cty/cty"

adapter "github.com/aquasecurity/trivy/pkg/iac/adapters/terraform"
Expand All @@ -15,17 +16,19 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/terraform"
"github.com/aquasecurity/trivy/pkg/iac/types"
ruleTypes "github.com/aquasecurity/trivy/pkg/iac/types/rules"
"github.com/aquasecurity/trivy/pkg/log"
)

// Executor scans HCL blocks by running all registered rules against them
type Executor struct {
workspaceName string
logger *log.Logger
resultsFilters []func(scan.Results) scan.Results
regoScanner *rego.Scanner
regoOnly bool
frameworks []framework.Framework
workspaceName string
logger *log.Logger
resultsFilters []func(scan.Results) scan.Results
regoScanner *rego.Scanner
regoOnly bool
includeDeprecatedChecks bool
frameworks []framework.Framework
}

// New creates a new Executor
Expand Down Expand Up @@ -53,8 +56,14 @@ func (e *Executor) Execute(modules terraform.Modules) (scan.Results, error) {

e.logger.Debug("Using max routines", log.Int("count", threads))

registeredRules := rules.GetRegistered(e.frameworks...)
e.logger.Debug("Initialized rule(s).", log.Int("count", len(registeredRules)))
registeredRules := lo.Filter(rules.GetRegistered(e.frameworks...), func(r ruleTypes.RegisteredRule, _ int) bool {
if !e.includeDeprecatedChecks && r.Deprecated {
return false // skip deprecated checks
}

return true
})
e.logger.Debug("Initialized Go check(s).", log.Int("count", len(registeredRules)))

pool := NewPool(threads, registeredRules, modules, infra, e.regoScanner, e.regoOnly)

Expand Down
6 changes: 6 additions & 0 deletions pkg/iac/scanners/terraform/executor/option.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,3 +37,9 @@ func OptionWithRegoOnly(regoOnly bool) Option {
e.regoOnly = regoOnly
}
}

func OptionWithIncludeDeprecatedChecks(b bool) Option {
return func(e *Executor) {
e.includeDeprecatedChecks = b
}
}
5 changes: 4 additions & 1 deletion pkg/iac/scanners/terraform/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,10 @@ type Scanner struct {
loadEmbeddedPolicies bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {}
func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
s.executorOpt = append(s.executorOpt, executor.OptionWithIncludeDeprecatedChecks(b))
}

func (s *Scanner) SetCustomSchemas(map[string][]byte) {}

func (s *Scanner) SetSpec(spec string) {
Expand Down
52 changes: 52 additions & 0 deletions pkg/iac/scanners/terraform/scanner_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,13 @@ import (
"github.com/stretchr/testify/require"

"github.com/aquasecurity/trivy/internal/testutil"
"github.com/aquasecurity/trivy/pkg/iac/providers"
"github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
"github.com/aquasecurity/trivy/pkg/iac/severity"
"github.com/aquasecurity/trivy/pkg/iac/state"
"github.com/aquasecurity/trivy/pkg/iac/types"
)

const emptyBucketRule = `
Expand Down Expand Up @@ -1065,3 +1070,50 @@ deny[res] {
occurrences := failed[0].Occurrences()
assert.Equal(t, "code/example/main.tf", occurrences[0].Filename)
}

func TestSkipDeprecatedGoChecks(t *testing.T) {

check := scan.Rule{
Provider: providers.AWSProvider,
Service: "service",
ShortCode: "abc",
Severity: severity.High,
Check: func(s *state.State) (results scan.Results) {
results.Add("Deny", types.NewTestMetadata())
return
},
}

fsys := testutil.CreateFS(t, map[string]string{
"main.tf": `resource "foo" "bar" {}`,
})

scanner := New(
options.ScannerWithPolicyFilesystem(fsys),
options.ScannerWithEmbeddedLibraries(false),
options.ScannerWithEmbeddedPolicies(false),
ScannerWithAllDirectories(true),
)

t.Run("deprecated", func(t *testing.T) {
check.Deprecated = true
reg := rules.Register(check)
defer rules.Deregister(reg)

results, err := scanner.ScanFS(context.TODO(), fsys, ".")
require.NoError(t, err)

require.Empty(t, results)
})

t.Run("not deprecated", func(t *testing.T) {
check.Deprecated = false
reg := rules.Register(check)
defer rules.Deregister(reg)

results, err := scanner.ScanFS(context.TODO(), fsys, ".")
require.NoError(t, err)

require.Len(t, results, 1)
})
}

0 comments on commit 2a6c7ab

Please sign in to comment.