feat(misconf): Add support for independently enabling libraries (#4070)
* feat(misconf): Add support for independently enabling libraries

Implements: #4181

Signed-off-by: Simar <simar@linux.com>

* update tests

Signed-off-by: Simar <simar@linux.com>

* fix lint

Signed-off-by: Simar <simar@linux.com>

* fix tests

Signed-off-by: Simar <simar@linux.com>

* update defsec

Signed-off-by: Simar <simar@linux.com>

* fix test

Signed-off-by: Simar <simar@linux.com>

---------

Signed-off-by: Simar <simar@linux.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
simar7 and knqyf263 authored Jul 23, 2023
1 parent 4aa9ea0 commit a7bd7bb
Showing 8 changed files with 113 additions and 85 deletions.
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -13,8 +13,8 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.30.4
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.90.3
github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3
github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f
github.com/aquasecurity/go-dep-parser v0.0.0-20230627073354-fb7eb3159bd5
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
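Review bot: The go-dep-parser requirement appears to move backwards here, from pseudo-version 20230713131216-85ebd0d79cd3 to 20230627073354-fb7eb3159bd5, if the second pair of lines is the new side as the accompanying defsec bump (v0.90.3 to v0.90.4-0.20230716083016) suggests. A dependency pseudo-version going backwards is usually a stale-branch rebase artefact rather than a deliberate downgrade, and it silently drops whatever go-dep-parser gained in those two weeks, fixes included. Please confirm the intended version and, if the downgrade is unintended, restore `github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3` together with its go.sum entries.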
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -321,10 +321,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.90.3 h1:ZBPhzS5/+75SLGEZe6fWFyWEuNtibNc7CZZXl2yQhjw=
github.com/aquasecurity/defsec v0.90.3/go.mod h1:VPkgjZz3dx3znIIVLZgbtFhSzN9aZC2409s5V5Oqb7o=
github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3 h1:btZmyXc4e4wDNBEI4guYzpCMeNPM0f8p0F/IzSsoP0M=
github.com/aquasecurity/go-dep-parser v0.0.0-20230713131216-85ebd0d79cd3/go.mod h1:Cl6aYro+Ddzh1MB451j/C6rvwKdn/Ifa7z98sFirJ9I=
github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f h1:JQnhl5zK5cBJKPbCLdvK0ialSkwvp+z1B9rY61SRxNI=
github.com/aquasecurity/defsec v0.90.4-0.20230716083016-931764ac907f/go.mod h1:VPkgjZz3dx3znIIVLZgbtFhSzN9aZC2409s5V5Oqb7o=
github.com/aquasecurity/go-dep-parser v0.0.0-20230627073354-fb7eb3159bd5 h1:FA5XM/KP1l+PYH+QafFzzBjdsT+WxWTWsYGPzKrMeAQ=
github.com/aquasecurity/go-dep-parser v0.0.0-20230627073354-fb7eb3159bd5/go.mod h1:VjG2wX19QDny5yKN+he0v9wuZjF0k+00173mh0FJCVU=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
3 changes: 2 additions & 1 deletion pkg/cloud/aws/scanner/scanner.go
Expand Up @@ -77,7 +77,8 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
log.Logger.Debug("Policies successfully loaded from disk")
policyPaths = append(policyPaths, downloadedPolicyPaths...)
scannerOpts = append(scannerOpts,
options.ScannerWithEmbeddedPolicies(false))
options.ScannerWithEmbeddedPolicies(false),
options.ScannerWithEmbeddedLibraries(false))
}

var policyFS fs.FS
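Review bot: `options.ScannerWithEmbeddedLibraries(false)` is now applied unconditionally whenever the policies were loaded from disk, so the downloaded bundle presumably has to carry every Rego library those policies import; if a bundle lacks them, references into the missing library would evaluate as undefined and the affected checks would yield no findings rather than an error, which is the failure mode to verify with a bundle that has no `lib/` directory. I cannot confirm defsec's exact behaviour from this diff, so please test that case explicitly. A line comment would make the coupling visible to the next reader: `// Downloaded bundles ship their own Rego libraries; do not merge in the embedded ones.` The enclosing `Scan` method begins before and continues after this hunk.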
25 changes: 13 additions & 12 deletions pkg/commands/artifact/run.go
Expand Up @@ -576,18 +576,19 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
disableEmbedded = true
}
configScannerOptions = misconf.ScannerOption{
Trace: opts.Trace,
Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
PolicyPaths: append(opts.PolicyPaths, downloadedPolicyPaths...),
DataPaths: append(opts.DataPaths),
HelmValues: opts.HelmValues,
HelmValueFiles: opts.HelmValueFiles,
HelmFileValues: opts.HelmFileValues,
HelmStringValues: opts.HelmStringValues,
TerraformTFVars: opts.TerraformTFVars,
K8sVersion: opts.K8sVersion,
DisableEmbeddedPolicies: disableEmbedded,
TfExcludeDownloaded: opts.TfExcludeDownloaded,
Trace: opts.Trace,
Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
PolicyPaths: append(opts.PolicyPaths, downloadedPolicyPaths...),
DataPaths: opts.DataPaths,
HelmValues: opts.HelmValues,
HelmValueFiles: opts.HelmValueFiles,
HelmFileValues: opts.HelmFileValues,
HelmStringValues: opts.HelmStringValues,
TerraformTFVars: opts.TerraformTFVars,
K8sVersion: opts.K8sVersion,
DisableEmbeddedPolicies: disableEmbedded,
DisableEmbeddedLibraries: disableEmbedded,
TfExcludeDownloaded: opts.TfExcludeDownloaded,
}
}

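Review bot: `DisableEmbeddedLibraries` is bound to the same `disableEmbedded` boolean as `DisableEmbeddedPolicies`, so despite the commit title a CLI user apparently has no way to keep the bundled Rego libraries while supplying their own policy directory; the condition that sets `disableEmbedded` is above this hunk, so I cannot see whether an opt-in exists. If user policies import helpers from the embedded library set, coupling the two flags turns those policies into silent no-ops the moment custom policies are enabled, which is worth either a separate option or at least a comment at the assignment: `// Libraries follow policies: custom policy dirs must bundle the Rego libs their policies import.` The `DataPaths` change from `append(opts.DataPaths)` to `opts.DataPaths` is behaviour-neutral. `initScannerConfig` starts before and ends after this hunk.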
134 changes: 79 additions & 55 deletions pkg/fanal/artifact/local/fs_test.go
Expand Up @@ -382,9 +382,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -433,9 +435,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -546,9 +550,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -593,9 +599,11 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -657,9 +665,10 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -776,9 +785,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -836,9 +847,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -918,9 +931,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -948,9 +963,11 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"},
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1034,10 +1051,11 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1091,10 +1109,11 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1178,10 +1197,11 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1266,10 +1286,11 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1328,10 +1349,11 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1443,10 +1465,11 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -1788,10 +1811,11 @@ func TestMixedConfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/mixed/rego"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/mixed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
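Review bot: The Terraform case in the fifth hunk (the `./testdata/misconfig/terraform/rego` case that gains only one line) sets `DisableEmbeddedPolicies: true` without `DisableEmbeddedLibraries: true`, while every other case in the file now sets both. If that case is meant to exercise user policies evaluated together with the embedded libraries, say so next to the option, e.g. `// embedded Rego libraries intentionally left enabled`; if it is an oversight, add the field so the suite covers the new option uniformly. The case names sit outside the visible hunks, so I cannot tell which it is.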
9 changes: 5 additions & 4 deletions pkg/fanal/external/config_scan.go
Expand Up @@ -42,10 +42,11 @@ func NewConfigScanner(cacheDir string, policyPaths, dataPaths, namespaces []stri
func (s ConfigScanner) Scan(dir string) ([]types.Misconfiguration, error) {
art, err := local.NewArtifact(dir, s.cache, artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
PolicyPaths: s.policyPaths,
DataPaths: s.dataPaths,
Namespaces: s.namespaces,
DisableEmbeddedPolicies: !s.allowEmbedded,
PolicyPaths: s.policyPaths,
DataPaths: s.dataPaths,
Namespaces: s.namespaces,
DisableEmbeddedPolicies: !s.allowEmbedded,
DisableEmbeddedLibraries: !s.allowEmbedded,
},
})
if err != nil {
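Review bot: `allowEmbedded` now also drives `DisableEmbeddedLibraries`, which changes what the exported `ConfigScanner` contract means for external callers: passing `allowEmbedded=false` previously dropped only the built-in policies, whereas after this change callers' own policies presumably must ship any Rego libraries they import as well (the previous library-loading behaviour is not visible in this diff). Since this package is the integration surface for other tools, the constructor above the hunk (`NewConfigScanner`) should state it: `// allowEmbedded controls both the built-in policies and the built-in Rego libraries; when false, policyPaths must provide any libraries the policies import.` `Scan`'s body continues past the hunk.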
14 changes: 8 additions & 6 deletions pkg/misconf/scanner.go
Expand Up @@ -43,12 +43,13 @@ var enabledDefsecTypes = map[detection.FileType]string{
}

type ScannerOption struct {
Trace bool
RegoOnly bool
Namespaces []string
PolicyPaths []string
DataPaths []string
DisableEmbeddedPolicies bool
Trace bool
RegoOnly bool
Namespaces []string
PolicyPaths []string
DataPaths []string
DisableEmbeddedPolicies bool
DisableEmbeddedLibraries bool

HelmValues []string
HelmValueFiles []string
Expand Down Expand Up @@ -201,6 +202,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
opts := []options.ScannerOption{
options.ScannerWithSkipRequiredCheck(true),
options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
options.ScannerWithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
}

policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
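Review bot: The new `DisableEmbeddedLibraries` field on `ScannerOption` has no doc comment, and its relationship to `DisableEmbeddedPolicies` is exactly what every caller of this struct needs to know before setting one without the other. Suggested comment above the field: `// DisableEmbeddedLibraries stops the bundled Rego helper libraries from being loaded; when set, PolicyPaths must supply every library the loaded policies import.` The zero value leaves the libraries enabled, which is the safer default for callers that never set it, and that is worth stating in the same comment. `scannerOptions` continues beyond the second hunk.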
1 change: 0 additions & 1 deletion pkg/misconf/scanner_test.go
Expand Up @@ -118,7 +118,6 @@ func TestScanner_Scan(t *testing.T) {
{
name: "happy path. terraform plan file",
scannerFunc: NewTerraformPlanScanner,
fields: fields{},
files: []file{
{
path: "main.tfplan.json",
