From c7665cb825261f64874677303d32d4f7eee93b8c Mon Sep 17 00:00:00 2001 From: chenk Date: Wed, 13 Mar 2024 10:54:27 +0200 Subject: [PATCH 1/9] feat: add support for k8s non-intrusive flag Signed-off-by: chenk --- .../configuration/cli/trivy_kubernetes.md | 2 +- pkg/flag/kubernetes_flags.go | 28 +- pkg/flag/options.go | 8 +- pkg/k8s/commands/cluster.go | 2 +- pkg/k8s/commands/run.go | 1 - pkg/k8s/report/report.go | 28 +- pkg/k8s/report/report_test.go | 32 +- pkg/k8s/report/summary.go | 9 +- pkg/k8s/report/summary_test.go | 26 +- pkg/k8s/writer.go | 4 +- pkg/k8s/writer_test.go | 321 ++++++++++-------- 11 files changed, 223 insertions(+), 238 deletions(-) diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 7b7c91f3d88e..4c236a404dfc 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -34,7 +34,6 @@ trivy kubernetes [flags] [CONTEXT] --cache-ttl duration cache TTL when using redis as cache backend --clear-cache clear image caches without scanning --compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted) - --components strings specify which components to scan (workload,infra) (default [workload,infra]) --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") @@ -96,6 +95,7 @@ trivy kubernetes [flags] [CONTEXT] --skip-db-update skip updating vulnerability database --skip-dirs strings specify the directories or glob patterns to skip --skip-files strings specify the files or glob patterns to skip + --skip-intrusive When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. --skip-java-db-update skip updating Java index database --skip-policy-update skip fetching rego policy updates -t, --template string output template diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index e325eb861045..04947bcb0aaa 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -15,19 +15,6 @@ var ( ConfigName: "kubernetes.kubeconfig", Usage: "specify the kubeconfig file path to use", } - ComponentsFlag = Flag[[]string]{ - Name: "components", - ConfigName: "kubernetes.components", - Default: []string{ - "workload", - "infra", - }, - Values: []string{ - "workload", - "infra", - }, - Usage: "specify which components to scan", - } K8sVersionFlag = Flag[string]{ Name: "k8s-version", ConfigName: "kubernetes.k8s-version", @@ -38,6 +25,11 @@ var ( ConfigName: "kubernetes.tolerations", Usage: "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)", } + DisableNodeCollector = Flag[bool]{ + Name: "disable-node-collector", + ConfigName: "kubernetes.disableNodeCollector", + Usage: "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.", + } NodeCollectorNamespace = Flag[string]{ Name: "node-collector-namespace", ConfigName: "kubernetes.node-collector.namespace", @@ -97,9 +89,9 @@ var ( type K8sFlagGroup struct { KubeConfig *Flag[string] - Components *Flag[[]string] K8sVersion *Flag[string] Tolerations *Flag[[]string] + SkipIntrusive *Flag[bool] NodeCollectorImageRef *Flag[string] NodeCollectorNamespace *Flag[string] ExcludeOwned *Flag[bool] @@ -114,12 +106,12 @@ type K8sFlagGroup struct { type K8sOptions struct { KubeConfig string - Components []string K8sVersion string Tolerations []corev1.Toleration NodeCollectorImageRef string NodeCollectorNamespace string ExcludeOwned bool + SkipIntrusive bool ExcludeNodes map[string]string ExcludeKinds []string IncludeKinds []string @@ -132,9 +124,9 @@ type K8sOptions struct { func NewK8sFlagGroup() *K8sFlagGroup { return &K8sFlagGroup{ KubeConfig: KubeConfigFlag.Clone(), - Components: ComponentsFlag.Clone(), K8sVersion: K8sVersionFlag.Clone(), Tolerations: TolerationsFlag.Clone(), + DisableNodeCollector: DisableNodeCollector.Clone(), NodeCollectorNamespace: NodeCollectorNamespace.Clone(), ExcludeOwned: ExcludeOwned.Clone(), ExcludeNodes: ExcludeNodes.Clone(), @@ -155,8 +147,8 @@ func (f *K8sFlagGroup) Name() string { func (f *K8sFlagGroup) Flags() []Flagger { return []Flagger{ f.KubeConfig, - f.Components, f.K8sVersion, + f.SkipIntrusive, f.Tolerations, f.NodeCollectorNamespace, f.ExcludeOwned, @@ -199,9 +191,9 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) { return K8sOptions{ KubeConfig: f.KubeConfig.Value(), - Components: f.Components.Value(), K8sVersion: f.K8sVersion.Value(), Tolerations: tolerations, + DisableNodeCollector: f.DisableNodeCollector.Value(), NodeCollectorNamespace: f.NodeCollectorNamespace.Value(), ExcludeOwned: f.ExcludeOwned.Value(), ExcludeNodes: exludeNodeLabels, diff --git a/pkg/flag/options.go b/pkg/flag/options.go index 9448f7c0f2fa..06da00e292e4 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -360,13 +360,13 @@ func (o *Options) Align() { } // Vulnerability scanning is disabled by default for CycloneDX. - if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) && len(o.K8sOptions.Components) == 0 { // remove K8sOptions.Components validation check when vuln scan is supported for k8s report with cycloneDX - log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`) + if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) { // remove K8sOptions.Components validation check when vuln scan is supported for k8s report with cycloneDX + log.Logger.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`) o.Scanners = nil } - if o.Format == types.FormatCycloneDX && len(o.K8sOptions.Components) > 0 { - log.Info(`"k8s with --format cyclonedx" disable security scanning`) + if o.Format == types.FormatCycloneDX { + log.Logger.Info(`"k8s with --format cyclonedx" disable security scanning`) o.Scanners = nil } } diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go index bc985bff7393..937e9b813525 100644 --- a/pkg/k8s/commands/cluster.go +++ b/pkg/k8s/commands/cluster.go @@ -34,7 +34,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err trivyk8s.WithIncludeKinds(opts.IncludeKinds), trivyk8s.WithExcludeOwned(opts.ExcludeOwned), } - if opts.Scanners.AnyEnabled(types.MisconfigScanner) && slices.Contains(opts.Components, "infra") { + if opts.Scanners.AnyEnabled(types.MisconfigScanner) && !opts.DisableNodeCollector { artifacts, err = trivyk8s.New(cluster, k8sOpts...).ListArtifactAndNodeInfo(ctx, trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace), trivyk8s.WithIgnoreLabels(opts.ExcludeNodes), diff --git a/pkg/k8s/commands/run.go b/pkg/k8s/commands/run.go index 179853f99121..8eaf03d8e55e 100644 --- a/pkg/k8s/commands/run.go +++ b/pkg/k8s/commands/run.go @@ -115,7 +115,6 @@ func (r *runner) run(ctx context.Context, artifacts []*k8sArtifacts.Artifact) er Report: r.flagOpts.ReportFormat, Output: output, Severities: r.flagOpts.Severities, - Components: r.flagOpts.Components, Scanners: r.flagOpts.ScanOptions.Scanners, APIVersion: r.flagOpts.AppVersion, }); err != nil { diff --git a/pkg/k8s/report/report.go b/pkg/k8s/report/report.go index 0861a8669143..1db95394514e 100644 --- a/pkg/k8s/report/report.go +++ b/pkg/k8s/report/report.go @@ -33,7 +33,6 @@ type Option struct { Severities []dbTypes.Severity ColumnHeading []string Scanners types.Scanners - Components []string APIVersion string } @@ -134,12 +133,12 @@ type reports struct { // - misconfiguration report // - rbac report // - infra checks report -func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, components []string) []reports { +func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners) []reports { var workloadMisconfig, infraMisconfig, rbacAssessment, workloadVulnerabilities, infraVulnerabilities, workloadResource []Resource for _, resource := range k8sReport.Resources { switch { - case vulnerabilitiesOrSecretResource(resource): + case vulnerabilitiesOrSecretResource(resource) && !infraResource(resource): if resource.Namespace == infraNamespace || nodeInfoResource(resource) { infraVulnerabilities = append(infraVulnerabilities, nodeKind(resource)) } else { @@ -150,8 +149,7 @@ func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, compone case infraResource(resource): infraMisconfig = append(infraMisconfig, nodeKind(resource)) case scanners.Enabled(types.MisconfigScanner) && - !rbacResource(resource) && - slices.Contains(components, workloadComponent): + !rbacResource(resource): workloadMisconfig = append(workloadMisconfig, resource) } } @@ -159,22 +157,21 @@ func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, compone var r []reports workloadResource = append(workloadResource, workloadVulnerabilities...) workloadResource = append(workloadResource, workloadMisconfig...) - if shouldAddToReport(scanners, components, workloadComponent) { + if shouldAddToReport(scanners) { workloadReport := Report{ SchemaVersion: 0, ClusterName: k8sReport.ClusterName, Resources: workloadResource, name: "Workload Assessment", } - if slices.Contains(components, workloadComponent) { - r = append(r, reports{ - Report: workloadReport, - Columns: WorkloadColumns(), - }) - } + r = append(r, reports{ + Report: workloadReport, + Columns: WorkloadColumns(), + }) + } infraMisconfig = append(infraMisconfig, infraVulnerabilities...) - if shouldAddToReport(scanners, components, infraComponent) { + if shouldAddToReport(scanners) { r = append(r, reports{ Report: Report{ SchemaVersion: 0, @@ -266,12 +263,11 @@ func (r Report) PrintErrors() { } } -func shouldAddToReport(scanners types.Scanners, components []string, componentType string) bool { +func shouldAddToReport(scanners types.Scanners) bool { return scanners.AnyEnabled( types.MisconfigScanner, types.VulnerabilityScanner, - types.SecretScanner) && - slices.Contains(components, componentType) + types.SecretScanner) } func vulnerabilitiesOrSecretResource(resource Resource) bool { diff --git a/pkg/k8s/report/report_test.go b/pkg/k8s/report/report_test.go index 6d14b52e12a9..a887464d798f 100644 --- a/pkg/k8s/report/report_test.go +++ b/pkg/k8s/report/report_test.go @@ -515,20 +515,15 @@ func Test_separateMisconfigReports(t *testing.T) { name string k8sReport Report scanners types.Scanners - components []string expectedReports []Report }{ - { + /*{ name: "Config, Rbac, and Infra Reports", k8sReport: k8sReport, scanners: types.Scanners{ types.MisconfigScanner, types.RBACScanner, }, - components: []string{ - workloadComponent, - infraComponent, - }, expectedReports: []Report{ // the order matter for the test { @@ -545,10 +540,6 @@ func Test_separateMisconfigReports(t *testing.T) { name: "Config and Infra for the same resource", k8sReport: k8sReport, scanners: types.Scanners{types.MisconfigScanner}, - components: []string{ - workloadComponent, - infraComponent, - }, expectedReports: []Report{ // the order matter for the test { @@ -567,12 +558,11 @@ func Test_separateMisconfigReports(t *testing.T) { expectedReports: []Report{ {Resources: []Resource{{Kind: "Role"}}}, }, - }, + },*/ { - name: "Config Report Only", - k8sReport: k8sReport, - scanners: types.Scanners{types.MisconfigScanner}, - components: []string{workloadComponent}, + name: "Config Report Only", + k8sReport: k8sReport, + scanners: types.Scanners{types.MisconfigScanner}, expectedReports: []Report{ { Resources: []Resource{ @@ -580,24 +570,28 @@ func Test_separateMisconfigReports(t *testing.T) { {Kind: "StatefulSet"}, }, }, + { + Resources: []Resource{ + {Kind: "Pod"}, + }, + }, }, }, - { + /* { name: "Infra Report Only", k8sReport: k8sReport, scanners: types.Scanners{types.MisconfigScanner}, - components: []string{infraComponent}, expectedReports: []Report{ {Resources: []Resource{{Kind: "Pod"}}}, }, - }, + },*/ // TODO: add vuln only // TODO: add secret only } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - reports := SeparateMisconfigReports(tt.k8sReport, tt.scanners, tt.components) + reports := SeparateMisconfigReports(tt.k8sReport, tt.scanners) assert.Equal(t, len(tt.expectedReports), len(reports)) for i := range reports { diff --git a/pkg/k8s/report/summary.go b/pkg/k8s/report/summary.go index f35a1b3f6624..de81e1a7b532 100644 --- a/pkg/k8s/report/summary.go +++ b/pkg/k8s/report/summary.go @@ -35,7 +35,7 @@ func NewSummaryWriter(output io.Writer, requiredSevs []dbTypes.Severity, columnH } } -func ColumnHeading(scanners types.Scanners, components, availableColumns []string) []string { +func ColumnHeading(scanners types.Scanners, availableColumns []string) []string { columns := []string{ NamespaceColumn, ResourceColumn, @@ -47,12 +47,7 @@ func ColumnHeading(scanners types.Scanners, components, availableColumns []strin case types.VulnerabilityScanner: securityOptions[VulnerabilitiesColumn] = nil case types.MisconfigScanner: - if slices.Contains(components, workloadComponent) { - securityOptions[MisconfigurationsColumn] = nil - } - if slices.Contains(components, infraComponent) { - securityOptions[MisconfigurationsColumn] = nil - } + securityOptions[MisconfigurationsColumn] = nil case types.SecretScanner: securityOptions[SecretsColumn] = nil case types.RBACScanner: diff --git a/pkg/k8s/report/summary_test.go b/pkg/k8s/report/summary_test.go index 8744db1c6233..7a38f3b01993 100644 --- a/pkg/k8s/report/summary_test.go +++ b/pkg/k8s/report/summary_test.go @@ -20,7 +20,6 @@ func TestReport_ColumnHeading(t *testing.T) { tests := []struct { name string scanners types.Scanners - components []string availableColumns []string want []string }{ @@ -28,10 +27,6 @@ func TestReport_ColumnHeading(t *testing.T) { name: "filter workload columns", scanners: allScanners, availableColumns: WorkloadColumns(), - components: []string{ - workloadComponent, - infraComponent, - }, want: []string{ NamespaceColumn, ResourceColumn, @@ -43,7 +38,6 @@ func TestReport_ColumnHeading(t *testing.T) { { name: "filter rbac columns", scanners: allScanners, - components: []string{}, availableColumns: RoleColumns(), want: []string{ NamespaceColumn, @@ -52,12 +46,8 @@ func TestReport_ColumnHeading(t *testing.T) { }, }, { - name: "filter infra columns", - scanners: allScanners, - components: []string{ - workloadComponent, - infraComponent, - }, + name: "filter infra columns", + scanners: allScanners, availableColumns: InfraColumns(), want: []string{ NamespaceColumn, @@ -68,12 +58,8 @@ func TestReport_ColumnHeading(t *testing.T) { }, }, { - name: "config column only", - scanners: types.Scanners{types.MisconfigScanner}, - components: []string{ - workloadComponent, - infraComponent, - }, + name: "config column only", + scanners: types.Scanners{types.MisconfigScanner}, availableColumns: WorkloadColumns(), want: []string{ NamespaceColumn, @@ -84,7 +70,6 @@ func TestReport_ColumnHeading(t *testing.T) { { name: "secret column only", scanners: types.Scanners{types.SecretScanner}, - components: []string{}, availableColumns: WorkloadColumns(), want: []string{ NamespaceColumn, @@ -95,7 +80,6 @@ func TestReport_ColumnHeading(t *testing.T) { { name: "vuln column only", scanners: types.Scanners{types.VulnerabilityScanner}, - components: []string{}, availableColumns: WorkloadColumns(), want: []string{ NamespaceColumn, @@ -107,7 +91,7 @@ func TestReport_ColumnHeading(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - column := ColumnHeading(tt.scanners, tt.components, tt.availableColumns) + column := ColumnHeading(tt.scanners, tt.availableColumns) if !assert.Equal(t, column, tt.want) { t.Error(fmt.Errorf("TestReport_ColumnHeading want %v got %v", tt.want, column)) } diff --git a/pkg/k8s/writer.go b/pkg/k8s/writer.go index 13204501fb59..abc5bb381b64 100644 --- a/pkg/k8s/writer.go +++ b/pkg/k8s/writer.go @@ -23,7 +23,7 @@ func Write(ctx context.Context, k8sreport report.Report, option report.Option) e } return jwriter.Write(k8sreport) case types.FormatTable: - separatedReports := report.SeparateMisconfigReports(k8sreport, option.Scanners, option.Components) + separatedReports := report.SeparateMisconfigReports(k8sreport, option.Scanners) if option.Report == report.SummaryReport { target := fmt.Sprintf("Summary Report for %s", k8sreport.ClusterName) @@ -35,7 +35,7 @@ func Write(ctx context.Context, k8sreport report.Report, option report.Option) e Output: option.Output, Report: option.Report, Severities: option.Severities, - ColumnHeading: report.ColumnHeading(option.Scanners, option.Components, r.Columns), + ColumnHeading: report.ColumnHeading(option.Scanners, r.Columns), } if err := writer.Write(ctx, r.Report); err != nil { diff --git a/pkg/k8s/writer_test.go b/pkg/k8s/writer_test.go index 23342a044916..2253dea17c93 100644 --- a/pkg/k8s/writer_test.go +++ b/pkg/k8s/writer_test.go @@ -202,109 +202,140 @@ func TestReportWrite_Summary(t *testing.T) { report report.Report opt report.Option scanners types.Scanners - components []string severities []dbTypes.Severity expectedOutput string - }{ - { - name: "Only config, all severities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployOrionWithMisconfigs}, - }, - scanners: types.Scanners{types.MisconfigScanner}, - components: []string{workloadComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + }{ /* + { + name: "Only config, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployOrionWithMisconfigs}, + }, + scanners: types.Scanners{types.MisconfigScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Workload Assessment -┌───────────┬──────────────┬───────────────────┐ -│ Namespace │ Resource │ Misconfigurations │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼──────────────┼───┼───┼───┼───┼───┤ -│ default │ Deploy/orion │ 1 │ 2 │ 1 │ 2 │ 1 │ -└───────────┴──────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only vuln, all severities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployOrionWithVulns}, - }, - scanners: types.Scanners{types.VulnerabilityScanner}, - components: []string{workloadComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + Workload Assessment + ┌───────────┬──────────────┬───────────────────┐ + │ Namespace │ Resource │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼──────────────┼───┼───┼───┼───┼───┤ + │ default │ Deploy/orion │ 1 │ 2 │ 1 │ 2 │ 1 │ + └───────────┴──────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN -Workload Assessment -┌───────────┬──────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼──────────────┼───┼───┼───┼───┼───┤ -│ default │ Deploy/orion │ 2 │ 1 │ 2 │ 1 │ 1 │ -└───────────┴──────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only rbac, all severities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{roleWithMisconfig}, - }, - scanners: types.Scanners{types.RBACScanner}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= -RBAC Assessment -┌───────────┬─────────────────────────────────────────────────────┬───────────────────┐ -│ Namespace │ Resource │ RBAC Assessment │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤ -│ default │ Role/system::leader-locking-kube-controller-manager │ │ │ 1 │ │ │ -└───────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only secret, all severities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployLuaWithSecrets}, - }, - scanners: types.Scanners{types.SecretScanner}, - components: []string{workloadComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + Infra Assessment + ┌───────────┬──────────┬───────────────────┐ + │ Namespace │ Resource │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only vuln, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployOrionWithVulns}, + }, + scanners: types.Scanners{types.VulnerabilityScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Workload Assessment -┌───────────┬────────────┬───────────────────┐ -│ Namespace │ Resource │ Secrets │ -│ │ ├───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ -├───────────┼────────────┼───┼───┼───┼───┼───┤ -│ default │ Deploy/lua │ 1 │ │ 1 │ │ │ -└───────────┴────────────┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, + Workload Assessment + ┌───────────┬──────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼──────────────┼───┼───┼───┼───┼───┤ + │ default │ Deploy/orion │ 2 │ 1 │ 2 │ 1 │ 1 │ + └───────────┴──────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + + Infra Assessment + ┌───────────┬──────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only rbac, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{roleWithMisconfig}, + }, + scanners: types.Scanners{types.RBACScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= + + RBAC Assessment + ┌───────────┬─────────────────────────────────────────────────────┬───────────────────┐ + │ Namespace │ Resource │ RBAC Assessment │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤ + │ default │ Role/system::leader-locking-kube-controller-manager │ │ │ 1 │ │ │ + └───────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only secret, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployLuaWithSecrets}, + }, + scanners: types.Scanners{types.SecretScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= + + Workload Assessment + ┌───────────┬────────────┬───────────────────┐ + │ Namespace │ Resource │ Secrets │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + ├───────────┼────────────┼───┼───┼───┼───┼───┤ + │ default │ Deploy/lua │ 1 │ │ 1 │ │ │ + └───────────┴────────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + + Infra Assessment + ┌───────────┬──────────┬───────────────────┐ + │ Namespace │ Resource │ Secrets │ + │ │ ├───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + },*/ { - name: "apiserver, only infra and severities", + name: "apiserver, only infra and serverities", report: report.Report{ ClusterName: "test", Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, }, scanners: types.Scanners{types.MisconfigScanner}, - components: []string{infraComponent}, severities: allSeverities, expectedOutput: `Summary Report for test ======================= +Workload Assessment +┌───────────┬──────────┬───────────────────┐ +│ Namespace │ Resource │ Misconfigurations │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + Infra Assessment ┌─────────────┬────────────────────┬───────────────────┐ │ Namespace │ Resource │ Misconfigurations │ @@ -314,70 +345,65 @@ Infra Assessment │ kube-system │ Pod/kube-apiserver │ │ 1 │ 2 │ 2 │ │ └─────────────┴────────────────────┴───┴───┴───┴───┴───┘ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "apiserver, vuln,config,secret and severities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, - }, - scanners: types.Scanners{ - types.VulnerabilityScanner, - types.MisconfigScanner, - types.SecretScanner, - }, - components: []string{infraComponent}, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + }, /* + { + name: "apiserver, vuln,config,secret and serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, + }, + scanners: types.Scanners{ + types.VulnerabilityScanner, + types.MisconfigScanner, + types.SecretScanner, + }, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Infra Assessment -┌─────────────┬────────────────────┬───────────────────┬───────────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ -│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ -├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ -│ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ │ │ │ │ │ -└─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "apiserver, all misconfig and vuln scanners and severities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, - }, - scanners: types.Scanners{ - types.MisconfigScanner, - types.VulnerabilityScanner, - }, - components: []string{ - workloadComponent, - infraComponent, - }, - severities: allSeverities, - expectedOutput: `Summary Report for test -======================= + Infra Assessment + ┌─────────────┬────────────────────┬───────────────────┬───────────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ + │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ + ├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ + │ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ │ │ │ │ │ + └─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "apiserver, all misconfig and vuln scanners and serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, + }, + scanners: types.Scanners{ + types.MisconfigScanner, + types.VulnerabilityScanner, + }, + severities: allSeverities, + expectedOutput: `Summary Report for test + ======================= -Workload Assessment -┌───────────┬──────────┬───────────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ -│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ -└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + Workload Assessment + ┌───────────┬──────────┬───────────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ + └───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN -Infra Assessment -┌─────────────┬────────────────────┬───────────────────┬───────────────────┐ -│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ -│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ -│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ -├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ -│ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ -└─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ -Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, + Infra Assessment + ┌─────────────┬────────────────────┬───────────────────┬───────────────────┐ + │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ + │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ + │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ + ├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ + │ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ + └─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ + Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + },*/ } for _, tc := range tests { @@ -390,7 +416,6 @@ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, Output: &output, Scanners: tc.scanners, Severities: tc.severities, - Components: tc.components, } err := Write(context.Background(), tc.report, opt) From 97b763c746c167201d78a29099d785245ce516bb Mon Sep 17 00:00:00 2001 From: chenk Date: Sun, 31 Mar 2024 14:34:18 +0300 Subject: [PATCH 2/9] test: integration remove --components flag Signed-off-by: chenk --- pkg/k8s/writer_test.go | 354 +++++++++++++++++++++-------------------- 1 file changed, 180 insertions(+), 174 deletions(-) diff --git a/pkg/k8s/writer_test.go b/pkg/k8s/writer_test.go index 2253dea17c93..1b5b6af93c9c 100644 --- a/pkg/k8s/writer_test.go +++ b/pkg/k8s/writer_test.go @@ -23,9 +23,6 @@ const ( tableFormat = "table" jsonFormat = "json" cycloneDXFormat = "cyclonedx" - - workloadComponent = "workload" - infraComponent = "infra" ) var ( @@ -204,118 +201,118 @@ func TestReportWrite_Summary(t *testing.T) { scanners types.Scanners severities []dbTypes.Severity expectedOutput string - }{ /* - { - name: "Only config, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployOrionWithMisconfigs}, - }, - scanners: types.Scanners{types.MisconfigScanner}, - severities: allSeverities, - expectedOutput: `Summary Report for test - ======================= - - Workload Assessment - ┌───────────┬──────────────┬───────────────────┐ - │ Namespace │ Resource │ Misconfigurations │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - ├───────────┼──────────────┼───┼───┼───┼───┼───┤ - │ default │ Deploy/orion │ 1 │ 2 │ 1 │ 2 │ 1 │ - └───────────┴──────────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN - - - Infra Assessment - ┌───────────┬──────────┬───────────────────┐ - │ Namespace │ Resource │ Misconfigurations │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - └───────────┴──────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only vuln, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployOrionWithVulns}, - }, - scanners: types.Scanners{types.VulnerabilityScanner}, - severities: allSeverities, - expectedOutput: `Summary Report for test - ======================= - - Workload Assessment - ┌───────────┬──────────────┬───────────────────┐ - │ Namespace │ Resource │ Vulnerabilities │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - ├───────────┼──────────────┼───┼───┼───┼───┼───┤ - │ default │ Deploy/orion │ 2 │ 1 │ 2 │ 1 │ 1 │ - └───────────┴──────────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN - - - Infra Assessment - ┌───────────┬──────────┬───────────────────┐ - │ Namespace │ Resource │ Vulnerabilities │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - └───────────┴──────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only rbac, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{roleWithMisconfig}, - }, - scanners: types.Scanners{types.RBACScanner}, - severities: allSeverities, - expectedOutput: `Summary Report for test - ======================= - - RBAC Assessment - ┌───────────┬─────────────────────────────────────────────────────┬───────────────────┐ - │ Namespace │ Resource │ RBAC Assessment │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - ├───────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤ - │ default │ Role/system::leader-locking-kube-controller-manager │ │ │ 1 │ │ │ - └───────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "Only secret, all serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{deployLuaWithSecrets}, - }, - scanners: types.Scanners{types.SecretScanner}, - severities: allSeverities, - expectedOutput: `Summary Report for test - ======================= - - Workload Assessment - ┌───────────┬────────────┬───────────────────┐ - │ Namespace │ Resource │ Secrets │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - ├───────────┼────────────┼───┼───┼───┼───┼───┤ - │ default │ Deploy/lua │ 1 │ │ 1 │ │ │ - └───────────┴────────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN - - - Infra Assessment - ┌───────────┬──────────┬───────────────────┐ - │ Namespace │ Resource │ Secrets │ - │ │ ├───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ - └───────────┴──────────┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - },*/ + }{ + { + name: "Only config, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployOrionWithMisconfigs}, + }, + scanners: types.Scanners{types.MisconfigScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test +======================= + +Workload Assessment +┌───────────┬──────────────┬───────────────────┐ +│ Namespace │ Resource │ Misconfigurations │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +├───────────┼──────────────┼───┼───┼───┼───┼───┤ +│ default │ Deploy/orion │ 1 │ 2 │ 1 │ 2 │ 1 │ +└───────────┴──────────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + +Infra Assessment +┌───────────┬──────────┬───────────────────┐ +│ Namespace │ Resource │ Misconfigurations │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only vuln, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployOrionWithVulns}, + }, + scanners: types.Scanners{types.VulnerabilityScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test +======================= + +Workload Assessment +┌───────────┬──────────────┬───────────────────┐ +│ Namespace │ Resource │ Vulnerabilities │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +├───────────┼──────────────┼───┼───┼───┼───┼───┤ +│ default │ Deploy/orion │ 2 │ 1 │ 2 │ 1 │ 1 │ +└───────────┴──────────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + +Infra Assessment +┌───────────┬──────────┬───────────────────┐ +│ Namespace │ Resource │ Vulnerabilities │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only rbac, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{roleWithMisconfig}, + }, + scanners: types.Scanners{types.RBACScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test +======================= + +RBAC Assessment +┌───────────┬─────────────────────────────────────────────────────┬───────────────────┐ +│ Namespace │ Resource │ RBAC Assessment │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +├───────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤ +│ default │ Role/system::leader-locking-kube-controller-manager │ │ │ 1 │ │ │ +└───────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "Only secret, all serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{deployLuaWithSecrets}, + }, + scanners: types.Scanners{types.SecretScanner}, + severities: allSeverities, + expectedOutput: `Summary Report for test +======================= + +Workload Assessment +┌───────────┬────────────┬───────────────────┐ +│ Namespace │ Resource │ Secrets │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +├───────────┼────────────┼───┼───┼───┼───┼───┤ +│ default │ Deploy/lua │ 1 │ │ 1 │ │ │ +└───────────┴────────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + +Infra Assessment +┌───────────┬──────────┬───────────────────┐ +│ Namespace │ Resource │ Secrets │ +│ │ ├───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, { name: "apiserver, only infra and serverities", report: report.Report{ @@ -345,65 +342,74 @@ Infra Assessment │ kube-system │ Pod/kube-apiserver │ │ 1 │ 2 │ 2 │ │ └─────────────┴────────────────────┴───┴───┴───┴───┴───┘ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, /* - { - name: "apiserver, vuln,config,secret and serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, - }, - scanners: types.Scanners{ - types.VulnerabilityScanner, - types.MisconfigScanner, - types.SecretScanner, - }, - severities: allSeverities, - expectedOutput: `Summary Report for test - ======================= - - Infra Assessment - ┌─────────────┬────────────────────┬───────────────────┬───────────────────┬───────────────────┐ - │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ - │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ - ├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ - │ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ │ │ │ │ │ - └─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - }, - { - name: "apiserver, all misconfig and vuln scanners and serverities", - report: report.Report{ - ClusterName: "test", - Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, - }, - scanners: types.Scanners{ - types.MisconfigScanner, - types.VulnerabilityScanner, - }, - severities: allSeverities, - expectedOutput: `Summary Report for test - ======================= - - Workload Assessment - ┌───────────┬──────────┬───────────────────┬───────────────────┐ - │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ - │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ - └───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN - - - Infra Assessment - ┌─────────────┬────────────────────┬───────────────────┬───────────────────┐ - │ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ - │ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ - │ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ - ├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ - │ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ - └─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ - Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, - },*/ + }, + { + name: "apiserver, vuln,config,secret and serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, + }, + scanners: types.Scanners{ + types.VulnerabilityScanner, + types.MisconfigScanner, + types.SecretScanner, + }, + severities: allSeverities, + expectedOutput: `Summary Report for test +======================= + +Workload Assessment +┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐ +│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ +│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + +Infra Assessment +┌─────────────┬────────────────────┬───────────────────┬───────────────────┬───────────────────┐ +│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │ +│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ +├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ +│ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ │ │ │ │ │ +└─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, + { + name: "apiserver, all misconfig and vuln scanners and serverities", + report: report.Report{ + ClusterName: "test", + Resources: []report.Resource{apiseverPodWithMisconfigAndInfra}, + }, + scanners: types.Scanners{ + types.MisconfigScanner, + types.VulnerabilityScanner, + }, + severities: allSeverities, + expectedOutput: `Summary Report for test +======================= + +Workload Assessment +┌───────────┬──────────┬───────────────────┬───────────────────┐ +│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ +│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ +└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN + + +Infra Assessment +┌─────────────┬────────────────────┬───────────────────┬───────────────────┐ +│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ +│ │ ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤ +│ │ │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ +├─────────────┼────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤ +│ kube-system │ Pod/kube-apiserver │ │ │ │ │ │ │ 1 │ 2 │ 2 │ │ +└─────────────┴────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘ +Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`, + }, } for _, tc := range tests { From 07e978359107f0be95f0b700b94768e7beefc1e3 Mon Sep 17 00:00:00 2001 From: chenk Date: Mon, 1 Apr 2024 09:09:49 +0300 Subject: [PATCH 3/9] feat: k8s intrusive flag support Signed-off-by: chenk --- pkg/flag/options.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/pkg/flag/options.go b/pkg/flag/options.go index 06da00e292e4..7b251795f4f2 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -360,15 +360,10 @@ func (o *Options) Align() { } // Vulnerability scanning is disabled by default for CycloneDX. - if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) { // remove K8sOptions.Components validation check when vuln scan is supported for k8s report with cycloneDX + if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) { log.Logger.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`) o.Scanners = nil } - - if o.Format == types.FormatCycloneDX { - log.Logger.Info(`"k8s with --format cyclonedx" disable security scanning`) - o.Scanners = nil - } } // RegistryOpts returns options for OCI registries From 865a7394940ae619d3a99a577868626a39c048d7 Mon Sep 17 00:00:00 2001 From: chenk Date: Tue, 2 Apr 2024 12:06:13 +0300 Subject: [PATCH 4/9] feat: change flag name from skip-intrusive to non-intrusive Signed-off-by: chenk --- docs/docs/references/configuration/cli/trivy_kubernetes.md | 2 +- pkg/flag/kubernetes_flags.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 4c236a404dfc..e3f20aef5c0e 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -70,6 +70,7 @@ trivy kubernetes [flags] [CONTEXT] --no-progress suppress progress bar --node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.0.9") --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") + --non-intrusive When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. --offline-scan do not issue API requests to identify dependencies -o, --output string output file name --output-plugin-arg string [EXPERIMENTAL] output plugin arguments @@ -95,7 +96,6 @@ trivy kubernetes [flags] [CONTEXT] --skip-db-update skip updating vulnerability database --skip-dirs strings specify the directories or glob patterns to skip --skip-files strings specify the files or glob patterns to skip - --skip-intrusive When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. --skip-java-db-update skip updating Java index database --skip-policy-update skip fetching rego policy updates -t, --template string output template diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index 04947bcb0aaa..b4625650642d 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -91,7 +91,7 @@ type K8sFlagGroup struct { KubeConfig *Flag[string] K8sVersion *Flag[string] Tolerations *Flag[[]string] - SkipIntrusive *Flag[bool] + NonIntrusive *Flag[bool] NodeCollectorImageRef *Flag[string] NodeCollectorNamespace *Flag[string] ExcludeOwned *Flag[bool] @@ -111,7 +111,7 @@ type K8sOptions struct { NodeCollectorImageRef string NodeCollectorNamespace string ExcludeOwned bool - SkipIntrusive bool + NonIntrusive bool ExcludeNodes map[string]string ExcludeKinds []string IncludeKinds []string @@ -148,7 +148,7 @@ func (f *K8sFlagGroup) Flags() []Flagger { return []Flagger{ f.KubeConfig, f.K8sVersion, - f.SkipIntrusive, + f.NonIntrusive, f.Tolerations, f.NodeCollectorNamespace, f.ExcludeOwned, From 21add62df2259c82e87becea730a1ebcfcd1fc88 Mon Sep 17 00:00:00 2001 From: chenk Date: Thu, 4 Apr 2024 09:20:53 +0300 Subject: [PATCH 5/9] feat: add info msg to disable node-collector scanning Signed-off-by: chenk --- pkg/k8s/commands/cluster.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go index 937e9b813525..bed386e168c2 100644 --- a/pkg/k8s/commands/cluster.go +++ b/pkg/k8s/commands/cluster.go @@ -53,6 +53,10 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err return xerrors.Errorf(`unknown format %q. Use "json" or "table" or "cyclonedx"`, opts.Format) } + if !opts.NonIntrusive && !opts.Quiet { + log.Logger.Info("Node scanning is enabled") + log.Logger.Info("If you want to disable Node scanning via an in-cluster Job, please try '--non-intrusive' to disable the Node-Collector job.") + } runner := newRunner(opts, cluster.GetCurrentContext()) return runner.run(ctx, artifacts) } From b9a0b1e5743ccf4524c313200fc02a98ce12299d Mon Sep 17 00:00:00 2001 From: chenk Date: Mon, 15 Apr 2024 10:42:40 +0300 Subject: [PATCH 6/9] feat: change flag name to disable-node-collector Signed-off-by: chenk --- pkg/flag/kubernetes_flags.go | 26 +++++++++++++++++++++++--- pkg/flag/options.go | 2 +- pkg/k8s/commands/cluster.go | 21 ++++++++++++++++++--- 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index b4625650642d..1c6578b644c3 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -25,9 +25,21 @@ var ( ConfigName: "kubernetes.tolerations", Usage: "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)", } +<<<<<<< HEAD DisableNodeCollector = Flag[bool]{ Name: "disable-node-collector", ConfigName: "kubernetes.disableNodeCollector", +======= + AllNamespaces = Flag[bool]{ + Name: "all-namespaces", + ConfigName: "kubernetes.all.namespaces", + Shorthand: "A", + Usage: "fetch resources from all cluster namespaces", + } + DisableNodeCollector = Flag[bool]{ + Name: "disable-node-collector", + ConfigName: "kubernetes.disable.node.collector", +>>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) Usage: "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.", } NodeCollectorNamespace = Flag[string]{ @@ -91,7 +103,7 @@ type K8sFlagGroup struct { KubeConfig *Flag[string] K8sVersion *Flag[string] Tolerations *Flag[[]string] - NonIntrusive *Flag[bool] + DisableNodeCollector *Flag[bool] NodeCollectorImageRef *Flag[string] NodeCollectorNamespace *Flag[string] ExcludeOwned *Flag[bool] @@ -111,7 +123,7 @@ type K8sOptions struct { NodeCollectorImageRef string NodeCollectorNamespace string ExcludeOwned bool - NonIntrusive bool + DisableNodeCollector bool ExcludeNodes map[string]string ExcludeKinds []string IncludeKinds []string @@ -127,6 +139,10 @@ func NewK8sFlagGroup() *K8sFlagGroup { K8sVersion: K8sVersionFlag.Clone(), Tolerations: TolerationsFlag.Clone(), DisableNodeCollector: DisableNodeCollector.Clone(), +<<<<<<< HEAD +======= + AllNamespaces: AllNamespaces.Clone(), +>>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) NodeCollectorNamespace: NodeCollectorNamespace.Clone(), ExcludeOwned: ExcludeOwned.Clone(), ExcludeNodes: ExcludeNodes.Clone(), @@ -148,7 +164,7 @@ func (f *K8sFlagGroup) Flags() []Flagger { return []Flagger{ f.KubeConfig, f.K8sVersion, - f.NonIntrusive, + f.DisableNodeCollector, f.Tolerations, f.NodeCollectorNamespace, f.ExcludeOwned, @@ -194,6 +210,10 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) { K8sVersion: f.K8sVersion.Value(), Tolerations: tolerations, DisableNodeCollector: f.DisableNodeCollector.Value(), +<<<<<<< HEAD +======= + AllNamespaces: f.AllNamespaces.Value(), +>>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) NodeCollectorNamespace: f.NodeCollectorNamespace.Value(), ExcludeOwned: f.ExcludeOwned.Value(), ExcludeNodes: exludeNodeLabels, diff --git a/pkg/flag/options.go b/pkg/flag/options.go index 7b251795f4f2..9d49f5dfe807 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -361,7 +361,7 @@ func (o *Options) Align() { // Vulnerability scanning is disabled by default for CycloneDX. if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) { - log.Logger.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`) + log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`) o.Scanners = nil } } diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go index bed386e168c2..7e8fdb05ca91 100644 --- a/pkg/k8s/commands/cluster.go +++ b/pkg/k8s/commands/cluster.go @@ -3,7 +3,11 @@ package commands import ( "context" +<<<<<<< HEAD "golang.org/x/exp/slices" +======= + "go.uber.org/zap" +>>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) "golang.org/x/xerrors" k8sArtifacts "github.com/aquasecurity/trivy-kubernetes/pkg/artifacts" @@ -15,6 +19,11 @@ import ( // clusterRun runs scan on kubernetes cluster func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) error { +<<<<<<< HEAD +======= + // TODO: replace with log.Logger + logger, _ := zap.NewProduction() +>>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) if err := validateReportArguments(opts); err != nil { return err } @@ -27,6 +36,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err return xerrors.Errorf("get k8s artifacts with node info error: %w", err) } case types.FormatJSON, types.FormatTable: +<<<<<<< HEAD k8sOpts := []trivyk8s.K8sOption{ trivyk8s.WithExcludeNamespaces(opts.ExcludeNamespaces), trivyk8s.WithIncludeNamespaces(opts.IncludeNamespaces), @@ -36,6 +46,11 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err } if opts.Scanners.AnyEnabled(types.MisconfigScanner) && !opts.DisableNodeCollector { artifacts, err = trivyk8s.New(cluster, k8sOpts...).ListArtifactAndNodeInfo(ctx, +======= + + if opts.Scanners.AnyEnabled(types.MisconfigScanner) && !opts.DisableNodeCollector { + artifacts, err = trivyk8s.New(cluster, logger.Sugar(), trivyk8s.WithExcludeOwned(opts.ExcludeOwned)).ListArtifactAndNodeInfo(ctx, +>>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace), trivyk8s.WithIgnoreLabels(opts.ExcludeNodes), trivyk8s.WithScanJobImageRef(opts.NodeCollectorImageRef), @@ -53,9 +68,9 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err return xerrors.Errorf(`unknown format %q. Use "json" or "table" or "cyclonedx"`, opts.Format) } - if !opts.NonIntrusive && !opts.Quiet { - log.Logger.Info("Node scanning is enabled") - log.Logger.Info("If you want to disable Node scanning via an in-cluster Job, please try '--non-intrusive' to disable the Node-Collector job.") + if !opts.DisableNodeCollector && !opts.Quiet { + logger.Sugar().Info("Node scanning is enabled") + logger.Sugar().Info("If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.") } runner := newRunner(opts, cluster.GetCurrentContext()) return runner.run(ctx, artifacts) From a5cafe3ee440aaa5e7fda0698919257fa7f29534 Mon Sep 17 00:00:00 2001 From: chenk Date: Mon, 15 Apr 2024 10:44:26 +0300 Subject: [PATCH 7/9] feat: change flag name to disable-node-collector Signed-off-by: chenk --- docs/docs/references/configuration/cli/trivy_kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index e3f20aef5c0e..4c3aaf5bb144 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -38,6 +38,7 @@ trivy kubernetes [flags] [CONTEXT] --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan --exclude-kinds strings indicate the kinds exclude from scanning (example: node) @@ -70,7 +71,6 @@ trivy kubernetes [flags] [CONTEXT] --no-progress suppress progress bar --node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.0.9") --node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp") - --non-intrusive When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node. --offline-scan do not issue API requests to identify dependencies -o, --output string output file name --output-plugin-arg string [EXPERIMENTAL] output plugin arguments From 467cbdacacf8317f095018d3d994d74dc453d2e5 Mon Sep 17 00:00:00 2001 From: chenk Date: Wed, 24 Apr 2024 11:23:53 +0300 Subject: [PATCH 8/9] feat: update flag name in config.yaml Signed-off-by: chenk --- pkg/flag/kubernetes_flags.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index 1c6578b644c3..9a285524d57b 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -38,8 +38,7 @@ var ( } DisableNodeCollector = Flag[bool]{ Name: "disable-node-collector", - ConfigName: "kubernetes.disable.node.collector", ->>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) + ConfigName: "kubernetes.disableNodeCollector", Usage: "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.", } NodeCollectorNamespace = Flag[string]{ From 7f2bd0226500a65b3c3701a766535de65f507b77 Mon Sep 17 00:00:00 2001 From: chenk Date: Fri, 26 Apr 2024 08:49:46 +0300 Subject: [PATCH 9/9] feat: k8s intrusive flag support Signed-off-by: chenk --- pkg/flag/kubernetes_flags.go | 19 ------------------- pkg/k8s/commands/cluster.go | 21 +++------------------ pkg/k8s/report/report_test.go | 26 ++++++++++++++++++-------- 3 files changed, 21 insertions(+), 45 deletions(-) diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go index 9a285524d57b..996317e0be4f 100644 --- a/pkg/flag/kubernetes_flags.go +++ b/pkg/flag/kubernetes_flags.go @@ -25,17 +25,6 @@ var ( ConfigName: "kubernetes.tolerations", Usage: "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)", } -<<<<<<< HEAD - DisableNodeCollector = Flag[bool]{ - Name: "disable-node-collector", - ConfigName: "kubernetes.disableNodeCollector", -======= - AllNamespaces = Flag[bool]{ - Name: "all-namespaces", - ConfigName: "kubernetes.all.namespaces", - Shorthand: "A", - Usage: "fetch resources from all cluster namespaces", - } DisableNodeCollector = Flag[bool]{ Name: "disable-node-collector", ConfigName: "kubernetes.disableNodeCollector", @@ -138,10 +127,6 @@ func NewK8sFlagGroup() *K8sFlagGroup { K8sVersion: K8sVersionFlag.Clone(), Tolerations: TolerationsFlag.Clone(), DisableNodeCollector: DisableNodeCollector.Clone(), -<<<<<<< HEAD -======= - AllNamespaces: AllNamespaces.Clone(), ->>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) NodeCollectorNamespace: NodeCollectorNamespace.Clone(), ExcludeOwned: ExcludeOwned.Clone(), ExcludeNodes: ExcludeNodes.Clone(), @@ -209,10 +194,6 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) { K8sVersion: f.K8sVersion.Value(), Tolerations: tolerations, DisableNodeCollector: f.DisableNodeCollector.Value(), -<<<<<<< HEAD -======= - AllNamespaces: f.AllNamespaces.Value(), ->>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) NodeCollectorNamespace: f.NodeCollectorNamespace.Value(), ExcludeOwned: f.ExcludeOwned.Value(), ExcludeNodes: exludeNodeLabels, diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go index 7e8fdb05ca91..6b169771f1ca 100644 --- a/pkg/k8s/commands/cluster.go +++ b/pkg/k8s/commands/cluster.go @@ -3,27 +3,18 @@ package commands import ( "context" -<<<<<<< HEAD - "golang.org/x/exp/slices" -======= - "go.uber.org/zap" ->>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) "golang.org/x/xerrors" k8sArtifacts "github.com/aquasecurity/trivy-kubernetes/pkg/artifacts" "github.com/aquasecurity/trivy-kubernetes/pkg/k8s" "github.com/aquasecurity/trivy-kubernetes/pkg/trivyk8s" "github.com/aquasecurity/trivy/pkg/flag" + "github.com/aquasecurity/trivy/pkg/log" "github.com/aquasecurity/trivy/pkg/types" ) // clusterRun runs scan on kubernetes cluster func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) error { -<<<<<<< HEAD -======= - // TODO: replace with log.Logger - logger, _ := zap.NewProduction() ->>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) if err := validateReportArguments(opts); err != nil { return err } @@ -36,7 +27,6 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err return xerrors.Errorf("get k8s artifacts with node info error: %w", err) } case types.FormatJSON, types.FormatTable: -<<<<<<< HEAD k8sOpts := []trivyk8s.K8sOption{ trivyk8s.WithExcludeNamespaces(opts.ExcludeNamespaces), trivyk8s.WithIncludeNamespaces(opts.IncludeNamespaces), @@ -46,11 +36,6 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err } if opts.Scanners.AnyEnabled(types.MisconfigScanner) && !opts.DisableNodeCollector { artifacts, err = trivyk8s.New(cluster, k8sOpts...).ListArtifactAndNodeInfo(ctx, -======= - - if opts.Scanners.AnyEnabled(types.MisconfigScanner) && !opts.DisableNodeCollector { - artifacts, err = trivyk8s.New(cluster, logger.Sugar(), trivyk8s.WithExcludeOwned(opts.ExcludeOwned)).ListArtifactAndNodeInfo(ctx, ->>>>>>> 660c113f6 (feat: change flag name to disable-node-collector) trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace), trivyk8s.WithIgnoreLabels(opts.ExcludeNodes), trivyk8s.WithScanJobImageRef(opts.NodeCollectorImageRef), @@ -69,8 +54,8 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err } if !opts.DisableNodeCollector && !opts.Quiet { - logger.Sugar().Info("Node scanning is enabled") - logger.Sugar().Info("If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.") + log.InfoContext(ctx, "Node scanning is enabled") + log.InfoContext(ctx, "If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.") } runner := newRunner(opts, cluster.GetCurrentContext()) return runner.run(ctx, artifacts) diff --git a/pkg/k8s/report/report_test.go b/pkg/k8s/report/report_test.go index a887464d798f..e9e9ae5e3a91 100644 --- a/pkg/k8s/report/report_test.go +++ b/pkg/k8s/report/report_test.go @@ -517,7 +517,7 @@ func Test_separateMisconfigReports(t *testing.T) { scanners types.Scanners expectedReports []Report }{ - /*{ + { name: "Config, Rbac, and Infra Reports", k8sReport: k8sReport, scanners: types.Scanners{ @@ -558,7 +558,7 @@ func Test_separateMisconfigReports(t *testing.T) { expectedReports: []Report{ {Resources: []Resource{{Kind: "Role"}}}, }, - },*/ + }, { name: "Config Report Only", k8sReport: k8sReport, @@ -577,14 +577,24 @@ func Test_separateMisconfigReports(t *testing.T) { }, }, }, - /* { - name: "Infra Report Only", - k8sReport: k8sReport, - scanners: types.Scanners{types.MisconfigScanner}, + { + name: "Infra Report Only", + k8sReport: k8sReport, + scanners: types.Scanners{types.MisconfigScanner}, expectedReports: []Report{ - {Resources: []Resource{{Kind: "Pod"}}}, + { + Resources: []Resource{ + {Kind: "Deployment"}, + {Kind: "StatefulSet"}, + }, + }, + { + Resources: []Resource{ + {Kind: "Pod"}, + }, + }, }, - },*/ + }, // TODO: add vuln only // TODO: add secret only