Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(misconf): Add support for --include-deprecated-checks #6671

Merged
merged 3 commits into from
May 14, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-aws v0.8.0
github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: update this when aquasecurity/trivy-aws#148 is merged

github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -773,8 +773,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334 h1:MgvbLyL
github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334/go.mod h1:TKXn7bPfMM52ETP4sjjwkTKCZ18CqCs+I/vtFePSdBc=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-aws v0.8.0 h1:4ij8MiZ2sJUH+vWpSeoGVhPr109ZBcNp7LNLfPuv5Cw=
github.com/aquasecurity/trivy-aws v0.8.0/go.mod h1:Pb9xqOuTKMHVgjsnjvudjqZh3nmzdFqFVfRkXnoIZBM=
github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b h1:mBMM6+kLTPaqSxNLO51rL6HiCKL1ElV5RXM+BEAK8fg=
github.com/aquasecurity/trivy-aws v0.8.1-0.20240511051125-4393910b056b/go.mod h1:z638DsULU5CCIk8QZqcj8u2D5IIRzvjq4jI1VDQGda4=
github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e h1:s0P4VeCqb7tWw06/L1cZ5/42AWy6VZFuLZ96THPJmmM=
github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e/go.mod h1:UIFQxYlKcL7EGhNVicFmZ6XxZ2UpFZU7bNKEv/Y/6XM=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
Expand Down
1 change: 1 addition & 0 deletions pkg/commands/artifact/run.go
Original file line number Diff line number Diff line change
Expand Up @@ -587,6 +587,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
K8sVersion: opts.K8sVersion,
DisableEmbeddedPolicies: disableEmbedded,
DisableEmbeddedLibraries: disableEmbedded,
IncludeDeprecatedChecks: opts.IncludeDeprecatedChecks,
TfExcludeDownloaded: opts.TfExcludeDownloaded,
}
}
Expand Down
50 changes: 30 additions & 20 deletions pkg/flag/rego_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,11 @@ package flag
// config-policy: "custom-policy/policy"
// policy-namespaces: "user"
var (
IncludeDeprecatedChecksFlag = Flag[bool]{
Name: "include-deprecated-checks",
ConfigName: "rego.include-deprecated-checks",
Usage: "include deprecated checks",
}
SkipCheckUpdateFlag = Flag[bool]{
Name: "skip-check-update",
ConfigName: "rego.skip-check-update",
Expand Down Expand Up @@ -53,28 +58,31 @@ var (

// RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
type RegoFlagGroup struct {
SkipCheckUpdate *Flag[bool]
Trace *Flag[bool]
CheckPaths *Flag[[]string]
DataPaths *Flag[[]string]
CheckNamespaces *Flag[[]string]
IncludeDeprecatedChecks *Flag[bool]
SkipCheckUpdate *Flag[bool]
Trace *Flag[bool]
CheckPaths *Flag[[]string]
DataPaths *Flag[[]string]
CheckNamespaces *Flag[[]string]
}

type RegoOptions struct {
SkipCheckUpdate bool
Trace bool
CheckPaths []string
DataPaths []string
CheckNamespaces []string
IncludeDeprecatedChecks bool
SkipCheckUpdate bool
Trace bool
CheckPaths []string
DataPaths []string
CheckNamespaces []string
}

func NewRegoFlagGroup() *RegoFlagGroup {
return &RegoFlagGroup{
SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
Trace: TraceFlag.Clone(),
CheckPaths: ConfigCheckFlag.Clone(),
DataPaths: ConfigDataFlag.Clone(),
CheckNamespaces: CheckNamespaceFlag.Clone(),
IncludeDeprecatedChecks: IncludeDeprecatedChecksFlag.Clone(),
SkipCheckUpdate: SkipCheckUpdateFlag.Clone(),
Trace: TraceFlag.Clone(),
CheckPaths: ConfigCheckFlag.Clone(),
DataPaths: ConfigDataFlag.Clone(),
CheckNamespaces: CheckNamespaceFlag.Clone(),
}
}

Expand All @@ -84,6 +92,7 @@ func (f *RegoFlagGroup) Name() string {

func (f *RegoFlagGroup) Flags() []Flagger {
return []Flagger{
f.IncludeDeprecatedChecks,
f.SkipCheckUpdate,
f.Trace,
f.CheckPaths,
Expand All @@ -98,10 +107,11 @@ func (f *RegoFlagGroup) ToOptions() (RegoOptions, error) {
}

return RegoOptions{
SkipCheckUpdate: f.SkipCheckUpdate.Value(),
Trace: f.Trace.Value(),
CheckPaths: f.CheckPaths.Value(),
DataPaths: f.DataPaths.Value(),
CheckNamespaces: f.CheckNamespaces.Value(),
IncludeDeprecatedChecks: f.IncludeDeprecatedChecks.Value(),
SkipCheckUpdate: f.SkipCheckUpdate.Value(),
Trace: f.Trace.Value(),
CheckPaths: f.CheckPaths.Value(),
DataPaths: f.DataPaths.Value(),
CheckNamespaces: f.CheckNamespaces.Value(),
}, nil
}
45 changes: 28 additions & 17 deletions pkg/iac/rego/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,28 +26,33 @@ import (
var _ options.ConfigurableScanner = (*Scanner)(nil)

type Scanner struct {
ruleNamespaces map[string]struct{}
policies map[string]*ast.Module
store storage.Store
dataDirs []string
runtimeValues *ast.Term
compiler *ast.Compiler
regoErrorLimit int
debug debug.Logger
traceWriter io.Writer
tracePerResult bool
retriever *MetadataRetriever
policyFS fs.FS
dataFS fs.FS
frameworks []framework.Framework
spec string
inputSchema interface{} // unmarshalled into this from a json schema document
sourceType types.Source
ruleNamespaces map[string]struct{}
policies map[string]*ast.Module
store storage.Store
dataDirs []string
runtimeValues *ast.Term
compiler *ast.Compiler
regoErrorLimit int
debug debug.Logger
traceWriter io.Writer
tracePerResult bool
retriever *MetadataRetriever
policyFS fs.FS
dataFS fs.FS
frameworks []framework.Framework
spec string
inputSchema interface{} // unmarshalled into this from a json schema document
sourceType types.Source
includeDeprecatedChecks bool

embeddedLibs map[string]*ast.Module
embeddedChecks map[string]*ast.Module
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
s.includeDeprecatedChecks = b
}

func (s *Scanner) SetUseEmbeddedLibraries(b bool) {
// handled externally
}
Expand Down Expand Up @@ -248,6 +253,12 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
continue
}

if !s.includeDeprecatedChecks {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

conditions can be combined

if staticMeta.Deprecated {
continue // skip deprecated checks
}
}

if isPolicyWithSubtype(s.sourceType) {
// skip if check isn't relevant to what is being scanned
if !isPolicyApplicable(staticMeta, inputs...) {
Expand Down
75 changes: 75 additions & 0 deletions pkg/iac/rego/scanner_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1011,3 +1011,78 @@ deny {
assert.Contains(t, buf.String(),
`Error occurred while applying rule "deny" from check "checks/bad.rego"`)
}

func Test_RegoScanning_WithDeprecatedCheck(t *testing.T) {
var testCases = []struct {
name string
policy string
expectedResults int
}{
{
name: "happy path check is deprecated",
policy: `# METADATA
# title: i am a deprecated check
# description: i am a description
# related_resources:
# - https://google.com
# custom:
# id: EG123
# avd_id: AVD-EG-0123
# severity: LOW
# recommended_action: have a cup of tea
# deprecated: true
package defsec.test

deny {
input.text
}

`,
expectedResults: 0,
},
{
name: "happy path check is not deprecated",
policy: `# METADATA
# title: i am a deprecated check
# description: i am a description
# related_resources:
# - https://google.com
# custom:
# id: EG123
# avd_id: AVD-EG-0123
# severity: LOW
# recommended_action: have a cup of tea
package defsec.test

deny {
input.text
}

`,
expectedResults: 1,
},
}

for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
srcFS := CreateFS(t, map[string]string{
"policies/test.rego": tc.policy,
})

scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Path: "/evil.lol",
Contents: map[string]interface{}{
"text": "test",
},
})
require.NoError(t, err)
require.Len(t, results, tc.expectedResults, tc.name)
})
}
}
2 changes: 2 additions & 0 deletions pkg/iac/scanners/azure/arm/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ type Scanner struct { // nolint: gocritic
sync.Mutex
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {}

func (s *Scanner) SetSpec(spec string) {
s.spec = spec
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/cloudformation/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,8 @@ type Scanner struct { // nolint: gocritic
sync.Mutex
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) addParserOptions(opt options.ParserOption) {
s.parserOptions = append(s.parserOptions, opt)
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/dockerfile/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ type Scanner struct { // nolint: gocritic
loadEmbeddedPolicies bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetSpec(spec string) {
s.spec = spec
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/helm/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,8 @@ type Scanner struct {
mu sync.Mutex
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetSpec(spec string) {
s.spec = spec
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/json/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ type Scanner struct { // nolint: gocritic
loadEmbeddedLibraries bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetRegoOnly(bool) {
}

Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/kubernetes/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ type Scanner struct { // nolint: gocritic
loadEmbeddedLibraries bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetSpec(spec string) {
s.spec = spec
}
Expand Down
7 changes: 7 additions & 0 deletions pkg/iac/scanners/options/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ type ConfigurableScanner interface {
SetRegoOnly(regoOnly bool)
SetRegoErrorLimit(limit int)
SetUseEmbeddedLibraries(bool)
SetIncludeDeprecatedChecks(bool)
}

type ScannerOption func(s ConfigurableScanner)
Expand Down Expand Up @@ -65,6 +66,12 @@ func ScannerWithEmbeddedLibraries(enabled bool) ScannerOption {
}
}

func ScannerWithIncludeDeprecatedChecks(enabled bool) ScannerOption {
return func(s ConfigurableScanner) {
s.SetIncludeDeprecatedChecks(enabled)
}
}

// ScannerWithTrace specifies an io.Writer for trace logs (mainly rego tracing) - if not set, they are discarded
func ScannerWithTrace(w io.Writer) ScannerOption {
return func(s ConfigurableScanner) {
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/terraform/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@ type Scanner struct { // nolint: gocritic
loadEmbeddedPolicies bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {}

func (s *Scanner) SetSpec(spec string) {
s.spec = spec
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/terraformplan/tfjson/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ type Scanner struct {
policyReaders []io.Reader
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetUseEmbeddedLibraries(b bool) {
s.loadEmbeddedLibraries = b
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/toml/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ type Scanner struct { // nolint: gocritic
loadEmbeddedLibraries bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetRegoOnly(bool) {}

func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
Expand Down
2 changes: 2 additions & 0 deletions pkg/iac/scanners/yaml/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ type Scanner struct { // nolint: gocritic
loadEmbeddedPolicies bool
}

func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}

func (s *Scanner) SetRegoOnly(bool) {}

func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
Expand Down
2 changes: 2 additions & 0 deletions pkg/misconf/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ type ScannerOption struct {
DataPaths []string
DisableEmbeddedPolicies bool
DisableEmbeddedLibraries bool
IncludeDeprecatedChecks bool

HelmValues []string
HelmValueFiles []string
Expand Down Expand Up @@ -217,6 +218,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
options.ScannerWithSkipRequiredCheck(true),
options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
options.ScannerWithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
}

policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
Expand Down
Loading