gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 07:10:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix(config): change selector type (fanal#189)

Browse Source 
* fix(config): change selector type

* test(policy): fix test data
This commit is contained in:
Teppei Fukuda
2021-06-28 14:52:57 +03:00
committed by GitHub
parent ac56d1c24d
commit cb66108f4d
25 changed files with 123 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/fanal/main.go
View File

@@ -60,6 +60,11 @@ func run() (err error) {
Aliases: []string{"fs"}, Aliases: []string{"fs"},
Usage: "inspect a local directory", Usage: "inspect a local directory",
Flags: []cli.Flag{ Flags: []cli.Flag{
&cli.StringSliceFlag{
Name: "namespace",
Usage: "namespaces",
Value: cli.NewStringSlice("appshield"),
},
&cli.StringSliceFlag{ &cli.StringSliceFlag{
Name: "policy", Name: "policy",
Usage: "policy paths", Usage: "policy paths",
@@ -141,6 +146,7 @@ func archiveAction(c *cli.Context, fsCache cache.Cache) error {
func fsAction(c *cli.Context, fsCache cache.Cache) error { func fsAction(c *cli.Context, fsCache cache.Cache) error {
art, err := local.NewArtifact(c.Args().First(), fsCache, nil, config.ScannerOption{ art, err := local.NewArtifact(c.Args().First(), fsCache, nil, config.ScannerOption{
Namespaces: []string{"appshield"},
PolicyPaths: c.StringSlice("policy"), PolicyPaths: c.StringSlice("policy"),
}) })
if err != nil { if err != nil {
@@ -189,6 +195,9 @@ func inspect(ctx context.Context, art artifact.Artifact, c cache.LocalArtifactCa
} }
for _, misconf := range mergedLayer.Misconfigurations { for _, misconf := range mergedLayer.Misconfigurations {
fmt.Printf(" %s: failures %d, warnings %d\n", misconf.FilePath, len(misconf.Failures), len(misconf.Warnings)) fmt.Printf(" %s: failures %d, warnings %d\n", misconf.FilePath, len(misconf.Failures), len(misconf.Warnings))
for _, failure := range misconf.Failures {
fmt.Printf(" %s: %s\n", failure.ID, failure.Message)
}
} }
return nil return nil
} }

14
policy/engine.go
View File

@@ -196,13 +196,13 @@ func (e *Engine) Check(ctx context.Context, configs []types.Config, namespaces [
} }
var selectedConfigs []types.Config var selectedConfigs []types.Config
if len(inputOption.Selector.Types) > 0 { if len(inputOption.Selectors) > 0 {
// Pass only the config files that match the selector types // Pass only the config files that match the selector types
for _, t := range inputOption.Selector.Types { for _, t := range uniqueSelectorTypes(inputOption.Selectors) {
selectedConfigs = append(selectedConfigs, typedConfigs[t]...) selectedConfigs = append(selectedConfigs, typedConfigs[t]...)
} }
} else { } else {
// When the 'types' is not specified, it means '*'. // When the 'selector' is not specified, it means '*'.
selectedConfigs = configs selectedConfigs = configs
} }
@@ -666,6 +666,14 @@ func removeRulePrefix(rule string) string {
return rule return rule
} }
func uniqueSelectorTypes(selectors []types.PolicyInputSelector) []string {
selectorTypes := map[string]struct{}{}
for _, s := range selectors {
selectorTypes[s.Type] = struct{}{}
}
return utils.Keys(selectorTypes)
}
func uniqueResults(results []types.MisconfResult) []types.MisconfResult { func uniqueResults(results []types.MisconfResult) []types.MisconfResult {
uniq := map[string]types.MisconfResult{} uniq := map[string]types.MisconfResult{}
for _, result := range results { for _, result := range results {

2
policy/testdata/combine/combined_deployment.rego vendored
View File

@@ -11,8 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["kubernetes"]},
"combine": true, "combine": true,
"selector": [{"type": "kubernetes"}],
} }
deny[res] { deny[res] {

2
policy/testdata/combine/docker.rego → policy/testdata/combine/combined_docker.rego vendored
View File

@@ -11,8 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["dockerfile"]},
"combine": true, "combine": true,
"selector": [{"type": "dockerfile"}],
} }
deny[res] { deny[res] {

4
policy/testdata/combine/combined_pod.rego vendored
View File

@@ -9,10 +9,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {
"types": ["kubernetes"]
},
"combine": true, "combine": true,
"selector": [{"type": "kubernetes"}],
} }
deny[res] { deny[res] {

2
policy/testdata/combine/deployment.rego vendored
View File

@@ -11,8 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["kubernetes"]},
"combine": false, "combine": false,
"selector": [{"type": "kubernetes"}],
} }
warn[msg] { warn[msg] {

2
policy/testdata/combine_exception/combined_deployment.rego vendored
View File

@@ -11,8 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["kubernetes"]},
"combine": true, "combine": true,
"selector": [{"type": "kubernetes"}],
} }
warn[res] { warn[res] {

2
policy/testdata/combine_exception/deployment.rego vendored
View File

@@ -11,8 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["kubernetes"]},
"combine": false, "combine": false,
"selector": [{"type": "kubernetes"}],
} }
warn[msg] { warn[msg] {

2
policy/testdata/combine_exception/fail.rego vendored
View File

@@ -11,8 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["kubernetes"]},
"combine": true, "combine": true,
"selector": [{"type": "kubernetes"}],
} }
deny[res] { deny[res] {

4
policy/testdata/happy/deployment.rego vendored
View File

@@ -11,10 +11,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {
"types": ["kubernetes"]
},
"combine": false, "combine": false,
"selector": [{"type": "kubernetes"}],
} }
deny[msg] { deny[msg] {

4
policy/testdata/happy/docker.rego vendored
View File

@@ -9,10 +9,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {
"types": ["dockerfile"]
},
"combine": false, "combine": false,
"selector": [{"type": "dockerfile"}],
} }
deny[msg] { deny[msg] {

4
policy/testdata/happy/pod.rego vendored
View File

@@ -9,10 +9,8 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {
"types": ["kubernetes"]
},
"combine": false, "combine": false,
"selector": [{"type": "kubernetes"}],
} }
deny[msg] { deny[msg] {

6
policy/testdata/sad/missing_filepath.rego vendored
View File

@@ -11,14 +11,12 @@ __rego_metadata__ := {
} }
__rego_input__ := { __rego_input__ := {
"selector": {"types": ["kubernetes"]},
"combine": true, "combine": true,
"selector": [{"type": "kubernetes"}],
} }
warn[res] { warn[res] {
input[i].contents.kind == "Deployment" input[i].contents.kind == "Deployment"
services.ports[_] == 22 services.ports[_] == 22
res := { res := {"msg": sprintf("deny combined %s", [input[i].contents.metadata.name])}
"msg": sprintf("deny combined %s", [input[i].contents.metadata.name]),
}
} }

6
types/misconf.go
View File

@@ -26,12 +26,12 @@ type PolicyMetadata struct {
} }
type PolicyInputOption struct { type PolicyInputOption struct {
Combine bool Combine bool `mapstructure:"combine"`
Selector PolicyInputSelector Selectors []PolicyInputSelector `mapstructure:"selector"`
} }
type PolicyInputSelector struct { type PolicyInputSelector struct {
Types []string Type string `mapstructure:"type"`
} }
func (r MisconfResults) Len() int { func (r MisconfResults) Len() int {

8
utils/utils.go
View File

@@ -43,3 +43,11 @@ func IsGzip(f *bufio.Reader) bool {
} }
return buf[0] == 0x1F && buf[1] == 0x8B && buf[2] == 0x8 return buf[0] == 0x1F && buf[1] == 0x8B && buf[2] == 0x8
} }
func Keys(m map[string]struct{}) []string {
var keys []string
for k := range m {
keys = append(keys, k)
}
return keys
}