fix(misconf): add missing fields to proto (#4861)

* fix(misconf): add missing fields to proto * mark deleted fields as reserved
2025-12-22 07:10:41 -08:00 · 2023-07-30 14:15:36 +03:00
parent 8b8e0e83d1
commit e1c2a8c804
7 changed files with 832 additions and 281 deletions
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM golang:1.19
+FROM --platform=linux/amd64 golang:1.19

 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
--- a/magefiles/magefile.go
+++ b/magefiles/magefile.go
@@ -154,7 +154,7 @@ func Protoc() error {
 	if err := sh.RunV("bash", "-c", "docker build -t trivy-protoc - < Dockerfile.protoc"); err != nil {
 		return err
 	}
-	return sh.Run("docker", "run", "--rm", "-it", "-v", "${PWD}:/app", "-w", "/app", "trivy-protoc", "mage", "protoc")
+	return sh.Run("docker", "run", "--rm", "-it", "--platform", "linux/x86_64", "-v", "${PWD}:/app", "-w", "/app", "trivy-protoc", "mage", "protoc")
 }

 // Yacc generates parser
--- a/pkg/cache/remote.go
+++ b/pkg/cache/remote.go
@@ -53,7 +53,7 @@ func (c RemoteCache) PutArtifact(imageID string, artifactInfo types.ArtifactInfo
 func (c RemoteCache) PutBlob(diffID string, blobInfo types.BlobInfo) error {
 	err := rpc.Retry(func() error {
 		var err error
-		_, err = c.client.PutBlob(c.ctx, rpc.ConvertToRPCBlobInfo(diffID, blobInfo))
+		_, err = c.client.PutBlob(c.ctx, rpc.ConvertToRPCPutBlobRequest(diffID, blobInfo))
 		return err
 	})
 	if err != nil {
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -217,18 +217,21 @@ func ConvertToRPCMisconfs(misconfs []types.DetectedMisconfiguration) []*common.D
 		}

 		rpcMisconfs = append(rpcMisconfs, &common.DetectedMisconfiguration{
-			Type:        m.Type,
-			Id:          m.ID,
-			Title:       m.Title,
-			Description: m.Description,
-			Message:     m.Message,
-			Namespace:   m.Namespace,
-			Resolution:  m.Resolution,
-			Severity:    common.Severity(severity),
-			PrimaryUrl:  m.PrimaryURL,
-			References:  m.References,
-			Status:      string(m.Status),
-			Layer:       ConvertToRPCLayer(m.Layer),
+			Type:          m.Type,
+			Id:            m.ID,
+			AvdId:         m.AVDID,
+			Title:         m.Title,
+			Description:   m.Description,
+			Message:       m.Message,
+			Namespace:     m.Namespace,
+			Query:         m.Query,
+			Resolution:    m.Resolution,
+			Severity:      common.Severity(severity),
+			PrimaryUrl:    m.PrimaryURL,
+			References:    m.References,
+			Status:        string(m.Status),
+			Layer:         ConvertToRPCLayer(m.Layer),
+			CauseMetadata: ConvertToRPCCauseMetadata(m.CauseMetadata),
 		})
 	}
 	return rpcMisconfs
@@ -243,6 +246,30 @@ func ConvertToRPCLayer(layer ftypes.Layer) *common.Layer {
 	}
 }

+func ConvertToRPCPolicyMetadata(policy ftypes.PolicyMetadata) *common.PolicyMetadata {
+	return &common.PolicyMetadata{
+		Id:                 policy.ID,
+		AdvId:              policy.AVDID,
+		Type:               policy.Type,
+		Title:              policy.Title,
+		Description:        policy.Description,
+		Severity:           policy.Severity,
+		RecommendedActions: policy.RecommendedActions,
+		References:         policy.References,
+	}
+}
+
+func ConvertToRPCCauseMetadata(cause ftypes.CauseMetadata) *common.CauseMetadata {
+	return &common.CauseMetadata{
+		Resource:  cause.Resource,
+		Provider:  cause.Provider,
+		Service:   cause.Service,
+		StartLine: int32(cause.StartLine),
+		EndLine:   int32(cause.EndLine),
+		Code:      ConvertToRPCCode(cause.Code),
+	}
+}
+
 // ConvertToRPCDataSource returns common.DataSource
 func ConvertToRPCDataSource(ds *dbTypes.DataSource) *common.DataSource {
 	if ds == nil {
@@ -407,18 +434,21 @@ func ConvertFromRPCMisconfs(rpcMisconfs []*common.DetectedMisconfiguration) []ty
 	var misconfs []types.DetectedMisconfiguration
 	for _, rpcMisconf := range rpcMisconfs {
 		misconfs = append(misconfs, types.DetectedMisconfiguration{
-			Type:        rpcMisconf.Type,
-			ID:          rpcMisconf.Id,
-			Title:       rpcMisconf.Title,
-			Description: rpcMisconf.Description,
-			Message:     rpcMisconf.Message,
-			Namespace:   rpcMisconf.Namespace,
-			Resolution:  rpcMisconf.Resolution,
-			Severity:    rpcMisconf.Severity.String(),
-			PrimaryURL:  rpcMisconf.PrimaryUrl,
-			References:  rpcMisconf.References,
-			Status:      types.MisconfStatus(rpcMisconf.Status),
-			Layer:       ConvertFromRPCLayer(rpcMisconf.Layer),
+			Type:          rpcMisconf.Type,
+			ID:            rpcMisconf.Id,
+			AVDID:         rpcMisconf.AvdId,
+			Title:         rpcMisconf.Title,
+			Description:   rpcMisconf.Description,
+			Message:       rpcMisconf.Message,
+			Namespace:     rpcMisconf.Namespace,
+			Query:         rpcMisconf.Query,
+			Resolution:    rpcMisconf.Resolution,
+			Severity:      rpcMisconf.Severity.String(),
+			PrimaryURL:    rpcMisconf.PrimaryUrl,
+			References:    rpcMisconf.References,
+			Status:        types.MisconfStatus(rpcMisconf.Status),
+			Layer:         ConvertFromRPCLayer(rpcMisconf.Layer),
+			CauseMetadata: ConvertFromRPCCauseMetadata(rpcMisconf.CauseMetadata),
 		})
 	}
 	return misconfs
@@ -430,8 +460,40 @@ func ConvertFromRPCLayer(rpcLayer *common.Layer) ftypes.Layer {
 		return ftypes.Layer{}
 	}
 	return ftypes.Layer{
-		Digest: rpcLayer.Digest,
-		DiffID: rpcLayer.DiffId,
+		Digest:    rpcLayer.Digest,
+		DiffID:    rpcLayer.DiffId,
+		CreatedBy: rpcLayer.CreatedBy,
+	}
+}
+
+func ConvertFromRPCPolicyMetadata(rpcPolicy *common.PolicyMetadata) ftypes.PolicyMetadata {
+	if rpcPolicy == nil {
+		return ftypes.PolicyMetadata{}
+	}
+
+	return ftypes.PolicyMetadata{
+		ID:                 rpcPolicy.Id,
+		AVDID:              rpcPolicy.AdvId,
+		Type:               rpcPolicy.Type,
+		Title:              rpcPolicy.Title,
+		Description:        rpcPolicy.Description,
+		Severity:           rpcPolicy.Severity,
+		RecommendedActions: rpcPolicy.RecommendedActions,
+		References:         rpcPolicy.References,
+	}
+}
+
+func ConvertFromRPCCauseMetadata(rpcCause *common.CauseMetadata) ftypes.CauseMetadata {
+	if rpcCause == nil {
+		return ftypes.CauseMetadata{}
+	}
+	return ftypes.CauseMetadata{
+		Resource:  rpcCause.Resource,
+		Provider:  rpcCause.Provider,
+		Service:   rpcCause.Service,
+		StartLine: int(rpcCause.StartLine),
+		EndLine:   int(rpcCause.EndLine),
+		Code:      ConvertFromRPCCode(rpcCause.Code),
 	}
 }

@@ -518,14 +580,10 @@ func ConvertFromRPCMisconfResults(rpcResults []*common.MisconfResult) []ftypes.M
 	var results []ftypes.MisconfResult
 	for _, r := range rpcResults {
 		results = append(results, ftypes.MisconfResult{
-			Namespace: r.Namespace,
-			Message:   r.Message,
-			PolicyMetadata: ftypes.PolicyMetadata{
-				ID:       r.Id,
-				Type:     r.Type,
-				Title:    r.Title,
-				Severity: r.Severity,
-			},
+			Namespace:      r.Namespace,
+			Message:        r.Message,
+			PolicyMetadata: ConvertFromRPCPolicyMetadata(r.PolicyMetadata),
+			CauseMetadata:  ConvertFromRPCCauseMetadata(r.CauseMetadata),
 		})
 	}
 	return results
@@ -603,8 +661,8 @@ func ConvertToRPCArtifactInfo(imageID string, imageInfo ftypes.ArtifactInfo) *ca
 	}
 }

-// ConvertToRPCBlobInfo returns PutBlobRequest
-func ConvertToRPCBlobInfo(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlobRequest {
+// ConvertToRPCPutBlobRequest returns PutBlobRequest
+func ConvertToRPCPutBlobRequest(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlobRequest {
 	var packageInfos []*common.PackageInfo
 	for _, pkgInfo := range blobInfo.PackageInfos {
 		packageInfos = append(packageInfos, &common.PackageInfo{
@@ -677,12 +735,10 @@ func ConvertToMisconfResults(results []ftypes.MisconfResult) []*common.MisconfRe
 	var rpcResults []*common.MisconfResult
 	for _, r := range results {
 		rpcResults = append(rpcResults, &common.MisconfResult{
-			Namespace: r.Namespace,
-			Message:   r.Message,
-			Id:        r.ID,
-			Type:      r.Type,
-			Title:     r.Title,
-			Severity:  r.Severity,
+			Namespace:      r.Namespace,
+			Message:        r.Message,
+			PolicyMetadata: ConvertToRPCPolicyMetadata(r.PolicyMetadata),
+			CauseMetadata:  ConvertToRPCCauseMetadata(r.CauseMetadata),
 		})
 	}
 	return rpcResults
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
@@ -465,3 +465,207 @@ func TestConvertFromRPCResults(t *testing.T) {
 		})
 	}
 }
+
+func TestConvertFromRPCMisconfs(t *testing.T) {
+	type args struct {
+		misconfs []*common.DetectedMisconfiguration
+	}
+	tests := []struct {
+		name string
+		args args
+		want []types.DetectedMisconfiguration
+	}{
+		{
+			name: "happy path misconf",
+			args: args{misconfs: []*common.DetectedMisconfiguration{
+				{
+					Type:        "Dockerfile Security Check",
+					Id:          "DS005",
+					AvdId:       "AVD-DS-0005",
+					Title:       "ADD instead of COPY",
+					Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
+					Message:     "Consider using 'COPY . /app' command instead of 'ADD . /app'",
+					Namespace:   "builtin.dockerfile.DS005",
+					Query:       "data.builtin.dockerfile.DS005.deny",
+					Resolution:  "Use COPY instead of ADD",
+					Severity:    common.Severity_LOW,
+					PrimaryUrl:  "https://avd.aquasec.com/misconfig/ds005",
+					References: []string{
+						"https://docs.docker.com/engine/reference/builder/#add",
+						"https://avd.aquasec.com/misconfig/ds005",
+					},
+					Status: "FAIL",
+					Layer:  &common.Layer{},
+					CauseMetadata: &common.CauseMetadata{
+						Provider:  "Dockerfile",
+						Service:   "general",
+						StartLine: 3,
+						EndLine:   3,
+						Code: &common.Code{
+							Lines: []*common.Line{
+								{
+									Number:     3,
+									Content:    "ADD . /app",
+									IsCause:    true,
+									Annotation: "",
+									Truncated:  false,
+									FirstCause: true,
+									LastCause:  true,
+								},
+							},
+						},
+					},
+				},
+			}},
+			want: []types.DetectedMisconfiguration{
+				{
+					Type:        "Dockerfile Security Check",
+					ID:          "DS005",
+					AVDID:       "AVD-DS-0005",
+					Title:       "ADD instead of COPY",
+					Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
+					Message:     "Consider using 'COPY . /app' command instead of 'ADD . /app'",
+					Namespace:   "builtin.dockerfile.DS005",
+					Query:       "data.builtin.dockerfile.DS005.deny",
+					Resolution:  "Use COPY instead of ADD",
+					Severity:    "LOW",
+					PrimaryURL:  "https://avd.aquasec.com/misconfig/ds005",
+					References: []string{
+						"https://docs.docker.com/engine/reference/builder/#add",
+						"https://avd.aquasec.com/misconfig/ds005",
+					},
+					Status: "FAIL",
+					Layer:  ftypes.Layer{},
+					CauseMetadata: ftypes.CauseMetadata{
+						Provider:  "Dockerfile",
+						Service:   "general",
+						StartLine: 3,
+						EndLine:   3,
+						Code: ftypes.Code{
+							Lines: []ftypes.Line{
+								{
+									Number:     3,
+									Content:    "ADD . /app",
+									IsCause:    true,
+									Annotation: "",
+									Truncated:  false,
+									FirstCause: true,
+									LastCause:  true,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ConvertFromRPCMisconfs(tt.args.misconfs)
+			assert.Equal(t, tt.want, got, tt.name)
+		})
+	}
+}
+
+func TestConvertToRPCMiconfs(t *testing.T) {
+	type args struct {
+		misconfs []types.DetectedMisconfiguration
+	}
+	tests := []struct {
+		name string
+		args args
+		want []*common.DetectedMisconfiguration
+	}{
+		{
+			name: "happy path misconf",
+			args: args{misconfs: []types.DetectedMisconfiguration{
+				{
+					Type:        "Dockerfile Security Check",
+					ID:          "DS005",
+					AVDID:       "AVD-DS-0005",
+					Title:       "ADD instead of COPY",
+					Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
+					Message:     "Consider using 'COPY . /app' command instead of 'ADD . /app'",
+					Namespace:   "builtin.dockerfile.DS005",
+					Query:       "data.builtin.dockerfile.DS005.deny",
+					Resolution:  "Use COPY instead of ADD",
+					Severity:    "LOW",
+					PrimaryURL:  "https://avd.aquasec.com/misconfig/ds005",
+					References: []string{
+						"https://docs.docker.com/engine/reference/builder/#add",
+						"https://avd.aquasec.com/misconfig/ds005",
+					},
+					Status: "FAIL",
+					Layer:  ftypes.Layer{},
+					CauseMetadata: ftypes.CauseMetadata{
+						Provider:  "Dockerfile",
+						Service:   "general",
+						StartLine: 3,
+						EndLine:   3,
+						Code: ftypes.Code{
+							Lines: []ftypes.Line{
+								{
+									Number:     3,
+									Content:    "ADD . /app",
+									IsCause:    true,
+									Annotation: "",
+									Truncated:  false,
+									FirstCause: true,
+									LastCause:  true,
+								},
+							},
+						},
+					},
+				},
+			}},
+			want: []*common.DetectedMisconfiguration{
+				{
+					Type:        "Dockerfile Security Check",
+					Id:          "DS005",
+					AvdId:       "AVD-DS-0005",
+					Title:       "ADD instead of COPY",
+					Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
+					Message:     "Consider using 'COPY . /app' command instead of 'ADD . /app'",
+					Namespace:   "builtin.dockerfile.DS005",
+					Query:       "data.builtin.dockerfile.DS005.deny",
+					Resolution:  "Use COPY instead of ADD",
+					Severity:    common.Severity_LOW,
+					PrimaryUrl:  "https://avd.aquasec.com/misconfig/ds005",
+					References: []string{
+						"https://docs.docker.com/engine/reference/builder/#add",
+						"https://avd.aquasec.com/misconfig/ds005",
+					},
+					Status: "FAIL",
+					Layer:  &common.Layer{},
+					CauseMetadata: &common.CauseMetadata{
+						Provider:  "Dockerfile",
+						Service:   "general",
+						StartLine: 3,
+						EndLine:   3,
+						Code: &common.Code{
+							Lines: []*common.Line{
+								{
+									Number:     3,
+									Content:    "ADD . /app",
+									IsCause:    true,
+									Annotation: "",
+									Truncated:  false,
+									FirstCause: true,
+									LastCause:  true,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ConvertToRPCMisconfs(tt.args.misconfs)
+			assert.Equal(t, tt.want, got, tt.name)
+		})
+	}
+}
--- a/rpc/common/service.pb.go
+++ b/rpc/common/service.pb.go
--- a/rpc/common/service.proto
+++ b/rpc/common/service.proto
@@ -65,25 +65,39 @@ message Misconfiguration {
 message MisconfResult {
  string namespace = 1;
  string message   = 2;
-  string type      = 3;
-  string id        = 4;
-  string title     = 5;
-  string severity  = 6;
+  reserved 3 to 6;
+  reserved "type", "id", "title", "severity";
+  PolicyMetadata policy_metadata = 7;
+  CauseMetadata  cause_metadata  = 8;
+}
+
+message PolicyMetadata {
+  string          id                  = 1;
+  string          adv_id              = 2;
+  string          type                = 3;
+  string          title               = 4;
+  string          description         = 5;
+  string          severity            = 6;
+  string          recommended_actions = 7;
+  repeated string references          = 8;
 }

 message DetectedMisconfiguration {
-  string type                 = 1;
-  string id                   = 2;
-  string title                = 3;
-  string description          = 4;
-  string message              = 5;
-  string namespace            = 6;
-  string          resolution  = 7;
-  Severity        severity    = 8;
-  string          primary_url = 9;
-  repeated string references  = 10;
-  string          status      = 11;
-  Layer           layer       = 12;
+  string type                    = 1;
+  string id                      = 2;
+  string title                   = 3;
+  string description             = 4;
+  string message                 = 5;
+  string namespace               = 6;
+  string          resolution     = 7;
+  Severity        severity       = 8;
+  string          primary_url    = 9;
+  repeated string references     = 10;
+  string          status         = 11;
+  Layer           layer          = 12;
+  CauseMetadata   cause_metadata = 13;
+  string          avd_id         = 14;
+  string          query          = 15;
 }

 message Vulnerability {
@@ -124,6 +138,15 @@ message Layer {
  string created_by = 3;
 }

+message CauseMetadata {
+  string resource   = 1;
+  string provider   = 2;
+  string service    = 3;
+  int32  start_line = 4;
+  int32  end_line   = 5;
+  Code   code       = 6;
+}
+
 enum Severity {
  UNKNOWN  = 0;
  LOW      = 1;