diff --git a/go.mod b/go.mod
index 230470d8f12c..844135ff79f8 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 github.com/aquasecurity/table v1.8.0
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 github.com/aquasecurity/tml v0.6.1
- github.com/aquasecurity/trivy-checks v0.13.1-0.20240809030752-558fcff75807
+ github.com/aquasecurity/trivy-checks v0.13.1-0.20240830035934-7761a83288cd
 github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
diff --git a/go.sum b/go.sum
index 860b788ae605..e760459b4d51 100644
--- a/go.sum
+++ b/go.sum
@@ -348,8 +348,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-checks v0.13.1-0.20240809030752-558fcff75807 h1:yw2INXrbfekt1yHDQAlNZlHIUZQXMcSS+mWI9XWJUN0=
-github.com/aquasecurity/trivy-checks v0.13.1-0.20240809030752-558fcff75807/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
+github.com/aquasecurity/trivy-checks v0.13.1-0.20240830035934-7761a83288cd h1:/6sPLCU4JICPPYAmY2iUsLGpgYBXUH6M/0fy57AhNWY=
+github.com/aquasecurity/trivy-checks v0.13.1-0.20240830035934-7761a83288cd/go.mod h1:zLBeXaTJkAvPZqKiRACAsP49ZywCEXFEjXMLa8kmc8Q=
 github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
 github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
diff --git a/pkg/fanal/artifact/local/fs_test.go b/pkg/fanal/artifact/local/fs_test.go
index ba6d2879bda2..dbef68e893bb 100644
--- a/pkg/fanal/artifact/local/fs_test.go
+++ b/pkg/fanal/artifact/local/fs_test.go
@@ -299,15 +299,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) { fields: fields{ dir: "./testdata/misconfig/terraform/single-failure", }, - artifactOpt: artifact.Option{ - MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - DisableEmbeddedPolicies: true, - DisableEmbeddedLibraries: true, - }, - }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ Args: cache.ArtifactCachePutBlobArgs{ BlobIDAnything: true, @@ -352,15 +343,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) { fields: fields{ dir: "./testdata/misconfig/terraform/multiple-failures", }, - artifactOpt: artifact.Option{ - MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - DisableEmbeddedPolicies: true, - DisableEmbeddedLibraries: true, - }, - }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ Args: cache.ArtifactCachePutBlobArgs{ BlobIDAnything: true, @@ -437,13 +419,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) { fields: fields{ dir: "./testdata/misconfig/terraform/no-results", }, - artifactOpt: artifact.Option{ - MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - }, - }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ Args: cache.ArtifactCachePutBlobArgs{ BlobIDAnything: true, 
@@ -467,15 +442,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) { fields: fields{ dir: "./testdata/misconfig/terraform/passed", }, - artifactOpt: artifact.Option{ - MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - DisableEmbeddedPolicies: true, - DisableEmbeddedLibraries: true, - }, - }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ Args: cache.ArtifactCachePutBlobArgs{ BlobIDAnything: true, @@ -516,15 +482,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) { fields: fields{ dir: "./testdata/misconfig/terraform/busted-relative-paths/child/main.tf", }, - artifactOpt: artifact.Option{ - MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - DisableEmbeddedPolicies: true, - DisableEmbeddedLibraries: true, - }, - }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ Args: cache.ArtifactCachePutBlobArgs{ BlobIDAnything: true, @@ -584,12 +541,7 @@ func TestTerraformMisconfigurationScan(t *testing.T) { }, artifactOpt: artifact.Option{ MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - TerraformTFVars: []string{"./testdata/misconfig/terraform/tfvar-outside/main.tfvars"}, - TfExcludeDownloaded: true, - DisableEmbeddedPolicies: true, + TerraformTFVars: []string{"./testdata/misconfig/terraform/tfvar-outside/main.tfvars"}, }, }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ 
@@ -632,14 +584,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) { fields: fields{ dir: "./testdata/misconfig/terraform/relative-paths/child", }, - artifactOpt: artifact.Option{ - MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/terraform/rego"}, - DisableEmbeddedPolicies: true, - }, - }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ Args: cache.ArtifactCachePutBlobArgs{ BlobIDAnything: true, @@ -726,6 +670,8 @@ func TestTerraformMisconfigurationScan(t *testing.T) { types.SystemFileFilteringPostHandler, } tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true + tt.artifactOpt.MisconfScannerOption.Namespaces = []string{"user"} + tt.artifactOpt.MisconfScannerOption.PolicyPaths = []string{"./testdata/misconfig/terraform/rego"} a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt) require.NoError(t, err) @@ -972,9 +918,8 @@ func TestTerraformPlanSnapshotMisconfScan(t *testing.T) { types.SystemFileFilteringPostHandler, }, MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - DisableEmbeddedPolicies: true, - + RegoOnly: true, + DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: false, Namespaces: []string{"user"}, PolicyPaths: []string{tmpDir}, @@ -983,7 +928,6 @@ func TestTerraformPlanSnapshotMisconfScan(t *testing.T) { SkipFiles: []string{"*.tf"}, }, } - a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), opt) require.NoError(t, err) @@ -1015,7 +959,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, 
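Review bot: The loop in TestTerraformMisconfigurationScan (hunk at -726) now forces `Namespaces` and `PolicyPaths` for every case, but it does not restore `RegoOnly: true` or `DisableEmbeddedLibraries: true`, which the per-case options removed in this file's earlier hunks (from -299 onward) used to set, so the terraform cases now run with Rego-only mode off and embedded libraries enabled. If that is intended, a comment next to the assignments would stop the next reader from re-adding them, e.g. `// defaults shared by every case; RegoOnly and DisableEmbeddedLibraries are deliberately left at their zero values` (confirm the intent before adopting the wording). The per-loop assignment also means no case can override PolicyPaths any more, which is fine as long as it is stated. The other scanners' loops (hunks at -1543, -1811, -2068, -2184, -2342 and -2506) apply only DisableEmbeddedPolicies this way and keep the rest per case, which is the more flexible shape. The enclosing test function starts and ends outside the hunk.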
@@ -1077,7 +1020,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1161,7 +1103,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1194,7 +1135,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) { Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/cloudformation/params/code/rego"}, CloudFormationParamVars: []string{"./testdata/misconfig/cloudformation/params/cfparams.json"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1251,7 +1191,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1339,7 +1278,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1397,7 +1335,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, 
@@ -1485,7 +1422,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1543,6 +1479,7 @@ func TestDockerfileMisconfigurationScan(t *testing.T) { tt.artifactOpt.DisabledHandlers = []types.HandlerType{ types.SystemFileFilteringPostHandler, } + tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt) require.NoError(t, err) @@ -1574,7 +1511,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1637,7 +1573,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1753,7 +1688,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -1811,6 +1745,7 @@ func TestKubernetesMisconfigurationScan(t *testing.T) { tt.artifactOpt.DisabledHandlers = []types.HandlerType{ types.SystemFileFilteringPostHandler, } + tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt) require.NoError(t, err) 
@@ -2068,6 +2003,7 @@ func TestAzureARMMisconfigurationScan(t *testing.T) { tt.artifactOpt.DisabledHandlers = []types.HandlerType{ types.SystemFileFilteringPostHandler, } + tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt) require.NoError(t, err) @@ -2099,7 +2035,6 @@ func TestMixedConfigurationScan(t *testing.T) { RegoOnly: true, Namespaces: []string{"user"}, PolicyPaths: []string{"./testdata/misconfig/mixed/rego"}, - DisableEmbeddedPolicies: true, DisableEmbeddedLibraries: true, }, }, @@ -2184,6 +2119,7 @@ func TestMixedConfigurationScan(t *testing.T) { tt.artifactOpt.DisabledHandlers = []types.HandlerType{ types.SystemFileFilteringPostHandler, } + tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt) require.NoError(t, err) @@ -2217,10 +2153,9 @@ func TestJSONConfigScan(t *testing.T) { }, artifactOpt: artifact.Option{ MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/json/passed/checks"}, - DisableEmbeddedPolicies: true, + RegoOnly: true, + Namespaces: []string{"user"}, + PolicyPaths: []string{"./testdata/misconfig/json/passed/checks"}, }, }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ @@ -2291,10 +2226,9 @@ func TestJSONConfigScan(t *testing.T) { }, artifactOpt: artifact.Option{ MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/json/with-schema/checks"}, - DisableEmbeddedPolicies: true, + RegoOnly: true, + Namespaces: []string{"user"}, + PolicyPaths: []string{"./testdata/misconfig/json/with-schema/checks"}, }, }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ 
@@ -2342,6 +2276,7 @@ func TestJSONConfigScan(t *testing.T) { c := new(cache.MockArtifactCache) c.ApplyPutBlobExpectation(tt.putBlobExpectation) + tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true if len(tt.fields.schemas) > 0 { schemas, err := misconf.LoadConfigSchemas(tt.fields.schemas) require.NoError(t, err) @@ -2381,10 +2316,9 @@ func TestYAMLConfigScan(t *testing.T) { }, artifactOpt: artifact.Option{ MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/yaml/passed/checks"}, - DisableEmbeddedPolicies: true, + RegoOnly: true, + Namespaces: []string{"user"}, + PolicyPaths: []string{"./testdata/misconfig/yaml/passed/checks"}, }, }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ @@ -2455,10 +2389,9 @@ func TestYAMLConfigScan(t *testing.T) { }, artifactOpt: artifact.Option{ MisconfScannerOption: misconf.ScannerOption{ - RegoOnly: true, - Namespaces: []string{"user"}, - PolicyPaths: []string{"./testdata/misconfig/yaml/with-schema/checks"}, - DisableEmbeddedPolicies: true, + RegoOnly: true, + Namespaces: []string{"user"}, + PolicyPaths: []string{"./testdata/misconfig/yaml/with-schema/checks"}, }, }, putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ @@ -2506,6 +2439,7 @@ func TestYAMLConfigScan(t *testing.T) { c := new(cache.MockArtifactCache) c.ApplyPutBlobExpectation(tt.putBlobExpectation) + tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true if len(tt.fields.schemas) > 0 { schemas, err := misconf.LoadConfigSchemas(tt.fields.schemas) require.NoError(t, err) diff --git a/pkg/iac/rego/load.go b/pkg/iac/rego/load.go index 249e55992c2c..26a6c9e6f2d1 100644 --- a/pkg/iac/rego/load.go +++ b/pkg/iac/rego/load.go 
@@ -290,6 +290,11 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
 if err != nil {
 return err
 }
+
+ if !meta.hasAnyFramework(s.frameworks) {
+ continue
+ }
+
 if len(meta.InputOptions.Selectors) == 0 {
 s.logger.Warn(
 "Module has no input selectors - it will be loaded for all inputs!",
diff --git a/pkg/iac/rego/metadata.go b/pkg/iac/rego/metadata.go
index 57602ce97b8c..cb1d38724e8a 100644
--- a/pkg/iac/rego/metadata.go
+++ b/pkg/iac/rego/metadata.go
@@ -49,11 +49,13 @@ func NewStaticMetadata(pkgPath string, inputOpt InputOptions) *StaticMetadata {
 Description: fmt.Sprintf("Rego module: %s", pkgPath),
 Package: pkgPath,
 InputOptions: inputOpt,
- Frameworks: make(map[framework.Framework][]string),
+ Frameworks: map[framework.Framework][]string{
+ framework.Default: {},
+ },
 }
 }
 
-func (sm *StaticMetadata) Update(meta map[string]any) error {
+func (sm *StaticMetadata) update(meta map[string]any) error {
 if sm.Frameworks == nil {
 sm.Frameworks = make(map[framework.Framework][]string)
 }
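Review bot: The new `continue` in filterModules drops a module without any trace when none of its frameworks matches `s.frameworks`, so a user check that declares only a non-default framework vanishes silently from a scan that requests no framework (hasAnyFramework falls back to framework.Default in that case). A debug-level message before the `continue`, on the same `s.logger` the selectors warning below uses and carrying the module's package name (meta.Package is set by NewStaticMetadata), would make that diagnosable; something like `s.logger.Debug("Module is not tied to any of the requested frameworks - skipping")` with the package added in the logger's attribute style. A one-line comment stating the rule would help too: `// modules are loaded only for frameworks the scan asked for; no frameworks means framework.Default`. filterModules begins and ends outside this hunk.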
@@ -125,21 +127,31 @@ func (sm *StaticMetadata) Update(meta map[string]any) error {
 }
 
 func (sm *StaticMetadata) updateFrameworks(meta map[string]any) error {
- if raw, ok := meta["frameworks"]; ok {
- frameworks, ok := raw.(map[string]any)
+ raw, ok := meta["frameworks"]
+ if !ok {
+ return nil
+ }
+
+ frameworks, ok := raw.(map[string]any)
+ if !ok {
+ return fmt.Errorf("frameworks metadata is not an object, got %T", raw)
+ }
+
+ if len(frameworks) > 0 {
+ sm.Frameworks = make(map[framework.Framework][]string)
+ }
+
+ for fw, rawIDs := range frameworks {
+ ids, ok := rawIDs.([]any)
 if !ok {
- return fmt.Errorf("frameworks metadata is not an object, got %T", raw)
+ return fmt.Errorf("framework ids is not an array, got %T", rawIDs)
 }
- for fw, rawIDs := range frameworks {
- ids, ok := rawIDs.([]any)
- if !ok {
- return fmt.Errorf("framework ids is not an array, got %T", rawIDs)
- }
- fr := framework.Framework(fw)
- for _, id := range ids {
- if str, ok := id.(string); ok {
- sm.Frameworks[fr] = append(sm.Frameworks[fr], str)
- }
+ fr := framework.Framework(fw)
+ for _, id := range ids {
+ if str, ok := id.(string); ok {
+ sm.Frameworks[fr] = append(sm.Frameworks[fr], str)
+ } else {
+ sm.Frameworks[fr] = []string{}
 }
 }
 }
@@ -166,7 +178,7 @@ func (sm *StaticMetadata) FromAnnotations(annotations *ast.Annotations) error {
 sm.References = append(sm.References, resource.Ref.String())
 }
 if custom := annotations.Custom; custom != nil {
- if err := sm.Update(custom); err != nil {
+ if err := sm.update(custom); err != nil {
 return err
 }
 }
@@ -329,7 +341,7 @@ func (m *MetadataRetriever) RetrieveMetadata(ctx context.Context, module *ast.Mo
 return nil, fmt.Errorf("failed to parse metadata: not an object")
 }
 
- if err := metadata.Update(meta); err != nil {
+ if err := metadata.update(meta); err != nil {
 return nil, err
 }
 
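Review bot: The `else` branch at the end of the new loop body in updateFrameworks overwrites whatever has already been appended for that framework, so an ID list such as `["a", 1, "b"]` leaves `sm.Frameworks[fr]` as `["b"]`, and a framework whose ID list is empty never gets a key at all, so hasAnyFramework (added further down in this file) reports false for it even though NewStaticMetadata itself seeds `framework.Default: {}` to mean membership. Registering the key before iterating the IDs and merely skipping a non-string entry fixes both; returning an error for a non-string ID, as the two enclosing type assertions already do, would be the stricter alternative. The `len(frameworks) > 0` reset above the loop also discards the Default entry, which the test changes show is intended, but it deserves a comment: `// explicit frameworks replace the Default membership seeded by NewStaticMetadata`. The function's closing lines lie outside the hunk.
```go
	for fw, rawIDs := range frameworks {
		ids, ok := rawIDs.([]any)
		if !ok {
			return fmt.Errorf("framework ids is not an array, got %T", rawIDs)
		}
		fr := framework.Framework(fw)
		// Register the framework even when its ID list is empty, so that
		// membership survives for hasAnyFramework.
		sm.Frameworks[fr] = []string{}
		for _, id := range ids {
			str, ok := id.(string)
			if !ok {
				continue // malformed entry: keep the framework, drop only this ID
			}
			sm.Frameworks[fr] = append(sm.Frameworks[fr], str)
		}
	}
```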
@@ -436,3 +448,17 @@ func metadataFromRegoModule(module *ast.Module) (*StaticMetadata, error) {
 }
 return meta, nil
 }
+
+func (m *StaticMetadata) hasAnyFramework(frameworks []framework.Framework) bool {
+ if len(frameworks) == 0 {
+ frameworks = []framework.Framework{framework.Default}
+ }
+
+ for _, fr := range frameworks {
+ if _, exists := m.Frameworks[fr]; exists {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/pkg/iac/rego/metadata_test.go b/pkg/iac/rego/metadata_test.go
index 6535e21c14ac..b421df69bb30 100644
--- a/pkg/iac/rego/metadata_test.go
+++ b/pkg/iac/rego/metadata_test.go
@@ -27,12 +27,9 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 Provider: "pr",
 Service: "srvc",
 Library: false,
- Frameworks: map[framework.Framework][]string{
- framework.Default: {"dd"},
- },
 }
 
- require.NoError(t, sm.Update(
+ require.NoError(t, sm.update(
 map[string]any{
 "id": "i_n",
 "avd_id": "a_n",
@@ -68,8 +65,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 Service: "srvc_n",
 Library: true,
 Frameworks: map[framework.Framework][]string{
- framework.Default: {"dd"},
- framework.ALL: {"aa"},
+ framework.ALL: {"aa"},
 },
 CloudFormation: &scan.EngineMetadata{},
 Terraform: &scan.EngineMetadata{},
@@ -82,7 +78,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 sm := StaticMetadata{
 References: []string{"r"},
 }
- require.NoError(t, sm.Update(map[string]any{
+ require.NoError(t, sm.update(map[string]any{
 "related_resources": []map[string]any{
 {
 "ref": "r1_n",
@@ -107,7 +103,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 sm := StaticMetadata{
 References: []string{"r"},
 }
- require.NoError(t, sm.Update(map[string]any{
+ require.NoError(t, sm.update(map[string]any{
 "related_resources": []string{"r1_n", "r2_n"},
 }))
 
@@ -125,7 +121,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 sm := StaticMetadata{
 Deprecated: false,
 }
- require.NoError(t, sm.Update(map[string]any{
+ require.NoError(t, sm.update(map[string]any{
 "deprecated": true,
 }))
 
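Review bot: hasAnyFramework names its receiver `m` while the other StaticMetadata methods visible in this diff (update, updateFrameworks, FromAnnotations) use `sm`; Go convention is one receiver name per type, so `func (sm *StaticMetadata) hasAnyFramework(frameworks []framework.Framework) bool` with `sm.Frameworks[fr]` in the body. The method also has no comment stating its contract, which matters now that filterModules silently drops modules on its answer: `// hasAnyFramework reports whether the module is registered under at least one of frameworks; an empty list means framework.Default.` One thing to confirm: Test_UpdateStaticMetadata registers a module under `framework.ALL`, and this lookup is a plain key match, so a module annotated only with ALL would not match a scan asking for a specific framework unless that is resolved elsewhere.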
@@ -141,7 +137,7 @@ func Test_UpdateStaticMetadata(t *testing.T) { t.Run("frameworks is not initialized", func(t *testing.T) { sm := StaticMetadata{} - err := sm.Update(map[string]any{ + err := sm.update(map[string]any{ "frameworks": map[string]any{"all": []any{"a", "b", "c"}}, }) require.NoError(t, err) diff --git a/pkg/iac/scanners/cloudformation/scanner_test.go b/pkg/iac/scanners/cloudformation/scanner_test.go index baa8ed81ba59..21d185c5ec06 100644 --- a/pkg/iac/scanners/cloudformation/scanner_test.go +++ b/pkg/iac/scanners/cloudformation/scanner_test.go @@ -82,7 +82,9 @@ deny[res] { Terraform: (*scan.TerraformCustomCheck)(nil), }, RegoPackage: "data.builtin.dockerfile.DS006", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule()) failure := results.GetFailed()[0] diff --git a/pkg/iac/scanners/dockerfile/scanner_test.go b/pkg/iac/scanners/dockerfile/scanner_test.go index 437c37ec9660..4cbd86667a17 100644 --- a/pkg/iac/scanners/dockerfile/scanner_test.go +++ b/pkg/iac/scanners/dockerfile/scanner_test.go @@ -10,7 +10,6 @@ import ( "github.com/aquasecurity/trivy/internal/testutil" "github.com/aquasecurity/trivy/pkg/iac/framework" - "github.com/aquasecurity/trivy/pkg/iac/rego" "github.com/aquasecurity/trivy/pkg/iac/rego/schemas" "github.com/aquasecurity/trivy/pkg/iac/scan" "github.com/aquasecurity/trivy/pkg/iac/scanners/options" @@ -252,7 +251,9 @@ USER root CustomChecks: scan.CustomChecks{ Terraform: (*scan.TerraformCustomCheck)(nil)}, RegoPackage: "data.builtin.dockerfile.DS006", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule(), ) 
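Review bot: The `frameworks is not initialized` case appears to be the only test exercising updateFrameworks's ID handling, and nothing covers the two inputs the rewritten loop treats specially: an empty ID list (`"frameworks": map[string]any{"all": []any{}}`) and a list containing a non-string entry (`"frameworks": map[string]any{"all": []any{"a", 1, "b"}}`). Both should assert what `sm.Frameworks[framework.ALL]` holds afterwards, since hasAnyFramework in metadata.go keys off that map entry; with the implementation as committed the first yields no key and the second drops `"a"`. Pinning those two cases here would fix the intended behaviour whichever way the implementation settles. The rest of the t.Run body is outside the hunk.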
@@ -553,27 +554,23 @@ res := true for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - regoMap := make(map[string]string) - libs, err := rego.LoadEmbeddedLibraries() - require.NoError(t, err) - for name, library := range libs { - regoMap["/rules/"+name] = library.String() - } - regoMap["/code/Dockerfile"] = `FROM golang:1.7.3 as dep + fsysMap := make(map[string]string) + fsysMap["/code/Dockerfile"] = `FROM golang:1.7.3 as dep COPY --from=dep /binary /` - regoMap["/rules/rule.rego"] = tc.inputRegoPolicy - regoMap["/rules/schemas/myfancydockerfile.json"] = string(schemas.Dockerfile) // just use the same for testing - fs := testutil.CreateFS(t, regoMap) + fsysMap["/rules/rule.rego"] = tc.inputRegoPolicy + fsysMap["/rules/schemas/myfancydockerfile.json"] = string(schemas.Dockerfile) // just use the same for testing + fsys := testutil.CreateFS(t, fsysMap) var traceBuf bytes.Buffer scanner := NewScanner( options.ScannerWithPolicyDirs("rules"), + options.ScannerWithEmbeddedLibraries(true), options.ScannerWithTrace(&traceBuf), options.ScannerWithRegoErrorLimits(0), ) - results, err := scanner.ScanFS(context.TODO(), fs, "code") + results, err := scanner.ScanFS(context.TODO(), fsys, "code") if tc.expectedError != "" && err != nil { require.Equal(t, tc.expectedError, err.Error(), tc.name) } else { @@ -605,7 +602,9 @@ COPY --from=dep /binary /` CustomChecks: scan.CustomChecks{ Terraform: (*scan.TerraformCustomCheck)(nil)}, RegoPackage: "data.builtin.dockerfile.DS006", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule(), ) diff --git a/pkg/iac/scanners/json/scanner_test.go b/pkg/iac/scanners/json/scanner_test.go index 7e7f1c308186..e126768e55d8 100644 --- a/pkg/iac/scanners/json/scanner_test.go +++ b/pkg/iac/scanners/json/scanner_test.go 
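Review bot: `fsysMap` is built with `make` followed by three separate assignments before being handed to `testutil.CreateFS`; a single map literal passed directly reads better and removes the temporary. Replacing the hand-copied embedded libraries with `options.ScannerWithEmbeddedLibraries(true)` is a clear improvement and the `fs` to `fsys` rename avoids shadowing the `io/fs` package name. The t.Run closure continues past the end of the hunk.
```go
		t.Run(tc.name, func(t *testing.T) {
			fsys := testutil.CreateFS(t, map[string]string{
				"/code/Dockerfile": `FROM golang:1.7.3 as dep
COPY --from=dep /binary /`,
				"/rules/rule.rego":                      tc.inputRegoPolicy,
				"/rules/schemas/myfancydockerfile.json": string(schemas.Dockerfile), // just use the same for testing
			})
			// … unchanged: scanner construction, ScanFS call and assertions …
```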
@@ -73,6 +73,8 @@ deny[res] { Terraform: (*scan.TerraformCustomCheck)(nil), }, RegoPackage: "data.builtin.json.lol", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule()) } diff --git a/pkg/iac/scanners/kubernetes/scanner_test.go b/pkg/iac/scanners/kubernetes/scanner_test.go index d972e52e8e80..c981634a0ee6 100644 --- a/pkg/iac/scanners/kubernetes/scanner_test.go +++ b/pkg/iac/scanners/kubernetes/scanner_test.go @@ -119,7 +119,9 @@ deny[res] { CloudFormation: &scan.EngineMetadata{}, CustomChecks: scan.CustomChecks{Terraform: (*scan.TerraformCustomCheck)(nil)}, RegoPackage: "data.builtin.kubernetes.KSV011", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule()) failure := results.GetFailed()[0] @@ -279,7 +281,9 @@ deny[res] { CloudFormation: &scan.EngineMetadata{}, CustomChecks: scan.CustomChecks{Terraform: (*scan.TerraformCustomCheck)(nil)}, RegoPackage: "data.builtin.kubernetes.KSV011", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule()) failure := results.GetFailed()[0] diff --git a/pkg/iac/scanners/terraformplan/tfjson/test/scanner_test.go b/pkg/iac/scanners/terraformplan/tfjson/test/scanner_test.go index 5b684dc77ed0..dd77c2d89f6e 100644 --- a/pkg/iac/scanners/terraformplan/tfjson/test/scanner_test.go +++ b/pkg/iac/scanners/terraformplan/tfjson/test/scanner_test.go @@ -33,7 +33,7 @@ func Test_Scanning_Plan(t *testing.T) { failedResults = append(failedResults, r) } } - assert.Len(t, results, 15) + assert.Len(t, failedResults, 9) } diff --git a/pkg/iac/scanners/toml/scanner_test.go b/pkg/iac/scanners/toml/scanner_test.go index c2fdcda26faa..d3c4e51e3b63 100644 --- a/pkg/iac/scanners/toml/scanner_test.go 
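Review bot: In Test_Scanning_Plan (tfjson hunk at -33) `assert.Len(t, failedResults, 9)` pins a bare count that depends on whichever bundled trivy-checks revision go.mod points at, so the next bump will flip it again with no hint of which check appeared or disappeared. At minimum attach the reason as the assertion message, `assert.Len(t, failedResults, 9, "failed checks for the bundled trivy-checks revision")`; better, collect the rule IDs from `r.Rule()` for each failed result and assert on that set, so a change in the check set is self-describing. The function starts outside the hunk.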
+++ b/pkg/iac/scanners/toml/scanner_test.go @@ -76,7 +76,9 @@ deny[res] { CustomChecks: scan.CustomChecks{ Terraform: (*scan.TerraformCustomCheck)(nil)}, RegoPackage: "data.builtin.toml.lol", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule(), ) diff --git a/pkg/iac/scanners/yaml/scanner_test.go b/pkg/iac/scanners/yaml/scanner_test.go index 771bf45ef7d2..02468158fcf9 100644 --- a/pkg/iac/scanners/yaml/scanner_test.go +++ b/pkg/iac/scanners/yaml/scanner_test.go @@ -79,7 +79,9 @@ deny[res] { CustomChecks: scan.CustomChecks{ Terraform: (*scan.TerraformCustomCheck)(nil)}, RegoPackage: "data.builtin.yaml.lol", - Frameworks: make(map[framework.Framework][]string), + Frameworks: map[framework.Framework][]string{ + framework.Default: {}, + }, }, results.GetFailed()[0].Rule(), )