
False positive on CIS benchmark 4.2.7 - general problem with booleans compared to strings #1850

Closed · OlofKalufs opened this issue Feb 12, 2024 · 1 comment · Fixed by #1858
Labels: kind/bug (Categorizes issue or PR as related to a bug.)

Comments

OlofKalufs commented Feb 12, 2024

What steps did you take and what happened:
I get a misreporting error on CIS benchmark 4.2.7 - "Ensure that the --make-iptables-util-chains argument is set to true" even though that parameter is set to true

What did you expect to happen:
It shouldn't report that failure

Anything else you would like to add:
It is caused by the node-collector returning the value of kubeletMakeIptablesUtilChainsArgumentSet as a boolean:

```json
{
  "kubeletMakeIptablesUtilChainsArgumentSet": {
    "values": [
      true
    ]
  }
}
```

while the rego rule in https://github.com/aquasecurity/trivy-policies/blob/main/checks/kubernetes/cisbenchmarks/kubelet/kubelet_make_iptables_util_chains.rego expects it to be a string.

I've tried to alter the input in the Rego playground, and changing it to

```json
{
  "kubeletMakeIptablesUtilChainsArgumentSet": {
    "values": [
      "true"
    ]
  }
}
```

prevents the false positive.

I think it is the same problem with the variable kubeletAnonymousAuthArgumentSet even though that will lead to a false negative instead. That variable is also set to a boolean value but the rule makes a string comparison.

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.18.5
  • Kubernetes version (use kubectl version): 1.25.7
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): The Kubernetes nodes run on Ubuntu 22
OlofKalufs added the kind/bug label Feb 12, 2024

chen-keinan (Contributor) commented:

@OlofKalufs thanks for the input and analysis, I'll take a look at it and update you
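The type mismatch described above, modelled as an added example in Python (this is not code from trivy-policies, trivy-operator or the node-collector, and the rule logic is a reconstruction of what the issue describes, not the project's Rego). The constructed `COLLECTED` input mirrors the JSON shape from the report: the collector emits JSON booleans. A comparison against the string `"true"` then fails for both rules, producing a false positive on the iptables-util-chains check and a false negative on the anonymous-auth check; normalising the value before comparing fixes both. The finding messages and function names are assumptions for illustration.

```python
from typing import Any, Callable, Dict, List

# Constructed sample of node-collector output (shape taken from the issue):
# values are JSON booleans, not the strings the policy compared against.
COLLECTED: Dict[str, Dict[str, List[Any]]] = {
    "kubeletMakeIptablesUtilChainsArgumentSet": {"values": [True]},
    "kubeletAnonymousAuthArgumentSet": {"values": [True]},
}

# The same data as the issue reporter rewrote it in the Rego playground.
COLLECTED_AS_STRINGS: Dict[str, Dict[str, List[Any]]] = {
    "kubeletMakeIptablesUtilChainsArgumentSet": {"values": ["true"]},
    "kubeletAnonymousAuthArgumentSet": {"values": ["true"]},
}

Truthy = Callable[[Any], bool]


def string_only_true(v: Any) -> bool:
    """The problematic comparison: only the string literal "true" counts.

    A JSON boolean true never equals the string "true", so this is False
    for the collector's real output.
    """
    return v == "true"


def as_bool(v: Any) -> bool:
    """Type-tolerant normalisation: accept a boolean or a boolean-like string."""
    if isinstance(v, bool):
        return v
    if isinstance(v, str):
        s = v.strip().lower()
        if s in ("true", "false"):
            return s == "true"
    raise ValueError(f"not a boolean-like value: {v!r}")


def make_iptables_util_chains_findings(data: Dict[str, Any], truthy: Truthy) -> List[str]:
    """CIS 4.2.7: fail unless --make-iptables-util-chains is set to true."""
    vals = data["kubeletMakeIptablesUtilChainsArgumentSet"]["values"]
    if not any(truthy(v) for v in vals):
        return ["--make-iptables-util-chains is not set to true"]
    return []


def anonymous_auth_findings(data: Dict[str, Any], truthy: Truthy) -> List[str]:
    """Anonymous-auth rule: fail if --anonymous-auth is true.

    With the string-only comparison a boolean true is silently ignored,
    which is the false negative the issue describes.
    """
    vals = data["kubeletAnonymousAuthArgumentSet"]["values"]
    if any(truthy(v) for v in vals):
        return ["--anonymous-auth is enabled"]
    return []


def evaluate(data: Dict[str, Any], truthy: Truthy) -> Dict[str, List[str]]:
    """Run both rules over one collector document and return findings per rule."""
    return {
        "make_iptables_util_chains": make_iptables_util_chains_findings(data, truthy),
        "anonymous_auth": anonymous_auth_findings(data, truthy),
    }


if __name__ == "__main__":
    for label, truthy in (("string-only", string_only_true), ("normalised", as_bool)):
        print(label, "booleans:", evaluate(COLLECTED, truthy))
        print(label, "strings: ", evaluate(COLLECTED_AS_STRINGS, truthy))
```

Running it shows the string-only comparison reporting the iptables check as failed and the anonymous-auth check as passed for the boolean input, while the normalised comparison reports the opposite, which is the correct result for both. The same normalisation is what a Rego rule needs when the collector and the policy disagree on the type of a value.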
