fix: filter Rego checks by frameworks like Go checks

Signed-off-by: nikpivkin <[email protected]>
aquasecurity · Aug 29, 2024 · 40d3595 · 40d3595
1 parent 1eccad9
commit 40d3595
Show file tree

Hide file tree

Showing 12 changed files with 81 additions and 38 deletions.
diff --git a/go.mod b/go.mod
@@ -4,6 +4,8 @@ go 1.22.0
 
 toolchain go1.22.4
 
+replace github.com/aquasecurity/trivy-checks => /Users/nikita/projects/trivy-policies
+
 require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0

diff --git a/go.sum b/go.sum
@@ -348,8 +348,6 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-checks v0.13.1-0.20240828192740-fb12f73814ce h1:oE+JfRmPR0Mn/hxUZi+ib+r16upsn439Y4TqcC1/8k0=
-github.com/aquasecurity/trivy-checks v0.13.1-0.20240828192740-fb12f73814ce/go.mod h1:zLBeXaTJkAvPZqKiRACAsP49ZywCEXFEjXMLa8kmc8Q=
 github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
 github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=

diff --git a/pkg/iac/rego/load.go b/pkg/iac/rego/load.go
@@ -290,6 +290,11 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
 		if err != nil {
 			return err
 		}
+
+		if !meta.hasAnyFramework(s.frameworks) {
+			continue
+		}
+
 		if len(meta.InputOptions.Selectors) == 0 {
 			s.logger.Warn(
 				"Module has no input selectors - it will be loaded for all inputs!",

diff --git a/pkg/iac/rego/metadata.go b/pkg/iac/rego/metadata.go
@@ -49,11 +49,13 @@ func NewStaticMetadata(pkgPath string, inputOpt InputOptions) *StaticMetadata {
 		Description:  fmt.Sprintf("Rego module: %s", pkgPath),
 		Package:      pkgPath,
 		InputOptions: inputOpt,
-		Frameworks:   make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	}
 }
 
-func (sm *StaticMetadata) Update(meta map[string]any) error {
+func (sm *StaticMetadata) update(meta map[string]any) error {
 	if sm.Frameworks == nil {
 		sm.Frameworks = make(map[framework.Framework][]string)
 	}
@@ -125,21 +127,31 @@ func (sm *StaticMetadata) Update(meta map[string]any) error {
 }
 
 func (sm *StaticMetadata) updateFrameworks(meta map[string]any) error {
-	if raw, ok := meta["frameworks"]; ok {
-		frameworks, ok := raw.(map[string]any)
+	raw, ok := meta["frameworks"]
+	if !ok {
+		return nil
+	}
+
+	frameworks, ok := raw.(map[string]any)
+	if !ok {
+		return fmt.Errorf("frameworks metadata is not an object, got %T", raw)
+	}
+
+	if len(frameworks) > 0 {
+		sm.Frameworks = make(map[framework.Framework][]string)
+	}
+
+	for fw, rawIDs := range frameworks {
+		ids, ok := rawIDs.([]any)
 		if !ok {
-			return fmt.Errorf("frameworks metadata is not an object, got %T", raw)
+			return fmt.Errorf("framework ids is not an array, got %T", rawIDs)
 		}
-		for fw, rawIDs := range frameworks {
-			ids, ok := rawIDs.([]any)
-			if !ok {
-				return fmt.Errorf("framework ids is not an array, got %T", rawIDs)
-			}
-			fr := framework.Framework(fw)
-			for _, id := range ids {
-				if str, ok := id.(string); ok {
-					sm.Frameworks[fr] = append(sm.Frameworks[fr], str)
-				}
+		fr := framework.Framework(fw)
+		for _, id := range ids {
+			if str, ok := id.(string); ok {
+				sm.Frameworks[fr] = append(sm.Frameworks[fr], str)
+			} else {
+				sm.Frameworks[fr] = []string{}
 			}
 		}
 	}
@@ -166,7 +178,7 @@ func (sm *StaticMetadata) FromAnnotations(annotations *ast.Annotations) error {
 		sm.References = append(sm.References, resource.Ref.String())
 	}
 	if custom := annotations.Custom; custom != nil {
-		if err := sm.Update(custom); err != nil {
+		if err := sm.update(custom); err != nil {
 			return err
 		}
 	}
@@ -329,7 +341,7 @@ func (m *MetadataRetriever) RetrieveMetadata(ctx context.Context, module *ast.Mo
 		return nil, fmt.Errorf("failed to parse metadata: not an object")
 	}
 
-	if err := metadata.Update(meta); err != nil {
+	if err := metadata.update(meta); err != nil {
 		return nil, err
 	}
 
@@ -436,3 +448,17 @@ func metadataFromRegoModule(module *ast.Module) (*StaticMetadata, error) {
 	}
 	return meta, nil
 }
+
+func (m *StaticMetadata) hasAnyFramework(frameworks []framework.Framework) bool {
+	if len(frameworks) == 0 {
+		frameworks = []framework.Framework{framework.Default}
+	}
+
+	for _, fr := range frameworks {
+		if _, exists := m.Frameworks[fr]; exists {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/pkg/iac/rego/metadata_test.go b/pkg/iac/rego/metadata_test.go
@@ -27,12 +27,9 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 			Provider:           "pr",
 			Service:            "srvc",
 			Library:            false,
-			Frameworks: map[framework.Framework][]string{
-				framework.Default: {"dd"},
-			},
 		}
 
-		require.NoError(t, sm.Update(
+		require.NoError(t, sm.update(
 			map[string]any{
 				"id":                  "i_n",
 				"avd_id":              "a_n",
@@ -68,8 +65,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 			Service:            "srvc_n",
 			Library:            true,
 			Frameworks: map[framework.Framework][]string{
-				framework.Default: {"dd"},
-				framework.ALL:     {"aa"},
+				framework.ALL: {"aa"},
 			},
 			CloudFormation: &scan.EngineMetadata{},
 			Terraform:      &scan.EngineMetadata{},
@@ -82,7 +78,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 		sm := StaticMetadata{
 			References: []string{"r"},
 		}
-		require.NoError(t, sm.Update(map[string]any{
+		require.NoError(t, sm.update(map[string]any{
 			"related_resources": []map[string]any{
 				{
 					"ref": "r1_n",
@@ -107,7 +103,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 		sm := StaticMetadata{
 			References: []string{"r"},
 		}
-		require.NoError(t, sm.Update(map[string]any{
+		require.NoError(t, sm.update(map[string]any{
 			"related_resources": []string{"r1_n", "r2_n"},
 		}))
 
@@ -125,7 +121,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 		sm := StaticMetadata{
 			Deprecated: false,
 		}
-		require.NoError(t, sm.Update(map[string]any{
+		require.NoError(t, sm.update(map[string]any{
 			"deprecated": true,
 		}))
 
@@ -141,7 +137,7 @@ func Test_UpdateStaticMetadata(t *testing.T) {
 
 	t.Run("frameworks is not initialized", func(t *testing.T) {
 		sm := StaticMetadata{}
-		err := sm.Update(map[string]any{
+		err := sm.update(map[string]any{
 			"frameworks": map[string]any{"all": []any{"a", "b", "c"}},
 		})
 		require.NoError(t, err)

diff --git a/pkg/iac/scanners/cloudformation/scanner_test.go b/pkg/iac/scanners/cloudformation/scanner_test.go
@@ -82,7 +82,9 @@ deny[res] {
 			Terraform: (*scan.TerraformCustomCheck)(nil),
 		},
 		RegoPackage: "data.builtin.dockerfile.DS006",
-		Frameworks:  make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	}, results.GetFailed()[0].Rule())
 
 	failure := results.GetFailed()[0]

diff --git a/pkg/iac/scanners/dockerfile/scanner_test.go b/pkg/iac/scanners/dockerfile/scanner_test.go
@@ -251,7 +251,9 @@ USER root
 			CustomChecks: scan.CustomChecks{
 				Terraform: (*scan.TerraformCustomCheck)(nil)},
 			RegoPackage: "data.builtin.dockerfile.DS006",
-			Frameworks:  make(map[framework.Framework][]string),
+			Frameworks: map[framework.Framework][]string{
+				framework.Default: {},
+			},
 		},
 		results.GetFailed()[0].Rule(),
 	)
@@ -600,7 +602,9 @@ COPY --from=dep /binary /`
 						CustomChecks: scan.CustomChecks{
 							Terraform: (*scan.TerraformCustomCheck)(nil)},
 						RegoPackage: "data.builtin.dockerfile.DS006",
-						Frameworks:  make(map[framework.Framework][]string),
+						Frameworks: map[framework.Framework][]string{
+							framework.Default: {},
+						},
 					},
 					results.GetFailed()[0].Rule(),
 				)

diff --git a/pkg/iac/scanners/json/scanner_test.go b/pkg/iac/scanners/json/scanner_test.go
@@ -73,6 +73,8 @@ deny[res] {
 			Terraform: (*scan.TerraformCustomCheck)(nil),
 		},
 		RegoPackage: "data.builtin.json.lol",
-		Frameworks:  make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	}, results.GetFailed()[0].Rule())
 }
diff --git a/pkg/iac/scanners/kubernetes/scanner_test.go b/pkg/iac/scanners/kubernetes/scanner_test.go
@@ -119,7 +119,9 @@ deny[res] {
 		CloudFormation: &scan.EngineMetadata{},
 		CustomChecks:   scan.CustomChecks{Terraform: (*scan.TerraformCustomCheck)(nil)},
 		RegoPackage:    "data.builtin.kubernetes.KSV011",
-		Frameworks:     make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	}, results.GetFailed()[0].Rule())
 
 	failure := results.GetFailed()[0]
@@ -279,7 +281,9 @@ deny[res] {
 		CloudFormation: &scan.EngineMetadata{},
 		CustomChecks:   scan.CustomChecks{Terraform: (*scan.TerraformCustomCheck)(nil)},
 		RegoPackage:    "data.builtin.kubernetes.KSV011",
-		Frameworks:     make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	}, results.GetFailed()[0].Rule())
 
 	failure := results.GetFailed()[0]

diff --git a/pkg/iac/scanners/terraformplan/tfjson/test/scanner_test.go b/pkg/iac/scanners/terraformplan/tfjson/test/scanner_test.go
@@ -33,7 +33,7 @@ func Test_Scanning_Plan(t *testing.T) {
 			failedResults = append(failedResults, r)
 		}
 	}
-	assert.Len(t, results, 15)
+
 	assert.Len(t, failedResults, 9)
 
 }
diff --git a/pkg/iac/scanners/toml/scanner_test.go b/pkg/iac/scanners/toml/scanner_test.go
@@ -76,7 +76,9 @@ deny[res] {
 		CustomChecks: scan.CustomChecks{
 			Terraform: (*scan.TerraformCustomCheck)(nil)},
 		RegoPackage: "data.builtin.toml.lol",
-		Frameworks:  make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	},
 		results.GetFailed()[0].Rule(),
 	)

diff --git a/pkg/iac/scanners/yaml/scanner_test.go b/pkg/iac/scanners/yaml/scanner_test.go
@@ -79,7 +79,9 @@ deny[res] {
 		CustomChecks: scan.CustomChecks{
 			Terraform: (*scan.TerraformCustomCheck)(nil)},
 		RegoPackage: "data.builtin.yaml.lol",
-		Frameworks:  make(map[framework.Framework][]string),
+		Frameworks: map[framework.Framework][]string{
+			framework.Default: {},
+		},
 	},
 		results.GetFailed()[0].Rule(),
 	)