diff --git a/pkg/cloud/aws/commands/run_test.go b/pkg/cloud/aws/commands/run_test.go
index b5a81ef9a995..738be63ecd78 100644
--- a/pkg/cloud/aws/commands/run_test.go
+++ b/pkg/cloud/aws/commands/run_test.go
@@ -8,6 +8,8 @@ import (
 "testing"
 "time"
+ defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+
 dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 "github.com/aquasecurity/trivy/pkg/compliance/spec"
 "github.com/aquasecurity/trivy/pkg/flag"
@@ -649,18 +651,18 @@ deny[res] {
 },
 ReportOptions: flag.ReportOptions{
 Compliance: spec.ComplianceSpec{
- Spec: spec.Spec{
+ Spec: defsecTypes.Spec{ // TODO: refactor defsec so that the parsed spec can be passed
 ID: "@testdata/example-spec.yaml",
 Title: "my-custom-spec",
 Description: "My fancy spec",
 Version: "1.2",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 ID: "1.1",
 Name: "Unencrypted S3 bucket",
 Description: "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-AWS-0088"},
 },
 Severity: "HIGH",
diff --git a/pkg/compliance/report/report_test.go b/pkg/compliance/report/report_test.go
index b1b4cc9b6afa..cbb33fd1d186 100644
--- a/pkg/compliance/report/report_test.go
+++ b/pkg/compliance/report/report_test.go
@@ -4,6 +4,8 @@ import (
 "fmt"
 "testing"
+ defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+
 "github.com/stretchr/testify/assert"
 dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
@@ -97,7 +99,7 @@ func TestBuildComplianceReport(t *testing.T) {
 },
 },
 cs: spec.ComplianceSpec{
- Spec: spec.Spec{
+ Spec: defsecTypes.Spec{
 ID: "1234",
 Title: "NSA",
 Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -105,13 +107,13 @@ func TestBuildComplianceReport(t *testing.T) {
 RelatedResources: []string{
 "https://example.com",
 },
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 ID: "1.0",
 Name: "Non-root containers",
 Description: "Check that container is not running as root",
 Severity: "MEDIUM",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-KSV-0001"},
 },
 },
@@ -120,7 +122,7 @@ func TestBuildComplianceReport(t *testing.T) {
 Name: "Immutable container file systems",
 Description: "Check that container root file system is immutable",
 Severity: "LOW",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-KSV-0002"},
 },
 },
@@ -129,7 +131,7 @@ func TestBuildComplianceReport(t *testing.T) {
 Name: "tzdata - new upstream version",
 Description: "Bad tzdata package",
 Severity: "CRITICAL",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "DLA-2424-1"},
 },
 },
diff --git a/pkg/compliance/spec/compliance_test.go b/pkg/compliance/spec/compliance_test.go
index 44c256e00897..23914251df51 100644
--- a/pkg/compliance/spec/compliance_test.go
+++ b/pkg/compliance/spec/compliance_test.go
@@ -5,6 +5,8 @@ import (
 "sort"
 "testing"
+ defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+
 "github.com/stretchr/testify/assert"
 "github.com/aquasecurity/trivy/pkg/compliance/spec"
@@ -14,13 +16,13 @@ import (
 func TestComplianceSpec_Scanners(t *testing.T) {
 tests := []struct {
 name string
- spec spec.Spec
+ spec defsecTypes.Spec
 want types.Scanners
 wantErr assert.ErrorAssertionFunc
 }{
 {
 name: "get config scanner type by check id prefix",
- spec: spec.Spec{
+ spec: defsecTypes.Spec{
 ID: "1234",
 Title: "NSA",
 Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -28,12 +30,12 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 "https://example.com",
 },
 Version: "1.0",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 Name: "Non-root containers",
 Description: "Check that container is not running as root",
 ID: "1.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-KSV012"},
 },
 },
@@ -41,7 +43,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 Name: "Check that encryption resource has been set",
 Description: "Control checks whether encryption resource has been set",
 ID: "1.1",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-1.2.31"},
 {ID: "AVD-1.2.32"},
 },
@@ -53,7 +55,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 },
 {
 name: "get config and vuln scanners types by check id prefix",
- spec: spec.Spec{
+ spec: defsecTypes.Spec{
 ID: "1234",
 Title: "NSA",
 Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -61,12 +63,12 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 "https://example.com",
 },
 Version: "1.0",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 Name: "Non-root containers",
 Description: "Check that container is not running as root",
 ID: "1.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-KSV012"},
 },
 },
@@ -74,7 +76,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 Name: "Check that encryption resource has been set",
 Description: "Control checks whether encryption resource has been set",
 ID: "1.1",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-1.2.31"},
 {ID: "AVD-1.2.32"},
 },
@@ -83,7 +85,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 Name: "Ensure no critical vulnerabilities",
 Description: "Control checks whether critical vulnerabilities are not found",
 ID: "7.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "CVE-9999-9999"},
 },
 },
@@ -97,7 +99,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 },
 {
 name: "unknown prefix",
- spec: spec.Spec{
+ spec: defsecTypes.Spec{
 ID: "1234",
 Title: "NSA",
 Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -105,11 +107,11 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 "https://example.com",
 },
 Version: "1.0",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 Name: "Unknown",
 ID: "1.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "UNKNOWN-001"},
 },
 },
@@ -138,12 +140,12 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 func TestComplianceSpec_CheckIDs(t *testing.T) {
 tests := []struct {
 name string
- spec spec.Spec
+ spec defsecTypes.Spec
 want map[types.Scanner][]string
 }{
 {
 name: "get config scanner type by check id prefix",
- spec: spec.Spec{
+ spec: defsecTypes.Spec{
 ID: "1234",
 Title: "NSA",
 Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -151,12 +153,12 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 "https://example.com",
 },
 Version: "1.0",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 Name: "Non-root containers",
 Description: "Check that container is not running as root",
 ID: "1.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-KSV012"},
 },
 },
@@ -164,7 +166,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 Name: "Check that encryption resource has been set",
 Description: "Control checks whether encryption resource has been set",
 ID: "1.1",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-1.2.31"},
 {ID: "AVD-1.2.32"},
 },
@@ -181,7 +183,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 },
 {
 name: "get config and vuln scanners types by check id prefix",
- spec: spec.Spec{
+ spec: defsecTypes.Spec{
 ID: "1234",
 Title: "NSA",
 Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -189,12 +191,12 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 "https://example.com",
 },
 Version: "1.0",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 Name: "Non-root containers",
 Description: "Check that container is not running as root",
 ID: "1.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-KSV012"},
 },
 },
@@ -202,7 +204,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 Name: "Check that encryption resource has been set",
 Description: "Control checks whether encryption resource has been set",
 ID: "1.1",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-1.2.31"},
 {ID: "AVD-1.2.32"},
 },
@@ -211,7 +213,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 Name: "Ensure no critical vulnerabilities",
 Description: "Control checks whether critical vulnerabilities are not found",
 ID: "7.0",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "CVE-9999-9999"},
 },
 },
diff --git a/pkg/flag/report_flags_test.go b/pkg/flag/report_flags_test.go
index 17397f453da9..e2fbab4ab984 100644
--- a/pkg/flag/report_flags_test.go
+++ b/pkg/flag/report_flags_test.go
@@ -4,6 +4,8 @@ import (
 "os"
 "testing"
+ defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+
 "github.com/spf13/viper"
 "github.com/stretchr/testify/assert"
 "go.uber.org/zap"
@@ -182,17 +184,17 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 want: flag.ReportOptions{
 Output: os.Stdout,
 Compliance: spec.ComplianceSpec{
- Spec: spec.Spec{
+ Spec: defsecTypes.Spec{
 ID: "0001",
 Title: "my-custom-spec",
 Description: "My fancy spec",
 Version: "1.2",
- Controls: []spec.Control{
+ Controls: []defsecTypes.Control{
 {
 ID: "1.1",
 Name: "Unencrypted S3 bucket",
 Description: "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
- Checks: []spec.SpecCheck{
+ Checks: []defsecTypes.SpecCheck{
 {ID: "AVD-AWS-0088"},
 },
 Severity: "HIGH",
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 25be0851246b..2e0cd4ce268b 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -18,8 +18,9 @@ import (
 )
 const (
- bundleVersion = 0 // Latest released MAJOR version for defsec
- bundleRepository = "ghcr.io/aquasecurity/defsec"
+ bundleVersion = 0 // Latest released MAJOR version for defsec
+ //bundleRepository = "ghcr.io/aquasecurity/defsec"
+ bundleRepository = "localhost:5000/defsec"
 policyMediaType = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
 updateInterval = 24 * time.Hour
 )
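Review bot: The new `bundleRepository = "localhost:5000/defsec"` points the policy-bundle source at a local registry while the real value is left commented out, which looks like a development leftover that must not ship; every build of this package would then try to pull its misconfiguration policies from whatever happens to answer on port 5000 of the scanning host (a local registry is typically plain HTTP with no authentication), or fail when nothing does. Since the bundle contents decide which findings the scanner reports, the fetch origin is a supply-chain trust boundary and should not be a hand-edited constant; the surrounding download and verification code is outside this hunk, so I cannot tell whether a digest or signature check would catch a substituted bundle. Restore `bundleRepository = "ghcr.io/aquasecurity/defsec"`, delete the `//bundleRepository = ...` line rather than keeping dead code in the const block, and if a local override is genuinely needed for testing, expose it as a flag or environment variable that is read at runtime instead of changing the default.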