Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(deps): Merge defsec into Trivy #6006

Closed
wants to merge 3 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
7 changes: 6 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,8 @@ require (
)

require (
github.com/Masterminds/semver v1.5.0
github.com/alecthomas/chroma v0.10.0
github.com/apparentlymart/go-cidr v1.1.0
github.com/aws/smithy-go v1.19.0
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
Expand All @@ -127,6 +129,7 @@ require (
github.com/liamg/memoryfs v1.6.0
github.com/mitchellh/go-homedir v1.1.0
github.com/olekukonko/tablewriter v0.0.5
github.com/owenrumney/squealer v1.2.1
github.com/zclconf/go-cty v1.13.0
github.com/zclconf/go-cty-yaml v1.0.3
golang.org/x/crypto v0.18.0
Expand Down Expand Up @@ -164,7 +167,6 @@ require (
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/alecthomas/chroma v0.10.0 // indirect
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
Expand Down Expand Up @@ -337,6 +339,7 @@ require (
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runc v1.1.5 // indirect
github.com/opencontainers/runtime-spec v1.1.0 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
Expand Down Expand Up @@ -430,3 +433,5 @@ require (
// testcontainers-go has a bug with versions v0.25.0 and v0.26.0
// ref: https://github.com/testcontainers/testcontainers-go/issues/1782
replace github.com/testcontainers/testcontainers-go => github.com/testcontainers/testcontainers-go v0.23.0

replace github.com/aquasecurity/trivy-aws => /Users/simarpreetsingh/repos/trivy-aws
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR requires the changes here to be merged.

2 changes: 0 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -344,8 +344,6 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-aws v0.7.1 h1:XElKZsP9Hqe2JVekQgGCIkFtgRgVlP+80wKL2JWBctk=
github.com/aquasecurity/trivy-aws v0.7.1/go.mod h1:bJT7pzsqo9q5yi3arJSt789bAH0eDb7c+niFYMBNcMQ=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
Expand Down
50 changes: 50 additions & 0 deletions internal/adapters/arm/adapt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
package arm

import (
"context"

"github.com/aquasecurity/trivy/internal/adapters/arm/appservice"
"github.com/aquasecurity/trivy/internal/adapters/arm/authorization"
"github.com/aquasecurity/trivy/internal/adapters/arm/compute"
"github.com/aquasecurity/trivy/internal/adapters/arm/container"
"github.com/aquasecurity/trivy/internal/adapters/arm/database"
"github.com/aquasecurity/trivy/internal/adapters/arm/datafactory"
"github.com/aquasecurity/trivy/internal/adapters/arm/datalake"
"github.com/aquasecurity/trivy/internal/adapters/arm/keyvault"
"github.com/aquasecurity/trivy/internal/adapters/arm/monitor"
"github.com/aquasecurity/trivy/internal/adapters/arm/network"
"github.com/aquasecurity/trivy/internal/adapters/arm/securitycenter"
"github.com/aquasecurity/trivy/internal/adapters/arm/storage"
"github.com/aquasecurity/trivy/internal/adapters/arm/synapse"

"github.com/aquasecurity/trivy/pkg/providers/azure"
scanner "github.com/aquasecurity/trivy/pkg/scanners/azure"
"github.com/aquasecurity/trivy/pkg/state"
)

// Adapt ...
func Adapt(ctx context.Context, deployment scanner.Deployment) *state.State {
return &state.State{
Azure: adaptAzure(deployment),
}
}

func adaptAzure(deployment scanner.Deployment) azure.Azure {

return azure.Azure{
AppService: appservice.Adapt(deployment),
Authorization: authorization.Adapt(deployment),
Compute: compute.Adapt(deployment),
Container: container.Adapt(deployment),
Database: database.Adapt(deployment),
DataFactory: datafactory.Adapt(deployment),
DataLake: datalake.Adapt(deployment),
KeyVault: keyvault.Adapt(deployment),
Monitor: monitor.Adapt(deployment),
Network: network.Adapt(deployment),
SecurityCenter: securitycenter.Adapt(deployment),
Storage: storage.Adapt(deployment),
Synapse: synapse.Adapt(deployment),
}

}
58 changes: 58 additions & 0 deletions internal/adapters/arm/appservice/adapt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
package appservice

import (
"github.com/aquasecurity/trivy/pkg/providers/azure/appservice"
"github.com/aquasecurity/trivy/pkg/scanners/azure"
defsecTypes "github.com/aquasecurity/trivy/pkg/types"
)

func Adapt(deployment azure.Deployment) appservice.AppService {
return appservice.AppService{
Services: adaptServices(deployment),
FunctionApps: adaptFunctionApps(deployment),
}
}

func adaptFunctionApps(deployment azure.Deployment) []appservice.FunctionApp {
var functionApps []appservice.FunctionApp

for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
functionApps = append(functionApps, adaptFunctionApp(resource))
}
return functionApps
}

func adaptServices(deployment azure.Deployment) []appservice.Service {
var services []appservice.Service
for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
services = append(services, adaptService(resource))
}
return services
}

func adaptFunctionApp(resource azure.Resource) appservice.FunctionApp {
return appservice.FunctionApp{
Metadata: resource.Metadata,
HTTPSOnly: resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
}
}

func adaptService(resource azure.Resource) appservice.Service {
return appservice.Service{
Metadata: resource.Metadata,
EnableClientCert: resource.Properties.GetMapValue("clientCertEnabled").AsBoolValue(false, resource.Properties.GetMetadata()),
Identity: struct{ Type defsecTypes.StringValue }{
Type: resource.Properties.GetMapValue("identity").GetMapValue("type").AsStringValue("", resource.Properties.GetMetadata()),
},
Authentication: struct{ Enabled defsecTypes.BoolValue }{
Enabled: resource.Properties.GetMapValue("siteAuthSettings").GetMapValue("enabled").AsBoolValue(false, resource.Properties.GetMetadata()),
},
Site: struct {
EnableHTTP2 defsecTypes.BoolValue
MinimumTLSVersion defsecTypes.StringValue
}{
EnableHTTP2: resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
MinimumTLSVersion: resource.Properties.GetMapValue("minTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
},
}
}
38 changes: 38 additions & 0 deletions internal/adapters/arm/authorization/adapt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
package authorization

import (
"github.com/aquasecurity/trivy/pkg/providers/azure/authorization"
"github.com/aquasecurity/trivy/pkg/scanners/azure"
)

func Adapt(deployment azure.Deployment) authorization.Authorization {
return authorization.Authorization{
RoleDefinitions: adaptRoleDefinitions(deployment),
}
}

func adaptRoleDefinitions(deployment azure.Deployment) (roleDefinitions []authorization.RoleDefinition) {
for _, resource := range deployment.GetResourcesByType("Microsoft.Authorization/roleDefinitions") {
roleDefinitions = append(roleDefinitions, adaptRoleDefinition(resource))
}
return roleDefinitions
}

func adaptRoleDefinition(resource azure.Resource) authorization.RoleDefinition {

return authorization.RoleDefinition{
Metadata: resource.Metadata,
Permissions: adaptPermissions(resource),
AssignableScopes: resource.Properties.GetMapValue("assignableScopes").AsStringValuesList(""),
}
}

func adaptPermissions(resource azure.Resource) (permissions []authorization.Permission) {
for _, permission := range resource.Properties.GetMapValue("permissions").AsList() {
permissions = append(permissions, authorization.Permission{
Metadata: resource.Metadata,
Actions: permission.GetMapValue("actions").AsStringValuesList(""),
})
}
return permissions
}
85 changes: 85 additions & 0 deletions internal/adapters/arm/compute/adapt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
package compute

import (
"github.com/aquasecurity/trivy/pkg/providers/azure/compute"
"github.com/aquasecurity/trivy/pkg/scanners/azure"
defsecTypes "github.com/aquasecurity/trivy/pkg/types"
)

func Adapt(deployment azure.Deployment) compute.Compute {
return compute.Compute{
LinuxVirtualMachines: adaptLinuxVirtualMachines(deployment),
WindowsVirtualMachines: adaptWindowsVirtualMachines(deployment),
ManagedDisks: adaptManagedDisks(deployment),
}
}

func adaptManagedDisks(deployment azure.Deployment) (managedDisks []compute.ManagedDisk) {

for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/disks") {
managedDisks = append(managedDisks, adaptManagedDisk(resource))
}

return managedDisks
}

func adaptManagedDisk(resource azure.Resource) compute.ManagedDisk {
hasEncryption := resource.Properties.HasKey("encryption")

return compute.ManagedDisk{
Metadata: resource.Metadata,
Encryption: compute.Encryption{
Metadata: resource.Metadata,
Enabled: defsecTypes.Bool(hasEncryption, resource.Metadata),
},
}
}

func adaptWindowsVirtualMachines(deployment azure.Deployment) (windowsVirtualMachines []compute.WindowsVirtualMachine) {
for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/virtualMachines") {
if resource.Properties.GetMapValue("osProfile").GetMapValue("windowsConfiguration").AsMap() != nil {
windowsVirtualMachines = append(windowsVirtualMachines, adaptWindowsVirtualMachine(resource))
}
}

return windowsVirtualMachines
}

func adaptWindowsVirtualMachine(resource azure.Resource) compute.WindowsVirtualMachine {
return compute.WindowsVirtualMachine{
Metadata: resource.Metadata,
VirtualMachine: compute.VirtualMachine{
Metadata: resource.Metadata,
CustomData: resource.Properties.GetMapValue("osProfile").
GetMapValue("customData").AsStringValue("", resource.Metadata),
},
}
}

func adaptLinuxVirtualMachines(deployment azure.Deployment) (linuxVirtualMachines []compute.LinuxVirtualMachine) {
for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/virtualMachines") {
if resource.Properties.GetMapValue("osProfile").GetMapValue("linuxConfiguration").AsMap() != nil {
linuxVirtualMachines = append(linuxVirtualMachines, adaptLinuxVirtualMachine(resource))
}
}

return linuxVirtualMachines
}

func adaptLinuxVirtualMachine(resource azure.Resource) compute.LinuxVirtualMachine {
return compute.LinuxVirtualMachine{
Metadata: resource.Metadata,
VirtualMachine: compute.VirtualMachine{
Metadata: resource.Metadata,
CustomData: resource.Properties.GetMapValue("osProfile").
GetMapValue("customData").AsStringValue("", resource.Metadata),
},
OSProfileLinuxConfig: compute.OSProfileLinuxConfig{
Metadata: resource.Metadata,
DisablePasswordAuthentication: resource.Properties.GetMapValue("osProfile").
GetMapValue("linuxConfiguration").
GetMapValue("disablePasswordAuthentication").AsBoolValue(false, resource.Metadata),
},
}

}
60 changes: 60 additions & 0 deletions internal/adapters/arm/compute/adapt_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
package compute

import (
"testing"

"github.com/aquasecurity/trivy/pkg/scanners/azure"
"github.com/aquasecurity/trivy/pkg/types"

"github.com/stretchr/testify/assert"

"github.com/stretchr/testify/require"
)

func Test_AdaptLinuxVM(t *testing.T) {

input := azure.Deployment{
Resources: []azure.Resource{
{
Type: azure.NewValue("Microsoft.Compute/virtualMachines", types.NewTestMisconfigMetadata()),
Properties: azure.NewValue(map[string]azure.Value{
"osProfile": azure.NewValue(map[string]azure.Value{
"linuxConfiguration": azure.NewValue(map[string]azure.Value{
"disablePasswordAuthentication": azure.NewValue(true, types.NewTestMisconfigMetadata()),
}, types.NewTestMisconfigMetadata()),
}, types.NewTestMisconfigMetadata()),
}, types.NewTestMisconfigMetadata()),
},
},
}

output := Adapt(input)

require.Len(t, output.LinuxVirtualMachines, 1)
require.Len(t, output.WindowsVirtualMachines, 0)

linuxVM := output.LinuxVirtualMachines[0]
assert.True(t, linuxVM.OSProfileLinuxConfig.DisablePasswordAuthentication.IsTrue())

}

func Test_AdaptWindowsVM(t *testing.T) {

input := azure.Deployment{
Resources: []azure.Resource{
{
Type: azure.NewValue("Microsoft.Compute/virtualMachines", types.NewTestMisconfigMetadata()),
Properties: azure.NewValue(map[string]azure.Value{
"osProfile": azure.NewValue(map[string]azure.Value{
"windowsConfiguration": azure.NewValue(map[string]azure.Value{}, types.NewTestMisconfigMetadata()),
}, types.NewTestMisconfigMetadata()),
}, types.NewTestMisconfigMetadata()),
},
},
}

output := Adapt(input)

require.Len(t, output.LinuxVirtualMachines, 0)
require.Len(t, output.WindowsVirtualMachines, 1)
}
17 changes: 17 additions & 0 deletions internal/adapters/arm/container/adapt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
package container

import (
"github.com/aquasecurity/trivy/pkg/providers/azure/container"
"github.com/aquasecurity/trivy/pkg/scanners/azure"
)

func Adapt(deployment azure.Deployment) container.Container {
return container.Container{
KubernetesClusters: adaptKubernetesClusters(deployment),
}
}

func adaptKubernetesClusters(deployment azure.Deployment) []container.KubernetesCluster {

return nil
}
35 changes: 35 additions & 0 deletions internal/adapters/arm/database/adapt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
package database

import (
"github.com/aquasecurity/trivy/pkg/providers/azure/database"
"github.com/aquasecurity/trivy/pkg/scanners/azure"
)

func Adapt(deployment azure.Deployment) database.Database {
return database.Database{
MSSQLServers: adaptMSSQLServers(deployment),
MariaDBServers: adaptMariaDBServers(deployment),
MySQLServers: adaptMySQLServers(deployment),
PostgreSQLServers: adaptPostgreSQLServers(deployment),
}
}

func adaptMySQLServers(deployment azure.Deployment) (mysqlDbServers []database.MySQLServer) {
for _, resource := range deployment.GetResourcesByType("Microsoft.DBforMySQL/servers") {
mysqlDbServers = append(mysqlDbServers, adaptMySQLServer(resource, deployment))
}
return mysqlDbServers
}

func adaptMySQLServer(resource azure.Resource, deployment azure.Deployment) database.MySQLServer {
return database.MySQLServer{
Metadata: resource.Metadata,
Server: database.Server{
Metadata: resource.Metadata,
EnableSSLEnforcement: resource.Properties.GetMapValue("sslEnforcement").AsBoolValue(false, resource.Metadata),
MinimumTLSVersion: resource.Properties.GetMapValue("minimalTlsVersion").AsStringValue("TLSEnforcementDisabled", resource.Metadata),
EnablePublicNetworkAccess: resource.Properties.GetMapValue("publicNetworkAccess").AsBoolValue(false, resource.Metadata),
FirewallRules: addFirewallRule(resource),
},
}
}
Loading
Loading