refactor(deps): Merge pkg/specs from trivy-policies into trivy

.github/CODEOWNERS

@@ -6,6 +6,7 @@ docs/docs/scanner/misconfiguration  @knqyf263 @simar7
 docs/docs/target/aws.md             @knqyf263 @simar7
 pkg/fanal/analyzer/config           @knqyf263 @simar7
 pkg/cloud                           @knqyf263 @simar7
+pkg/iac                             @knqyf263 @simar7
 
 # Helm chart
 helm/trivy/ @chen-keinan

go.mod

@@ -25,10 +25,9 @@ require (
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-aws v0.7.1
 	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
-	github.com/aquasecurity/trivy-iac v0.8.0
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.6.3-0.20240118072219-c433b06f98e1
-	github.com/aquasecurity/trivy-policies v0.8.0
+	github.com/aquasecurity/trivy-policies v0.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.24.1
 	github.com/aws/aws-sdk-go-v2/config v1.26.3
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.14
@@ -117,7 +116,22 @@ require (
 	modernc.org/sqlite v1.28.0
 )
 
-require github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
+require (
+	github.com/apparentlymart/go-cidr v1.1.0
+	github.com/aws/smithy-go v1.19.0
+	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/hcl/v2 v2.19.1
+	github.com/liamg/iamgo v0.0.9
+	github.com/liamg/jfather v0.0.7
+	github.com/liamg/memoryfs v1.6.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/olekukonko/tablewriter v0.0.5
+	github.com/zclconf/go-cty v1.13.0
+	github.com/zclconf/go-cty-yaml v1.0.3
+	golang.org/x/crypto v0.18.0
+	helm.sh/helm/v3 v3.14.0
+)
 
 require (
 	cloud.google.com/go v0.110.8 // indirect
@@ -141,7 +155,6 @@ require (
 	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
@@ -154,7 +167,6 @@ require (
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -204,7 +216,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/workspaces v1.35.6 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
@@ -281,11 +292,9 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.19.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -299,9 +308,6 @@ require (
 	github.com/klauspost/compress v1.16.6 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/liamg/iamgo v0.0.9 // indirect
-	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/liamg/memoryfs v1.6.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
@@ -313,7 +319,6 @@ require (
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
 	github.com/miekg/dns v1.1.53 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
@@ -331,7 +336,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/runc v1.1.5 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
@@ -369,8 +373,6 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yuin/gopher-lua v1.1.0 // indirect
-	github.com/zclconf/go-cty v1.13.0 // indirect
-	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
@@ -381,7 +383,6 @@ require (
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/net v0.20.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
@@ -398,7 +399,6 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	helm.sh/helm/v3 v3.14.0 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect
 	k8s.io/apimachinery v0.29.0 // indirect
 	k8s.io/apiserver v0.29.0 // indirect

go.sum

@@ -252,8 +252,6 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
-github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
@@ -353,8 +351,6 @@ github.com/aquasecurity/trivy-aws v0.7.1 h1:XElKZsP9Hqe2JVekQgGCIkFtgRgVlP+80wKL
 github.com/aquasecurity/trivy-aws v0.7.1/go.mod h1:bJT7pzsqo9q5yi3arJSt789bAH0eDb7c+niFYMBNcMQ=
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
-github.com/aquasecurity/trivy-iac v0.8.0 h1:NKFhk/BTwQ0jIh4t74V8+6UIGUvPlaxO9HPlSMQi3fo=
-github.com/aquasecurity/trivy-iac v0.8.0/go.mod h1:ARiMeNqcaVWOXJmp8hmtMnNm/Jd836IOmDBUW5r4KEk=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.6.3-0.20240118072219-c433b06f98e1 h1:/LsIHMQJ4SOxZeib/bvLP7S3YDTXJVIsQyS4kIIP0GQ=

pkg/compliance/spec/compliance.go

@@ -10,7 +10,7 @@ import (
 	"gopkg.in/yaml.v3"
 
 	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
-	sp "github.com/aquasecurity/trivy-policies/pkg/spec"
+	sp "github.com/aquasecurity/trivy/pkg/iac/spec"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 

pkg/extrafs/extrafs.go

@@ -0,0 +1,54 @@
+package extrafs
+
+import (
+	"io/fs"
+	"os"
+	"path/filepath"
+)
+
+/*
+   Go does not currently support symlinks in io/fs.
+   We work around this by wrapping the fs.FS returned by os.DirFS with our own type which bolts on the ReadLinkFS
+*/
+
+type OSFS interface {
+	fs.FS
+	fs.StatFS
+}
+
+type ReadLinkFS interface {
+	ResolveSymlink(name, dir string) (string, error)
+}
+
+type FS interface {
+	OSFS
+	ReadLinkFS
+}
+
+type filesystem struct {
+	root       string
+	underlying OSFS
+}
+
+func OSDir(path string) FS {
+	return &filesystem{
+		root:       path,
+		underlying: os.DirFS(path).(OSFS),
+	}
+}
+
+func (f *filesystem) Open(name string) (fs.File, error) {
+	return f.underlying.Open(name)
+}
+
+func (f *filesystem) Stat(name string) (fs.FileInfo, error) {
+	return f.underlying.Stat(name)
+}
+
+func (f *filesystem) ResolveSymlink(name, dir string) (string, error) {
+	link, err := os.Readlink(filepath.Join(f.root, dir, name))
+	if err == nil {
+		return filepath.Join(dir, link), nil
+	}
+	return name, nil
+}

pkg/fanal/analyzer/config/terraform/terraform.go

@@ -3,9 +3,9 @@ package terraform
 import (
 	"os"
 
-	"github.com/aquasecurity/trivy-iac/pkg/detection"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )
 

pkg/fanal/analyzer/const.go

@@ -1,6 +1,8 @@
 package analyzer
 
-import "github.com/aquasecurity/trivy-iac/pkg/detection"
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
+)
 
 type Type string
 

pkg/iac/adapters/arm/adapt.go

@@ -0,0 +1,49 @@
+package arm
+
+import (
+	"context"
+
+	"github.com/aquasecurity/defsec/pkg/providers/azure"
+	"github.com/aquasecurity/defsec/pkg/state"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/appservice"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/authorization"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/compute"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/container"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/database"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/datafactory"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/datalake"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/keyvault"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/monitor"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/network"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/securitycenter"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/storage"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/synapse"
+	scanner "github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
+)
+
+// Adapt adapts an azure arm instance
+func Adapt(ctx context.Context, deployment scanner.Deployment) *state.State {
+	return &state.State{
+		Azure: adaptAzure(deployment),
+	}
+}
+
+func adaptAzure(deployment scanner.Deployment) azure.Azure {
+
+	return azure.Azure{
+		AppService:     appservice.Adapt(deployment),
+		Authorization:  authorization.Adapt(deployment),
+		Compute:        compute.Adapt(deployment),
+		Container:      container.Adapt(deployment),
+		Database:       database.Adapt(deployment),
+		DataFactory:    datafactory.Adapt(deployment),
+		DataLake:       datalake.Adapt(deployment),
+		KeyVault:       keyvault.Adapt(deployment),
+		Monitor:        monitor.Adapt(deployment),
+		Network:        network.Adapt(deployment),
+		SecurityCenter: securitycenter.Adapt(deployment),
+		Storage:        storage.Adapt(deployment),
+		Synapse:        synapse.Adapt(deployment),
+	}
+
+}

pkg/iac/adapters/arm/appservice/adapt.go

@@ -0,0 +1,58 @@
+package appservice
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/appservice"
+	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) appservice.AppService {
+	return appservice.AppService{
+		Services:     adaptServices(deployment),
+		FunctionApps: adaptFunctionApps(deployment),
+	}
+}
+
+func adaptFunctionApps(deployment azure.Deployment) []appservice.FunctionApp {
+	var functionApps []appservice.FunctionApp
+
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
+		functionApps = append(functionApps, adaptFunctionApp(resource))
+	}
+	return functionApps
+}
+
+func adaptServices(deployment azure.Deployment) []appservice.Service {
+	var services []appservice.Service
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
+		services = append(services, adaptService(resource))
+	}
+	return services
+}
+
+func adaptFunctionApp(resource azure.Resource) appservice.FunctionApp {
+	return appservice.FunctionApp{
+		Metadata:  resource.Metadata,
+		HTTPSOnly: resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+	}
+}
+
+func adaptService(resource azure.Resource) appservice.Service {
+	return appservice.Service{
+		Metadata:         resource.Metadata,
+		EnableClientCert: resource.Properties.GetMapValue("clientCertEnabled").AsBoolValue(false, resource.Properties.GetMetadata()),
+		Identity: struct{ Type defsecTypes.StringValue }{
+			Type: resource.Properties.GetMapValue("identity").GetMapValue("type").AsStringValue("", resource.Properties.GetMetadata()),
+		},
+		Authentication: struct{ Enabled defsecTypes.BoolValue }{
+			Enabled: resource.Properties.GetMapValue("siteAuthSettings").GetMapValue("enabled").AsBoolValue(false, resource.Properties.GetMetadata()),
+		},
+		Site: struct {
+			EnableHTTP2       defsecTypes.BoolValue
+			MinimumTLSVersion defsecTypes.StringValue
+		}{
+			EnableHTTP2:       resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+			MinimumTLSVersion: resource.Properties.GetMapValue("minTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
+		},
+	}
+}

pkg/iac/adapters/arm/authorization/adapt.go

@@ -0,0 +1,38 @@
+package authorization
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/authorization"
+	"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) authorization.Authorization {
+	return authorization.Authorization{
+		RoleDefinitions: adaptRoleDefinitions(deployment),
+	}
+}
+
+func adaptRoleDefinitions(deployment azure.Deployment) (roleDefinitions []authorization.RoleDefinition) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Authorization/roleDefinitions") {
+		roleDefinitions = append(roleDefinitions, adaptRoleDefinition(resource))
+	}
+	return roleDefinitions
+}
+
+func adaptRoleDefinition(resource azure.Resource) authorization.RoleDefinition {
+
+	return authorization.RoleDefinition{
+		Metadata:         resource.Metadata,
+		Permissions:      adaptPermissions(resource),
+		AssignableScopes: resource.Properties.GetMapValue("assignableScopes").AsStringValuesList(""),
+	}
+}
+
+func adaptPermissions(resource azure.Resource) (permissions []authorization.Permission) {
+	for _, permission := range resource.Properties.GetMapValue("permissions").AsList() {
+		permissions = append(permissions, authorization.Permission{
+			Metadata: resource.Metadata,
+			Actions:  permission.GetMapValue("actions").AsStringValuesList(""),
+		})
+	}
+	return permissions
+}