feat(misconf): loading embedded checks as a fallback

[nikpivkin]

Description

This PR adds functionality to fallback to embedded checks if an error occurs compiling an built-in check from a bundle.

main.tf

resource "aws_s3_bucket" "test" {
  bucket = "test"
}

resource "aws_s3_bucket" "log_bucket" {
  bucket = "log_bucket"
}

resource "aws_s3_bucket_logging" "test" {
  bucket = aws_s3_bucket.test.id

  target_bucket = aws_s3_bucket.log_bucket.id
  target_prefix   = "log/"
}

1. rm -rf ~/Library/Caches/trivy/policy
2. go run ./cmd/trivy conf main.tf -d --policy-bundle-repository ghcr.io/nikpivkin/trivy-policies:test

2024-04-16T17:50:24+07:00       DEBUG   [misconf] 50:24.188902000 terraform.scanner.rego           Error occurred while parsing: Users/nikita/Library/Caches/trivy/policy/content/policies/cloud/policies/aws/s3/enable_logging.rego, Users/nikita/Library/Caches/trivy/policy/content/policies/cloud/policies/aws/s3/enable_logging.rego:33: rego_type_error: undefined ref: bucket.logging.is_enabled.value
        bucket.logging.is_enabled.value
                       ^
                       have: "is_enabled"
                       want (one of): ["enabled" "targetbucket"]. 
Try loading embedded policy.
2024-04-16T17:50:24+07:00       DEBUG   [misconf] 50:24.189063000 terraform.scanner.rego           Found embedded policy: checks/cloud/aws/s3/enable_logging.rego

Related issues

• Close feat(misconf): Fallback to embedded check if needed #6505

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

I just checked commands/artifact and scanner/local. They look good to me.

[simar7]

@nikpivkin one case I found was if we ever have a bad check, the fallback to embedded scenario will continue to take place until a new bundle is downloaded (which includes a fixed check). This would occur on each Trivy run.

Perhaps this is acceptable. I thought about re-downloading the bundle in this case (in addition to falling back for that particular run) but I think it's complicated and error prone in other ways.

Thoughts?

[nikpivkin]

@simar7 You mean re-download the previous version's bundle? Then all checks will be rolled back, including those with no errors.

[simar7]

@simar7 You mean re-download the previous version's bundle? Then all checks will be rolled back, including those with no errors.

No I meant download the latest bundle available. But I think it adds complexity so let's not do it.

[chen-keinan]

@nikpivkin @simar7 I have bump trivy-operator with latest trivy 0.51.1 and I'm getting nil pointer exception on L152 while running my policies tests
loc := e.Location.File anyway to protect it?

here is link for test failure

[nikpivkin]

Location can be nil. I'll add a check.

[nikpivkin]

@chen-keinan Opened the PR with a fix. #6638