Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(misconf): Deprecate EXCEPTIONS for misconfiguration scanning #7776

Merged
merged 6 commits into from
Oct 29, 2024
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion contrib/junit.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
</testsuite>

{{- if .MisconfSummary }}
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" time="">
DmitriyLewen marked this conversation as resolved.
Show resolved Hide resolved
{{- else }}
<testsuite tests="0" failures="0" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- end }}
Expand Down
6 changes: 3 additions & 3 deletions docs/docs/configuration/filtering.md
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ trivy config --severity HIGH,CRITICAL examples/misconf/mixed

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Tests: 17 (SUCCESSES: 16, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Last USER command in Dockerfile should not be 'root'
Expand All @@ -130,13 +130,13 @@ See https://avd.aquasec.com/misconfig/ds002

deployment.yaml (kubernetes)
============================
Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
Tests: 8 (SUCCESSES: 8, FAILURES: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)


main.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Classic resources should not be used.
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ trivy config [flags] DIR
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ trivy filesystem [flags] PATH
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ trivy image [flags] IMAGE_NAME
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--input string input file path instead of image name
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ trivy kubernetes [flags] [CONTEXT]
--include-deprecated-checks include deprecated checks
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ trivy rootfs [flags] ROOTDIR
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_vm.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ trivy vm [flags] VM_IMAGE
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--include-non-failures include successes and failures, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
Expand Down
92 changes: 0 additions & 92 deletions docs/docs/scanner/misconfiguration/check/exceptions.md

This file was deleted.

2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/custom/debug.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ $ trivy config --trace configs/

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
Tests: 23 (SUCCESSES: 21, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/custom/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ Some fields are displayed in scan results.
k.yaml (kubernetes)
───────────────────

Tests: 32 (SUCCESSES: 31, FAILURES: 1, EXCEPTIONS: 0)
Tests: 32 (SUCCESSES: 31, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Found deployment 'my-deployment' but deployments are not allowed
Expand Down
22 changes: 11 additions & 11 deletions docs/docs/scanner/misconfiguration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ $ trivy config [YOUR_IaC_DIRECTORY]

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Tests: 23 (SUCCESSES: 22, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
Expand Down Expand Up @@ -75,7 +75,7 @@ You can specify `--scanners vuln,misconfig,secret` to enable vulnerability and s

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Tests: 17 (SUCCESSES: 16, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Last USER command in Dockerfile should not be 'root'
Expand Down Expand Up @@ -112,7 +112,7 @@ $ trivy config --severity HIGH,CRITICAL ./iac

Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
Expand All @@ -126,7 +126,7 @@ See https://avd.aquasec.com/misconfig/ds002

deployment.yaml (kubernetes)

Tests: 20 (SUCCESSES: 15, FAILURES: 5, EXCEPTIONS: 0)
Tests: 20 (SUCCESSES: 15, FAILURES: 5)
Failures: 5 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)

MEDIUM: Container 'hello-kubernetes' of Deployment 'hello-kubernetes' should set 'securityContext.allowPrivilegeEscalation' to false
Expand Down Expand Up @@ -225,7 +225,7 @@ See https://avd.aquasec.com/misconfig/ksv026

mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Tests: 20 (SUCCESSES: 18, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

MEDIUM: Container 'mysql' of StatefulSet 'mysql' should set 'securityContext.allowPrivilegeEscalation' to false
Expand Down Expand Up @@ -279,35 +279,35 @@ You can see the config type next to each file name.
``` bash
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Tests: 23 (SUCCESSES: 22, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

...

deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Tests: 28 (SUCCESSES: 15, FAILURES: 13)
Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)

...

main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Tests: 23 (SUCCESSES: 14, FAILURES: 9)
Failures: 9 (HIGH: 6, CRITICAL: 1)

...

bucket.yaml (cloudformation)
============================
Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Tests: 9 (SUCCESSES: 3, FAILURES: 6)
Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)

...

mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
==========================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Tests: 20 (SUCCESSES: 18, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
```

Expand Down Expand Up @@ -381,7 +381,7 @@ deny[res] {
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
serverless.yaml (yaml)

Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Tests: 4 (SUCCESSES: 3, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/target/container_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ $ trivy image --image-config-scanners misconfig [YOUR_IMAGE_NAME]
```
alpine:3.17 (dockerfile)
========================
Tests: 24 (SUCCESSES: 21, FAILURES: 3, EXCEPTIONS: 0)
Tests: 24 (SUCCESSES: 21, FAILURES: 3)
Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
Expand Down
3 changes: 1 addition & 2 deletions docs/docs/target/kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -280,8 +280,7 @@ trivy k8s --format json -o results.json cluster
"Type": "kubernetes",
"MisconfSummary": {
"Successes": 20,
"Failures": 19,
"Exceptions": 0
"Failures": 19
},
"Misconfigurations": [
{
Expand Down
9 changes: 0 additions & 9 deletions integration/repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -309,15 +309,6 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/dockerfile-rule-exception.json.golden",
},
{
name: "dockerfile with namespace exception",
args: args{
scanner: types.MisconfigScanner,
policyPaths: []string{"testdata/fixtures/repo/namespace-exception/policy"},
input: "testdata/fixtures/repo/namespace-exception",
},
golden: "testdata/dockerfile-namespace-exception.json.golden",
},
{
name: "dockerfile with custom policies",
args: args{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,7 @@
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 27,
"Failures": 2,
"Exceptions": 0
"Failures": 2
},
"Misconfigurations": [
{
Expand Down
30 changes: 0 additions & 30 deletions integration/testdata/dockerfile-namespace-exception.json.golden

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,7 @@
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 26,
"Failures": 1,
"Exceptions": 0
"Failures": 1
},
"Misconfigurations": [
{
Expand Down
3 changes: 1 addition & 2 deletions integration/testdata/dockerfile.json.golden
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,7 @@
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 26,
"Failures": 1,
"Exceptions": 0
"Failures": 1
},
"Misconfigurations": [
{
Expand Down
Loading