fix(checks): handle of unresolvable values #279
Conversation
nikpivkin
force-pushed
the
rego-unresolvable
branch
4 times, most recently
from
8e5c630
to
bcb07cf
Compare
| @REPO=localhost:${REGISTRY_PORT}/trivy-checks:latest ;\ | ||
| echo "Pushing to repository: $$REPO" ;\ | ||
| docker run --rm -it --net=host -v $$PWD/${BUNDLE_FILE}:/${BUNDLE_FILE} bitnami/oras:latest push \ |
There was a problem hiding this comment.
This will allow Oras to access the local registry.
There was a problem hiding this comment.
In my testing, I haven't had the need to allow --net=host.
Run registry:
docker run -it --rm -p 6000:5000 registry
Push image:
oras push localhost:6000/trivy-checks:1 --config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
There was a problem hiding this comment.
in Makefile oras runs in a container
There was a problem hiding this comment.
Ah that's right - I missed that, makes sense.
| less_than(val, other) := false if { | ||
| is_unresolvable(val) | ||
| } else := val.value < other | ||
|
|
||
| greater_than(val, other) := false if { | ||
| is_unresolvable(val) | ||
| } else := val.value > other |
There was a problem hiding this comment.
Right, the good thing to do is to use epsilon, but I haven't encountered floating numbers in the checks.
| sg.description.value == "" | ||
| res := result.new("Security group rule allows egress to multiple public addresses.", sg.description) | ||
| without_description(sg) | ||
| res := result.new("Network security group does not have a description.", sg.description) |
There was a problem hiding this comment.
This change should have failed a test right? (since the resulting message has changed).
There was a problem hiding this comment.
In some tests, we only check the number of results, not the messages. We usually do this in tests for those checks that may return several different messages.
There was a problem hiding this comment.
OK - I think we should improve that, at least for those checks where there isn't any more than a single message that can be in the output. We can do it in a separate PR if you like.
| "Database server does not have public access enabled.", | ||
| metadata.obj_by_path(server, "enablepublicnetworkaccess"), | ||
| "Database server has public network access enabled.", | ||
| server.enablepublicnetworkaccess, |
Signed-off-by: Nikita Pivkin <[email protected]>
simar7
force-pushed
the
rego-unresolvable
branch
from
bcb07cf
to
7d8d96c
Compare
Related issues:
Before
After
./trivy conf main.tf --checks-bundle-repository localhost:5111/trivy-checks:latest --cache-dir cache 2024-10-22T17:03:40+06:00 INFO [misconfig] Misconfiguration scanning is enabled 2024-10-22T17:03:41+06:00 INFO [terraform scanner] Scanning root module file_path="." 2024-10-22T17:03:41+06:00 INFO Detected config files num=1