refactor(misconf): Remove unused options #7896

Merged
merged 4 commits into from
Nov 29, 2024
8 changes: 0 additions & 8 deletions pkg/iac/rego/metadata.go
Expand Up @@ -222,7 +222,6 @@ func NewEngineMetadata(schema string, meta map[string]any) (*scan.EngineMetadata
}

type InputOptions struct {
Combined bool
Selectors []Selector
}

Expand Down Expand Up @@ -352,7 +351,6 @@ func (m *MetadataRetriever) RetrieveMetadata(ctx context.Context, module *ast.Mo
func (m *MetadataRetriever) queryInputOptions(ctx context.Context, module *ast.Module) InputOptions {

options := InputOptions{
Combined: false,
Selectors: nil,
}

Expand Down Expand Up @@ -395,12 +393,6 @@ func (m *MetadataRetriever) queryInputOptions(ctx context.Context, module *ast.M
metadata = meta
}

if raw, ok := metadata["combine"]; ok {
if combine, ok := raw.(bool); ok {
options.Combined = combine
}
}

if raw, ok := metadata["selector"]; ok {
if each, ok := raw.([]any); ok {
for _, rawSelector := range each {
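Review bot: Policies whose metadata still declares `combine: true` are now parsed without any signal that the option is ignored, because the `combine` lookup is removed and only the `selector` lookup remains in queryInputOptions. Custom checks written for the previous behaviour will silently switch to per-input evaluation, which changes which findings they produce. Consider keeping a lookup that only reports the obsolete key, e.g. `if _, ok := metadata["combine"]; ok { /* log or otherwise surface that combine is no longer supported */ }`, so the change is visible to users rather than discovered from altered results. queryInputOptions starts in the previous hunk and its body continues past this one.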
33 changes: 3 additions & 30 deletions pkg/iac/rego/scanner.go
Expand Up @@ -247,7 +247,7 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
}
usedRules[ruleName] = struct{}{}
if isEnforcedRule(ruleName) {
ruleResults, err := s.applyRule(ctx, namespace, ruleName, inputs, staticMeta.InputOptions.Combined)
ruleResults, err := s.applyRule(ctx, namespace, ruleName, inputs)
if err != nil {
s.logger.Error(
"Error occurred while applying rule from check",
Expand Down Expand Up @@ -328,14 +328,7 @@ func parseRawInput(input any) (ast.Value, error) {
return ast.InterfaceToValue(input)
}

func (s *Scanner) applyRule(ctx context.Context, namespace, rule string, inputs []Input, combined bool) (scan.Results, error) {

// handle combined evaluations if possible
if combined {
s.trace("INPUT", inputs)
return s.applyRuleCombined(ctx, namespace, rule, inputs)
}

func (s *Scanner) applyRule(ctx context.Context, namespace, rule string, inputs []Input) (scan.Results, error) {
var results scan.Results
qualified := fmt.Sprintf("data.%s.%s", namespace, rule)
for _, input := range inputs {
Expand Down Expand Up @@ -366,30 +359,10 @@ func (s *Scanner) applyRule(ctx context.Context, namespace, rule string, inputs
return results, nil
}

func (s *Scanner) applyRuleCombined(ctx context.Context, namespace, rule string, inputs []Input) (scan.Results, error) {
if len(inputs) == 0 {
return nil, nil
}

parsed, err := parseRawInput(inputs)
if err != nil {
return nil, fmt.Errorf("failed to parse input: %w", err)
}

qualified := fmt.Sprintf("data.%s.%s", namespace, rule)
set, traces, err := s.runQuery(ctx, qualified, parsed, false)
if err != nil {
return nil, err
}
return s.convertResults(set, inputs[0], namespace, rule, traces), nil
}

// severity is now set with metadata, so deny/warn/violation now behave the same way
func isEnforcedRule(name string) bool {
switch {
case name == "deny", strings.HasPrefix(name, "deny_"),
name == "warn", strings.HasPrefix(name, "warn_"),
name == "violation", strings.HasPrefix(name, "violation_"):
case name == "deny", strings.HasPrefix(name, "deny_"):
return true
}
return false
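Review bot: The comment above isEnforcedRule still states that deny/warn/violation behave the same way, but the rewritten switch returns true only for `deny` and `deny_*`, so `warn` and `violation` rules are no longer evaluated at all. Update it to match, e.g. `// isEnforcedRule reports whether a rule is evaluated as a check; only deny rules are enforced, warn and violation rules are ignored.`. Since ScanInput (first hunk of this file) skips any rule for which this returns false, a custom check that still uses `warn` or `violation` stops producing findings without any diagnostic; a warn-level log when such a rule name is encountered in a loaded module would make the migration visible. The rest of isEnforcedRule is within the hunk, but ScanInput's body runs outside it.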
35 changes: 0 additions & 35 deletions pkg/iac/rego/scanner_test.go
Expand Up @@ -63,7 +63,6 @@ deny {
assert.Empty(t, results.GetIgnored())

assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename())
assert.False(t, results.GetFailed()[0].IsWarning())
}

func Test_RegoScanning_AbsolutePolicyPath_Deny(t *testing.T) {
Expand Down Expand Up @@ -98,40 +97,6 @@ deny {
assert.Empty(t, results.GetIgnored())

assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename())
assert.False(t, results.GetFailed()[0].IsWarning())
}

func Test_RegoScanning_Warn(t *testing.T) {

srcFS := CreateFS(t, map[string]string{
"policies/test.rego": `
package defsec.test

warn {
input.evil
}
`,
})

scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))

results, err := scanner.ScanInput(context.TODO(), rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
},
})
require.NoError(t, err)

require.Len(t, results.GetFailed(), 1)
require.Empty(t, results.GetPassed())
require.Empty(t, results.GetIgnored())

assert.True(t, results.GetFailed()[0].IsWarning())
}

func Test_RegoScanning_Allow(t *testing.T) {
2 changes: 0 additions & 2 deletions pkg/iac/scan/flat.go
Expand Up @@ -18,7 +18,6 @@ type FlatResult struct {
Description string `json:"description"`
RangeAnnotation string `json:"-"`
Severity severity.Severity `json:"severity"`
Warning bool `json:"warning"`
Status Status `json:"status"`
Resource string `json:"resource"`
Occurrences []Occurrence `json:"occurrences,omitempty"`
Expand Down Expand Up @@ -64,7 +63,6 @@ func (r *Result) Flatten() FlatResult {
Status: r.status,
Resource: resMetadata.Reference(),
Occurrences: r.Occurrences(),
Warning: r.IsWarning(),
Location: FlatRange{
Filename: rng.GetFilename(),
StartLine: rng.GetStartLine(),
6 changes: 0 additions & 6 deletions pkg/iac/scan/result.go
Expand Up @@ -29,7 +29,6 @@ type Result struct {
severityOverride *severity.Severity
regoNamespace string
regoRule string
warning bool
traces []string
fsPath string
}
Expand All @@ -49,10 +48,6 @@ func (r Result) Severity() severity.Severity {
return r.Rule().Severity
}

func (r *Result) IsWarning() bool {
return r.warning
}

func (r *Result) OverrideSeverity(s severity.Severity) {
r.severityOverride = &s
}
Expand Down Expand Up @@ -195,7 +190,6 @@ func (r *Results) AddRego(description, namespace, rule string, traces []string,
description: description,
regoNamespace: namespace,
regoRule: rule,
warning: rule == "warn" || strings.HasPrefix(rule, "warn_"),
traces: traces,
}
result.metadata = getMetadataFromSource(source)
15 changes: 6 additions & 9 deletions pkg/misconf/scanner.go
Expand Up @@ -482,16 +482,13 @@ func ResultsToMisconf(configType types.ConfigType, scannerName string, results s
}
}

if flattened.Warning {
misconf.Warnings = append(misconf.Warnings, misconfResult)
} else {
switch flattened.Status {
case scan.StatusPassed:
misconf.Successes = append(misconf.Successes, misconfResult)
case scan.StatusFailed:
misconf.Failures = append(misconf.Failures, misconfResult)
}
switch flattened.Status {
case scan.StatusPassed:
misconf.Successes = append(misconf.Successes, misconfResult)
case scan.StatusFailed:
misconf.Failures = append(misconf.Failures, misconfResult)
}

misconfs[filePath] = misconf
}

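Review bot: After this change nothing in ResultsToMisconf appends to `misconf.Warnings`, so if the `Warnings` field on the misconfiguration type still exists (it is not visible in this diff) it is now always empty in reports and should be removed or marked `// Deprecated:` so consumers stop relying on it. The new `switch flattened.Status` also has no `default` branch, so any status other than passed or failed is dropped silently; a one-line comment such as `// statuses other than passed/failed are intentionally not reported here`, or a default case that logs the unexpected status, would make that explicit. ResultsToMisconf starts before this hunk.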