Merge branch 'dev' of https://github.com/kubescape/kubescape into dev

2026-02-14 18:09:55 +00:00 · 2023-01-12 14:09:35 +02:00
parent 3cece6cf35 93b626bb1e
commit 1a011f4968
12 changed files with 7107 additions and 134 deletions
--- a/.github/workflows/01-golang-lint.yaml
+++ b/.github/workflows/01-golang-lint.yaml
@@ -20,7 +20,7 @@ jobs:
    steps:
      - uses: actions/setup-go@v3
        with:
-          go-version: 1.18
+          go-version: 1.19
      - uses: actions/checkout@v3
        with:
          submodules: recursive
--- a/core/cautils/getter/getpoliciesutils.go
+++ b/core/cautils/getter/getpoliciesutils.go
@@ -2,7 +2,6 @@ package getter

 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@@ -41,13 +40,6 @@ func SaveInFile(policy interface{}, pathStr string) error {
 	return nil
 }

-// JSONDecoder returns JSON decoder for given string
-func JSONDecoder(origin string) *json.Decoder {
-	dec := json.NewDecoder(strings.NewReader(origin))
-	dec.UseNumber()
-	return dec
-}
-
 func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {

 	req, err := http.NewRequest("DELETE", fullURL, nil)
@@ -66,6 +58,7 @@ func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]stri
 	}
 	return respStr, nil
 }
+
 func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {

 	req, err := http.NewRequest("GET", fullURL, nil)
--- a/core/cautils/getter/json.go
+++ b/core/cautils/getter/json.go
@@ -0,0 +1,26 @@
+package getter
+
+import (
+	"strings"
+
+	stdjson "encoding/json"
+
+	jsoniter "github.com/json-iterator/go"
+)
+
+var (
+	json jsoniter.API
+)
+
+func init() {
+	// NOTE(fredbi): attention, this configuration rounds floats down to 6 digits
+	// For finer-grained config, see: https://pkg.go.dev/github.com/json-iterator/go#section-readme
+	json = jsoniter.ConfigFastest
+}
+
+// JSONDecoder returns JSON decoder for given string
+func JSONDecoder(origin string) *stdjson.Decoder {
+	dec := stdjson.NewDecoder(strings.NewReader(origin))
+	dec.UseNumber()
+	return dec
+}
--- a/core/cautils/getter/json_test.go
+++ b/core/cautils/getter/json_test.go
@@ -0,0 +1,32 @@
+package getter
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestJSONDecoder(t *testing.T) {
+	t.Run("should decode json string", func(t *testing.T) {
+		const input = `"xyz"`
+		d := JSONDecoder(input)
+		var receiver string
+		require.NoError(t, d.Decode(&receiver))
+		require.Equal(t, "xyz", receiver)
+	})
+
+	t.Run("should decode json number", func(t *testing.T) {
+		const input = `123.01`
+		d := JSONDecoder(input)
+		var receiver float64
+		require.NoError(t, d.Decode(&receiver))
+		require.Equal(t, 123.01, receiver)
+	})
+
+	t.Run("requires json quotes", func(t *testing.T) {
+		const input = `xyz`
+		d := JSONDecoder(input)
+		var receiver string
+		require.Error(t, d.Decode(&receiver))
+	})
+}
--- a/core/cautils/getter/kscloudapi.go
+++ b/core/cautils/getter/kscloudapi.go
@@ -2,7 +2,6 @@ package getter

 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
--- a/core/cautils/getter/kscloudapiutils.go
+++ b/core/cautils/getter/kscloudapiutils.go
@@ -2,7 +2,6 @@ package getter

 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
--- a/core/cautils/getter/loadpolicy.go
+++ b/core/cautils/getter/loadpolicy.go
@@ -1,7 +1,7 @@
 package getter

 import (
-	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -15,7 +15,19 @@ import (
 // =======================================================================================================================
 // ============================================== LoadPolicy =============================================================
 // =======================================================================================================================
-var DefaultLocalStore = getCacheDir()
+var (
+	DefaultLocalStore = getCacheDir()
+
+	ErrNotImplemented       = errors.New("feature is currently not supported")
+	ErrNotFound             = errors.New("name not found")
+	ErrNameRequired         = errors.New("missing required input framework name")
+	ErrIDRequired           = errors.New("missing required input control ID")
+	ErrFrameworkNotMatching = errors.New("framework from file not matching")
+	ErrControlNotMatching   = errors.New("framework from file not matching")
+
+	_ IPolicyGetter     = &LoadPolicy{}
+	_ IExceptionsGetter = &LoadPolicy{}
+)

 func getCacheDir() string {
 	defaultDirPath := ".kubescape"
@@ -25,11 +37,12 @@ func getCacheDir() string {
 	return defaultDirPath
 }

-// Load policies from a local repository
+// LoadPolicy loads policies from a local repository.
 type LoadPolicy struct {
 	filePaths []string
 }

+// NewLoadPolicy builds a LoadPolicy.
 func NewLoadPolicy(filePaths []string) *LoadPolicy {
 	return &LoadPolicy{
 		filePaths: filePaths,
@@ -38,122 +51,210 @@ func NewLoadPolicy(filePaths []string) *LoadPolicy {

 // GetControl returns a control from the policy file.
 func (lp *LoadPolicy) GetControl(controlID string) (*reporthandling.Control, error) {
-	control := &reporthandling.Control{}
-	filePath := lp.filePath()
+	if controlID == "" {
+		return nil, ErrIDRequired
+	}

-	f, err := os.ReadFile(filePath)
+	// NOTE: this assumes that only the first path contains either a valid control descriptor or a framework descriptor
+	filePath := lp.filePath()
+	buf, err := os.ReadFile(filePath)
 	if err != nil {
 		return nil, err
 	}

-	if err = json.Unmarshal(f, control); err != nil {
-		return control, err
+	// check if the file is a control descriptor: a ControlID field is populated.
+	var control reporthandling.Control
+	if err = json.Unmarshal(buf, &control); err == nil && control.ControlID != "" {
+		if strings.EqualFold(controlID, control.ControlID) {
+			return &control, nil
+		}
+
+		return nil, fmt.Errorf("controlID: %s: %w", controlID, ErrControlNotMatching)
 	}

-	if controlID == "" || strings.EqualFold(controlID, control.ControlID) {
-		return control, nil
-	}
-
-	framework, err := lp.GetFramework(control.Name)
-	if err != nil {
-		return nil, fmt.Errorf("control from file not matching")
+	// check if the file is a framework descriptor
+	var framework reporthandling.Framework
+	if err = json.Unmarshal(buf, &framework); err != nil {
+		return nil, err
 	}

 	for _, toPin := range framework.Controls {
 		ctrl := toPin
-		if strings.EqualFold(ctrl.ControlID, controlID) {
-			control = &ctrl

-			break
+		if strings.EqualFold(ctrl.ControlID, controlID) {
+			return &ctrl, nil
 		}
 	}

-	return control, nil
+	return nil, fmt.Errorf("controlID: %s: %w", controlID, ErrControlNotMatching)
 }

-// GetFramework retrieves a framework configuration from the policy.
+// GetFramework retrieves a framework configuration from the policy paths.
 func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
 	if frameworkName == "" {
-		return &reporthandling.Framework{}, nil
+		return nil, ErrNameRequired
 	}

 	for _, filePath := range lp.filePaths {
-		f, err := os.ReadFile(filePath)
+		buf, err := os.ReadFile(filePath)
 		if err != nil {
 			return nil, err
 		}

-		var fw reporthandling.Framework
-		if err = json.Unmarshal(f, &fw); err != nil {
+		var framework reporthandling.Framework
+		if err = json.Unmarshal(buf, &framework); err != nil {
 			return nil, err
 		}

-		if strings.EqualFold(frameworkName, fw.Name) {
-			return &fw, nil
+		if strings.EqualFold(frameworkName, framework.Name) {
+			return &framework, nil
 		}
 	}

-	return nil, fmt.Errorf("framework from file not matching")
+	return nil, fmt.Errorf("framework: %s: %w", frameworkName, ErrFrameworkNotMatching)
 }

+// GetFrameworks returns all configured framework descriptors.
 func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
-	frameworks := []reporthandling.Framework{}
-	var err error
-	return frameworks, err
-}
-
-func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
-	fwNames := []string{}
-	framework := &reporthandling.Framework{}
+	frameworks := make([]reporthandling.Framework, 0, 10)
+	seenFws := make(map[string]struct{})

 	for _, f := range lp.filePaths {
-		file, err := os.ReadFile(f)
-		if err == nil {
-			if err := json.Unmarshal(file, framework); err == nil {
-				if !contains(fwNames, framework.Name) {
-					fwNames = append(fwNames, framework.Name)
-				}
-			}
+		buf, err := os.ReadFile(f)
+		if err != nil {
+			return nil, err
 		}
+
+		var framework reporthandling.Framework
+		if err = json.Unmarshal(buf, &framework); err != nil {
+			// ignore invalid framework files
+			continue
+		}
+
+		// dedupe
+		_, alreadyLoaded := seenFws[framework.Name]
+		if alreadyLoaded {
+			continue
+		}
+
+		seenFws[framework.Name] = struct{}{}
+		frameworks = append(frameworks, framework)
 	}

-	return fwNames, nil
+	return frameworks, nil
 }

+// ListFrameworks lists the names of all configured frameworks in this policy.
+func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
+	frameworkNames := make([]string, 0, 10)
+
+	for _, f := range lp.filePaths {
+		buf, err := os.ReadFile(f)
+		if err != nil {
+			return nil, err
+		}
+
+		var framework reporthandling.Framework
+		if err := json.Unmarshal(buf, &framework); err != nil {
+			continue
+		}
+
+		if contains(frameworkNames, framework.Name) {
+			continue
+		}
+
+		frameworkNames = append(frameworkNames, framework.Name)
+	}
+
+	return frameworkNames, nil
+}
+
+// ListControls returns the list of controls for this framework.
+//
+// At this moment, controls are listed for one single configured framework.
 func (lp *LoadPolicy) ListControls() ([]string, error) {
-	// TODO - Support
-	return []string{}, fmt.Errorf("loading controls list from file is not supported")
-}
-
-func (lp *LoadPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	controlIDs := make([]string, 0, 100)
 	filePath := lp.filePath()
-	exception := []armotypes.PostureExceptionPolicy{}
-	f, err := os.ReadFile(filePath)
+	buf, err := os.ReadFile(filePath)
 	if err != nil {
 		return nil, err
 	}

-	err = json.Unmarshal(f, &exception)
+	var framework reporthandling.Framework
+	if err = json.Unmarshal(buf, &framework); err != nil {
+		return nil, err
+	}
+
+	for _, ctrl := range framework.Controls {
+		controlIDs = append(controlIDs, ctrl.ControlID)
+	}
+
+	return controlIDs, nil
+}
+
+// GetExceptions retrieves configured exceptions.
+//
+// NOTE: the cluster parameter is not used at this moment.
+func (lp *LoadPolicy) GetExceptions(_ /* clusterName */ string) ([]armotypes.PostureExceptionPolicy, error) {
+	// NOTE: this assumes that the first path contains a valid exceptions descriptor
+	filePath := lp.filePath()
+
+	buf, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	exception := make([]armotypes.PostureExceptionPolicy, 0, 300)
+	err = json.Unmarshal(buf, &exception)
+
 	return exception, err
 }

-func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
+// GetControlsInputs retrieves the map of control configs.
+//
+// NOTE: the cluster parameter is not used at this moment.
+func (lp *LoadPolicy) GetControlsInputs(_ /* clusterName */ string) (map[string][]string, error) {
+	// NOTE: this assumes that only the first path contains a valid control inputs descriptor
 	filePath := lp.filePath()
-	accountConfig := &armotypes.CustomerConfig{}
-	f, err := os.ReadFile(filePath)
 	fileName := filepath.Base(filePath)
+
+	buf, err := os.ReadFile(filePath)
 	if err != nil {
-		formattedError := fmt.Errorf("Error opening %s file, \"controls-config\" will be downloaded from ARMO management portal", fileName)
+		formattedError := fmt.Errorf(
+			`Error opening %s file, "controls-config" will be downloaded from ARMO management portal`,
+			fileName,
+		)
+
 		return nil, formattedError
 	}

-	if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil {
-		return accountConfig.Settings.PostureControlInputs, nil
+	controlInputs := make(map[string][]string, 100) // from armotypes.Settings.PostureControlInputs
+	if err = json.Unmarshal(buf, &controlInputs); err != nil {
+		formattedError := fmt.Errorf(
+			`Error reading %s file, %v, "controls-config" will be downloaded from ARMO management portal`,
+			fileName, err,
+		)
+
+		return nil, formattedError
 	}

-	formattedError := fmt.Errorf("Error reading %s file, %s, \"controls-config\" will be downloaded from ARMO management portal", fileName, err.Error())
+	return controlInputs, nil
+}

-	return nil, formattedError
+// GetAttackTracks yields the attack tracks from a config file.
+func (lp *LoadPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	attackTracks := make([]v1alpha1.AttackTrack, 0, 20)
+
+	buf, err := os.ReadFile(lp.filePath())
+	if err != nil {
+		return nil, err
+	}
+
+	if err = json.Unmarshal(buf, &attackTracks); err != nil {
+		return nil, err
+	}
+
+	return attackTracks, nil
 }

 // temporary support for a list of files
@@ -163,18 +264,3 @@ func (lp *LoadPolicy) filePath() string {
 	}
 	return ""
 }
-
-func (lp *LoadPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
-	attackTracks := []v1alpha1.AttackTrack{}
-
-	f, err := os.ReadFile(lp.filePath())
-
-	if err != nil {
-		return nil, err
-	}
-
-	if err := json.Unmarshal(f, &attackTracks); err != nil {
-		return nil, err
-	}
-	return attackTracks, nil
-}
--- a/core/cautils/getter/loadpolicy_test.go
+++ b/core/cautils/getter/loadpolicy_test.go
@@ -2,6 +2,7 @@ package getter

 import (
 	"fmt"
+	"os"
 	"path/filepath"
 	"testing"

@@ -14,14 +15,13 @@ func MockNewLoadPolicy() *LoadPolicy {
 	}
 }

-func testFrameworkFile(framework string) string {
-	return filepath.Join(".", "testdata", fmt.Sprintf("%s.json", framework))
-}
-
 func TestLoadPolicy(t *testing.T) {
 	t.Parallel()

-	const testFramework = "MITRE"
+	const (
+		testFramework = "MITRE"
+		testControl   = "C-0053"
+	)

 	t.Run("with GetFramework", func(t *testing.T) {
 		t.Run("should retrieve named framework", func(t *testing.T) {
@@ -44,16 +44,13 @@ func TestLoadPolicy(t *testing.T) {
 			require.Nil(t, fw)
 		})

-		t.Run("edge case: should return empty framework", func(t *testing.T) {
-			// NOTE(fredbi): this edge case corresponds to the original working of GetFramework.
-			// IMHO, this is a bad request call and it should return an error.
+		t.Run("edge case: should error on empty framework", func(t *testing.T) {
 			t.Parallel()

 			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
 			fw, err := p.GetFramework("")
-			require.NoError(t, err)
-			require.NotNil(t, fw)
-			require.Empty(t, *fw)
+			require.ErrorIs(t, err, ErrNameRequired)
+			require.Nil(t, fw)
 		})

 		t.Run("edge case: corrupted json", func(t *testing.T) {
@@ -77,11 +74,10 @@ func TestLoadPolicy(t *testing.T) {
 	})

 	t.Run("with GetControl", func(t *testing.T) {
-		t.Run("should retrieve named control", func(t *testing.T) {
+		t.Run("should retrieve named control from framework", func(t *testing.T) {
 			t.Parallel()

 			const (
-				testControl         = "C-0053"
 				expectedControlName = "Access container service account"
 			)
 			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
@@ -93,15 +89,44 @@ func TestLoadPolicy(t *testing.T) {
 			require.Equal(t, expectedControlName, ctrl.Name)
 		})

-		t.Run("should fail to retrieve named control", func(t *testing.T) {
-			// NOTE(fredbi): IMHO, this case should bubble up an error
-			t.Parallel()
+		t.Run("with single control descriptor", func(t *testing.T) {
+			const (
+				singleControl       = "C-0001"
+				expectedControlName = "Forbidden Container Registries"
+			)

-			const testControl = "wrong"
-			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
-			ctrl, err := p.GetControl(testControl)
-			require.NoError(t, err)
-			require.NotNil(t, ctrl) // no error, but still don't get the requested control...
+			t.Run("should retrieve named control from control descriptor", func(t *testing.T) {
+				t.Parallel()
+
+				p := NewLoadPolicy([]string{testFrameworkFile(singleControl)})
+				ctrl, err := p.GetControl(singleControl)
+				require.NoError(t, err)
+				require.NotNil(t, ctrl)
+
+				require.Equal(t, singleControl, ctrl.ControlID)
+				require.Equal(t, expectedControlName, ctrl.Name)
+			})
+
+			t.Run("should fail to retrieve named control from control descriptor", func(t *testing.T) {
+				t.Parallel()
+
+				p := NewLoadPolicy([]string{testFrameworkFile(singleControl)})
+				ctrl, err := p.GetControl("wrong")
+				require.Error(t, err)
+				require.Nil(t, ctrl)
+			})
+		})
+
+		t.Run("with framework descriptor", func(t *testing.T) {
+			t.Run("should fail to retrieve named control", func(t *testing.T) {
+				t.Parallel()
+
+				const testControl = "wrong"
+				p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+				ctrl, err := p.GetControl(testControl)
+				require.ErrorIs(t, err, ErrControlNotMatching)
+				require.Nil(t, ctrl)
+			})
 		})

 		t.Run("edge case: corrupted json", func(t *testing.T) {
@@ -122,32 +147,54 @@ func TestLoadPolicy(t *testing.T) {
 			require.Error(t, err)
 		})

-		t.Run("edge case: should return empty control", func(t *testing.T) {
-			// NOTE(fredbi): this edge case corresponds to the original working of GetFramework.
-			// IMHO, this is a bad request call and it should return an error.
+		t.Run("edge case: should error on empty control", func(t *testing.T) {
 			t.Parallel()

 			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
 			ctrl, err := p.GetControl("")
-			require.NoError(t, err)
-			require.NotNil(t, ctrl)
+			require.ErrorIs(t, err, ErrIDRequired)
+			require.Nil(t, ctrl)
 		})
 	})

-	t.Run("ListFrameworks should return all frameworks in the policy path", func(t *testing.T) {
-		t.Parallel()
+	t.Run("with ListFrameworks", func(t *testing.T) {
+		t.Run("should return all frameworks in the policy path", func(t *testing.T) {
+			t.Parallel()

-		const extraFramework = "NSA"
-		p := NewLoadPolicy([]string{
-			testFrameworkFile(testFramework),
-			testFrameworkFile(extraFramework),
+			const (
+				extraFramework = "NSA"
+				attackTracks   = "attack-tracks"
+			)
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(extraFramework), // should  be deduped
+				testFrameworkFile(attackTracks),   // should be ignored
+			})
+			fws, err := p.ListFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+
+			require.Equal(t, testFramework, fws[0])
+			require.Equal(t, extraFramework, fws[1])
 		})
-		fws, err := p.ListFrameworks()
-		require.NoError(t, err)
-		require.Len(t, fws, 2)

-		require.Equal(t, testFramework, fws[0])
-		require.Equal(t, extraFramework, fws[1])
+		t.Run("should fail on file error", func(t *testing.T) {
+			t.Parallel()
+
+			const (
+				extraFramework = "NSA"
+				nowhere        = "nowheretobeseen"
+			)
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(nowhere), // should raise an error
+			})
+			fws, err := p.ListFrameworks()
+			require.Error(t, err)
+			require.Nil(t, fws)
+		})
 	})

 	t.Run("edge case: policy without path", func(t *testing.T) {
@@ -157,20 +204,183 @@ func TestLoadPolicy(t *testing.T) {
 		require.Empty(t, p.filePath())
 	})

-	t.Run("GetFrameworks is currently stubbed", func(t *testing.T) {
-		t.Parallel()
+	t.Run("with GetFrameworks", func(t *testing.T) {
+		const extraFramework = "NSA"

-		p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
-		fws, err := p.GetFrameworks()
-		require.NoError(t, err)
-		require.Empty(t, fws)
+		t.Run("should return all configured frameworks", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+			})
+			fws, err := p.GetFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+
+			require.Equal(t, testFramework, fws[0].Name)
+			require.Equal(t, extraFramework, fws[1].Name)
+		})
+
+		t.Run("should return dedupe configured frameworks", func(t *testing.T) {
+			t.Parallel()
+
+			const attackTracks = "attack-tracks"
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(attackTracks), // should be ignored
+			})
+			fws, err := p.GetFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+
+			require.Equal(t, testFramework, fws[0].Name)
+			require.Equal(t, extraFramework, fws[1].Name)
+		})
 	})

-	t.Run("ListControls is currently unsupported", func(t *testing.T) {
-		t.Parallel()
+	t.Run("with ListControls", func(t *testing.T) {
+		t.Run("should return controls", func(t *testing.T) {
+			t.Parallel()

-		p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
-		_, err := p.ListControls()
-		require.Error(t, err)
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			controlIDs, err := p.ListControls()
+			require.NoError(t, err)
+			require.Greater(t, len(controlIDs), 0)
+			require.Equal(t, testControl, controlIDs[0])
+		})
+	})
+
+	t.Run("with GetAttackTracks", func(t *testing.T) {
+		t.Run("should return attack tracks", func(t *testing.T) {
+			t.Parallel()
+
+			const attackTracks = "attack-tracks"
+			p := NewLoadPolicy([]string{testFrameworkFile(attackTracks)})
+			tracks, err := p.GetAttackTracks()
+			require.NoError(t, err)
+			require.Greater(t, len(tracks), 0)
+
+			for _, track := range tracks {
+				require.Equal(t, "AttackTrack", track.Kind)
+			}
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidTracks = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidTracks)})
+			_, err := p.GetAttackTracks()
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidTracks = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidTracks)})
+			_, err := p.GetAttackTracks()
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("with GetControlsInputs", func(t *testing.T) {
+		const cluster = "dummy" // unused parameter at the moment
+
+		t.Run("should return control inputs for a cluster", func(t *testing.T) {
+			t.Parallel()
+
+			fixture, expected := writeTempJSONControlInputs(t)
+			t.Cleanup(func() {
+				_ = os.Remove(fixture)
+			})
+
+			p := NewLoadPolicy([]string{fixture})
+			inputs, err := p.GetControlsInputs(cluster)
+			require.NoError(t, err)
+			require.EqualValues(t, expected, inputs)
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetControlsInputs(cluster)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetControlsInputs(cluster)
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("with GetExceptions", func(t *testing.T) {
+		const cluster = "dummy" // unused parameter at the moment
+
+		t.Run("should return exceptions", func(t *testing.T) {
+			t.Parallel()
+
+			const exceptions = "exceptions"
+
+			p := NewLoadPolicy([]string{testFrameworkFile(exceptions)})
+			exceptionPolicies, err := p.GetExceptions(cluster)
+			require.NoError(t, err)
+
+			require.Greater(t, len(exceptionPolicies), 0)
+			t.Logf("len=%d", len(exceptionPolicies))
+			for _, policy := range exceptionPolicies {
+				require.NotEmpty(t, policy.Name)
+			}
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetExceptions(cluster)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetExceptions(cluster)
+			require.Error(t, err)
+		})
 	})
 }
+
+func testFrameworkFile(framework string) string {
+	return filepath.Join(".", "testdata", fmt.Sprintf("%s.json", framework))
+}
+
+func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) {
+	fileName := testFrameworkFile("control-inputs")
+	mock := map[string][]string{
+		"key1": {
+			"val1", "val2",
+		},
+		"key2": {
+			"val3", "val4",
+		},
+	}
+
+	buf, err := json.Marshal(mock)
+	require.NoError(t, err)
+
+	require.NoError(t, os.WriteFile(fileName, buf, 0600))
+
+	return fileName, mock
+}
--- a/core/cautils/getter/testdata/C-0001.json
+++ b/core/cautils/getter/testdata/C-0001.json
@@ -0,0 +1,85 @@
+{
+  "guid": "",
+  "name": "Forbidden Container Registries",
+  "attributes": {
+    "armoBuiltin": true,
+    "attackTracks": [
+      {
+        "attackTrack": "container",
+        "categories": [
+          "Initial access"
+        ]
+      }
+    ],
+    "controlTypeTags": [
+      "security",
+      "compliance"
+    ],
+    "microsoftMitreColumns": [
+      "Initial Access"
+    ]
+  },
+  "id": "C-0001",
+  "controlID": "C-0001",
+  "creationTime": "",
+  "description": "In cases where the Kubernetes cluster is provided by a CSP (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to the cluster takeover. Attackers may abuse cloud account credentials or IAM mechanism to the cluster’s management layer.",
+  "remediation": "Limit the registries from which you pull container images from",
+  "rules": [
+    {
+      "guid": "",
+      "name": "rule-identify-blocklisted-image-registries",
+      "attributes": {
+        "armoBuiltin": true,
+        "m$K8sThreatMatrix": "Initial Access::Compromised images in registry"
+      },
+      "creationTime": "",
+      "rule": "package armo_builtins\nimport data\n# Check for images from blocklisted repos\n\nuntrustedImageRepo[msga] {\n\tpod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tpath := sprintf(\"spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n    untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n         \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n    }\n}\n\nuntrustedImageRepo[msga] {\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n    untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n         \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n    }\n}\n\nuntrustedImageRepo[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tpath := sprintf(\"spec.jobTemplate.spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n    untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n        \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n    }\n}\n\nuntrusted_or_public_registries(image){\n\t# see default-config-inputs.json for list values\n\tuntrusted_registries := data.postureControlInputs.untrustedRegistries\n\trepo_prefix := untrusted_registries[_]\n\tstartswith(image, repo_prefix)\n}\n\nuntrusted_or_public_registries(image){\n\t# see default-config-inputs.json for list values\n\tpublic_registries := data.postureControlInputs.publicRegistries\n\trepo_prefix := public_registries[_]\n\tstartswith(image, repo_prefix)\n}",
+      "resourceEnumerator": "",
+      "ruleLanguage": "Rego",
+      "match": [
+        {
+          "apiGroups": [
+            "*"
+          ],
+          "apiVersions": [
+            "*"
+          ],
+          "resources": [
+            "Pod",
+            "Deployment",
+            "ReplicaSet",
+            "DaemonSet",
+            "StatefulSet",
+            "Job",
+            "CronJob"
+          ]
+        }
+      ],
+      "ruleDependencies": [],
+      "configInputs": [
+        "settings.postureControlInputs.publicRegistries",
+        "settings.postureControlInputs.untrustedRegistries"
+      ],
+      "controlConfigInputs": [
+        {
+          "path": "settings.postureControlInputs.publicRegistries",
+          "name": "Public registries",
+          "description": "Kubescape checks none of these public registries are in use."
+        },
+        {
+          "path": "settings.postureControlInputs.untrustedRegistries",
+          "name": "Registries block list",
+          "description": "Kubescape checks none of the following registries are in use."
+        }
+      ],
+      "description": "Identifying if pod container images are from unallowed registries",
+      "remediation": "Use images from safe registry",
+      "ruleQuery": "",
+      "relevantCloudProviders": null
+    }
+  ],
+  "rulesIDs": [
+    ""
+  ],
+  "baseScore": 7
+}
--- a/core/cautils/getter/testdata/attack-tracks.json
+++ b/core/cautils/getter/testdata/attack-tracks.json
@@ -0,0 +1,136 @@
+[
+  {
+    "apiVersion": "regolibrary.kubescape/v1alpha1",
+    "kind": "AttackTrack",
+    "metadata": {
+      "name": "node"
+    },
+    "spec": {
+      "data": {
+        "name": "Initial access",
+        "subSteps": [
+          {
+            "name": "Execution",
+            "subSteps": [
+              {
+                "name": "Persistence"
+              },
+              {
+                "name": "Credential access"
+              },
+              {
+                "name": "Defense evasion"
+              },
+              {
+                "name": "Discovery"
+              },
+              {
+                "name": "Lateral movement"
+              },
+              {
+                "name": "Impact - data theft"
+              },
+              {
+                "name": "Impact - data destruction"
+              },
+              {
+                "name": "Impact - service injection"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  },
+  {
+    "apiVersion": "regolibrary.kubescape/v1alpha1",
+    "kind": "AttackTrack",
+    "metadata": {
+      "name": "kubeapi"
+    },
+    "spec": {
+      "data": {
+        "name": "Initial access",
+        "subSteps": [
+          {
+            "name": "Persistence"
+          },
+          {
+            "name": "Privilege escalation"
+          },
+          {
+            "name": "Credential access"
+          },
+          {
+            "name": "Discovery"
+          },
+          {
+            "name": "Lateral movement"
+          },
+          {
+            "name": "Defense evasion"
+          },
+          {
+            "name": "Impact - data destruction"
+          },
+          {
+            "name": "Impact - service injection"
+          }
+        ]
+      }
+    }
+  },
+  {
+    "apiVersion": "regolibrary.kubescape/v1alpha1",
+    "kind": "AttackTrack",
+    "metadata": {
+      "name": "container"
+    },
+    "spec": {
+      "data": {
+        "name": "Initial access",
+        "subSteps": [
+          {
+            "name": "Execution",
+            "subSteps": [
+              {
+                "name": "Privilege escalation"
+              },
+              {
+                "name": "Credential access",
+                "subSteps": [
+                  {
+                    "name": "Impact - service access"
+                  },
+                  {
+                    "name": "Impact - K8s API access",
+                    "subSteps": [
+                      {
+                        "name": "Defense evasion - KubeAPI"
+                      }
+                    ]
+                  }
+                ]
+              },
+              {
+                "name": "Discovery"
+              },
+              {
+                "name": "Lateral movement"
+              },
+              {
+                "name": "Impact - Data access in container"
+              },
+              {
+                "name": "Persistence"
+              }
+            ]
+          },
+          {
+            "name": "Impact - service destruction"
+          }
+        ]
+      }
+    }
+  }
+]
--- a/core/cautils/getter/testdata/exceptions.json
+++ b/core/cautils/getter/testdata/exceptions.json
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/go-git/go-git/v5 v5.5.2
 	github.com/google/uuid v1.3.0
 	github.com/johnfercher/maroto v0.37.0
+	github.com/json-iterator/go v1.1.12
 	github.com/kubescape/go-git-url v0.0.21
 	github.com/kubescape/go-logger v0.0.6
 	github.com/kubescape/k8s-interface v0.0.94-0.20221228202834-4b64f2440950
@@ -127,7 +128,6 @@ require (
 	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jung-kurt/gofpdf v1.16.2 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect