From 298f8346e90355cb48c7e5bae054d766cc42a964 Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Thu, 15 Dec 2022 17:13:14 +0200
Subject: [PATCH 1/5] validate downloaded framework
---
 core/pkg/policyhandler/handlepullpolicies.go | 4 +-
 .../policyhandler/handlepullpolicies_test.go | 23 ---------
 .../policyhandler/handlepullpoliciesutils.go | 14 ++++++
 .../handlepullpoliciesutils_test.go | 48 +++++++++++++++++++
 4 files changed, 65 insertions(+), 24 deletions(-)
 delete mode 100644 core/pkg/policyhandler/handlepullpolicies_test.go
 create mode 100644 core/pkg/policyhandler/handlepullpoliciesutils_test.go
diff --git a/core/pkg/policyhandler/handlepullpolicies.go b/core/pkg/policyhandler/handlepullpolicies.go
index 9915e05f..bfaa7e72 100644
--- a/core/pkg/policyhandler/handlepullpolicies.go
+++ b/core/pkg/policyhandler/handlepullpolicies.go
@@ -60,9 +60,11 @@ func (policyHandler *PolicyHandler) getScanPolicies(policyIdentifier []cautils.P
 if err != nil {
 return frameworks, policyDownloadError(err)
 }
+ if err := validateFramework(receivedFramework); err != nil {
+ return frameworks, err
+ }
 if receivedFramework != nil {
 frameworks = append(frameworks, *receivedFramework)
-
 cache := getter.GetDefaultPath(rule.Name + ".json")
 if err := getter.SaveInFile(receivedFramework, cache); err != nil {
 logger.L().Warning("failed to cache file", helpers.String("file", cache), helpers.Error(err))
diff --git a/core/pkg/policyhandler/handlepullpolicies_test.go b/core/pkg/policyhandler/handlepullpolicies_test.go
deleted file mode 100644
index d1118182..00000000
--- a/core/pkg/policyhandler/handlepullpolicies_test.go
+++ /dev/null
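Review bot: The `if receivedFramework != nil {` guard that follows the new validation can no longer be false, because validateFramework already returns an error for a nil framework, so the guard is now dead and could be dropped or the nil handling kept in one place. The validation error is also returned bare, while the download error three lines above goes through policyDownloadError; since rule.Name is in scope on the cache line, `return frameworks, fmt.Errorf("framework %q: %w", rule.Name, err)` would tell the operator which requested framework failed validation (this assumes fmt is imported in the file, which the hunk does not show). The enclosing getScanPolicies starts and ends outside the hunk.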
@@ -1,23 +0,0 @@
-package policyhandler
-
-// func TestGetPoliciesFromBackend(t *testing.T) {
-// notification := reporthandling.PolicyNotification{
-// Rules: []reporthandling.PolicyIdentifier{
-// {
-// Kind: reporthandling.KindFramework,
-// Name: "mitretest",
-// },
-// },
-// }
-// // os.Setenv(cacli., "")
-// ph := PolicyHandler{
-// cacli: &cacli.Cacli{},
-// }
-// f, err := ph.GetPoliciesFromBackend(¬ification)
-// if err != nil {
-// t.Error(err)
-// }
-// if len(f) == 0 {
-// t.Errorf("empty")
-// }
-// }
diff --git a/core/pkg/policyhandler/handlepullpoliciesutils.go b/core/pkg/policyhandler/handlepullpoliciesutils.go
index 4e109e8a..551f19d5 100644
--- a/core/pkg/policyhandler/handlepullpoliciesutils.go
+++ b/core/pkg/policyhandler/handlepullpoliciesutils.go
@@ -5,6 +5,7 @@ import (
 "strings"
 apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+ "github.com/kubescape/opa-utils/reporthandling"
 "github.com/kubescape/kubescape/v2/core/cautils"
 )
@@ -21,3 +22,16 @@ func policyDownloadError(err error) error {
 }
 return err
 }
+
+// validate the framework
+func validateFramework(framework *reporthandling.Framework) error {
+ if framework == nil {
+ return fmt.Errorf("received empty framework")
+ }
+
+ // validate the controls are not empty
+ if len(framework.Controls) == 0 {
+ return fmt.Errorf("failed to load controls for framework: %s: empty list of controls", framework.Name)
+ }
+ return nil
+}
diff --git a/core/pkg/policyhandler/handlepullpoliciesutils_test.go b/core/pkg/policyhandler/handlepullpoliciesutils_test.go
new file mode 100644
index 00000000..453ee5ac
--- /dev/null
+++ b/core/pkg/policyhandler/handlepullpoliciesutils_test.go
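Review bot: The doc comment `// validate the framework` on the new validateFramework should start with the identifier, per Go convention, and say why the check exists, e.g. `// validateFramework rejects a downloaded framework that is nil or has no controls, so a malformed or empty download cannot silently produce a scan with zero checks.` The nil branch builds its error with `fmt.Errorf("received empty framework")` although the string has no format verbs; `errors.New("received empty framework")` is the idiomatic form (it would need an errors import, which this hunk does not show). The check also accepts a framework whose Name is empty, in which case the second message renders as `failed to load controls for framework: : empty list of controls`; if the backend is expected to always populate Name, validating it here as well would make the error actionable.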
@@ -0,0 +1,48 @@
+package policyhandler
+
+import (
+ "testing"
+
+ "github.com/kubescape/opa-utils/reporthandling"
+)
+
+func Test_validateFramework(t *testing.T) {
+ type args struct {
+ framework *reporthandling.Framework
+ }
+ tests := []struct {
+ name string
+ args args
+ wantErr bool
+ }{
+ {
+ name: "empty framework",
+ args: args{
+ framework: &reporthandling.Framework{
+ Controls: []reporthandling.Control{},
+ },
+ },
+ wantErr: true,
+ },
+ {
+ name: "none empty framework",
+ args: args{
+ framework: &reporthandling.Framework{
+ Controls: []reporthandling.Control{
+ {
+ ControlID: "c-0001",
+ },
+ },
+ },
+ },
+ wantErr: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if err := validateFramework(tt.args.framework); (err != nil) != tt.wantErr {
+ t.Errorf("validateControls() error = %v, wantErr %v", err, tt.wantErr)
+ }
+ })
+ }
+}
From b1392361f86930524d8ae58000f2e3b7d003c3f3 Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Sun, 18 Dec 2022 13:42:58 +0200
Subject: [PATCH 2/5] remove emoji from display
---
 cmd/scan/framework.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/cmd/scan/framework.go b/cmd/scan/framework.go
index edb3bb55..ba11a3ff 100644
--- a/cmd/scan/framework.go
+++ b/cmd/scan/framework.go
@@ -16,7 +16,6 @@ import (
 "github.com/kubescape/kubescape/v2/core/cautils"
 "github.com/kubescape/kubescape/v2/core/meta"
- "github.com/enescakir/emoji"
 "github.com/spf13/cobra"
 )
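Review bot: The failure message on the t.Errorf line names the wrong function, printing `validateControls()` while the function under test is validateFramework; it should read `t.Errorf("validateFramework() error = %v, wantErr %v", err, tt.wantErr)`. The table has no case for the nil branch that validateFramework checks first, so that path is untested; adding `{name: "nil framework", args: args{framework: nil}, wantErr: true},` covers it. The second case's name `"none empty framework"` is presumably meant to be `"non-empty framework"`.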
@@ -113,7 +112,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 logger.L().Fatal(err.Error())
 }
 if !scanInfo.VerboseMode {
- cautils.SimpleDisplay(os.Stderr, "%s Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+ cautils.SimpleDisplay(os.Stderr, "Run with '--verbose'/'-v' flag for detailed resources view\n\n")
 }
 if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
From a53375204e0109eb3801cf403a033329c3a025ec Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Sun, 18 Dec 2022 13:44:12 +0200
Subject: [PATCH 3/5] remove --verbose flag from default
---
 install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install.sh b/install.sh
index 213860c9..9b180dd7 100755
--- a/install.sh
+++ b/install.sh
@@ -66,6 +66,6 @@ echo -e "\033[0m"
 $KUBESCAPE_EXEC version
 echo
-echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --enable-host-scan --verbose"
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --enable-host-scan"
 echo -e "\033[0m"
From 896a0699ec5b4ddb35a0bae367e991b6c95f995a Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Sun, 18 Dec 2022 13:45:43 +0200
Subject: [PATCH 4/5] remove image vuln warning
---
 core/pkg/resourcehandler/k8sresources.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/core/pkg/resourcehandler/k8sresources.go b/core/pkg/resourcehandler/k8sresources.go
index e1c42eab..72406c96 100644
--- a/core/pkg/resourcehandler/k8sresources.go
+++ b/core/pkg/resourcehandler/k8sresources.go
@@ -88,7 +88,6 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 logger.L().Info("Requesting images vulnerabilities results")
 cautils.StartSpinner()
 if err := k8sHandler.registryAdaptors.collectImagesVulnerabilities(k8sResourcesMap, allResources, ksResourceMap); err != nil {
- logger.L().Warning("failed to collect image vulnerabilities", helpers.Error(err), helpers.String("Read more here", "https://hub.armosec.io/docs/configuration-of-image-vulnerabilities"))
 cautils.SetInfoMapForResources(fmt.Sprintf("failed to pull image scanning data: %s. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities", err.Error()), imgVulnResources, sessionObj.InfoMap)
 } else {
 if isEmptyImgVulns(*ksResourceMap) {
From 967fc3fe816302c79aea1603a0c1360efe7b5cae Mon Sep 17 00:00:00 2001
From: David Wertenteil
Date: Mon, 19 Dec 2022 19:00:21 +0200
Subject: [PATCH 5/5] ignore resource if it is not found
---
 core/pkg/resultshandling/reporter/v2/reporteventreceiver.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go b/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go
index fc807904..eb08980b 100644
--- a/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go
+++ b/core/pkg/resultshandling/reporter/v2/reporteventreceiver.go
@@ -142,7 +142,7 @@ func (report *ReportEventReceiver) setResults(reportObj *reporthandlingv2.Postur
 // set result.RawResource
 resourceID := v.GetResourceID()
 if _, ok := allResources[resourceID]; !ok {
- return fmt.Errorf("expected to find raw resource object for '%s'", resourceID)
+ continue
 }
 resource := reporthandling.NewResourceIMetadata(allResources[resourceID])
 if r, ok := resourcesSource[resourceID]; ok {
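Review bot: Dropping the Warning leaves the image-vulnerability collection failure visible only through the cautils.SetInfoMapForResources call on the next line, so an operator reading the log no longer sees that vulnerability data was not collected or why; if the warning was too noisy, a lower-level entry such as `logger.L().Debug("failed to collect image vulnerabilities", helpers.Error(err))` keeps the cause diagnosable without the documentation link. This matters because a scan that completes with no image findings looks the same as one whose registry access failed, and only the log distinguishes them. The enclosing GetResources starts and ends outside the hunk.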
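Review bot: Replacing the error with `continue` silently drops every result whose raw resource is missing from allResources, and nothing records that a result was omitted from the posted report, so a report with fewer results than expected cannot be traced back to this branch. A log line before the `continue`, e.g. `logger.L().Debug("raw resource not found, skipping result", helpers.String("resourceID", resourceID))`, keeps the omission diagnosable; this assumes logger and helpers are imported in the file, which the hunk does not show. If the removed Errorf was the only use of fmt in this file, that import now needs removing as well. The enclosing setResults starts and ends outside the hunk.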