Merge pull request #106 from Juneezee/go1.17

build: upgrade to Go 1.17

.github/workflows/build.yaml

@@ -36,14 +36,15 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.17
       - name: Build
         env:
           RELEASE: v1.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.euprod1.cyberarmorsoft.com
+          ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
-        run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s -X github.com/armosec/kubescape/cmd.BuildNumber=$RELEASE -X github.com/armosec/kubescape/cautils/getter.ArmoBEURL=$ArmoBEServer -X github.com/armosec/kubescape/cautils/getter.ArmoERURL=$ArmoERServer -X github.com/armosec/kubescape/cautils/getter.ArmoFEURL=$ArmoWebsite" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
+          CGO_ENABLED: 0
+        run: python build.py
       
       - name: Upload Release binaries
         id: upload-release-asset

.github/workflows/build_dev.yaml

@@ -1,4 +1,4 @@
-name: build
+name: build-dev
 
 on:
   push:
@@ -19,13 +19,14 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.17
       - name: Build
         env:
           RELEASE: v1.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
           ArmoERServer: report.euprod1.cyberarmorsoft.com
           ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 0
         run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s -X github.com/armosec/kubescape/cmd.BuildNumber=$RELEASE -X github.com/armosec/kubescape/cautils/getter.ArmoBEURL=$ArmoBEServer -X github.com/armosec/kubescape/cautils/getter.ArmoERURL=$ArmoERServer -X github.com/armosec/kubescape/cautils/getter.ArmoFEURL=$ArmoWebsite" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
       
       - name: Upload build artifacts 

CONTRIBUTING.md

@@ -0,0 +1,99 @@
+# Contributing
+
+First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
+
+When contributing, we categorize contributions into two:
+* Small code changes or fixes, whose scope are limited to a single or two files
+* Complex features and improvements, whose are not limited
+
+If you have a small change, feel free to fire up a Pull Request.
+
+When planning a bigger change, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Pull Request Process
+
+1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
+   build.
+2. Update the README.md with details of changes to the interface, this includes new environment 
+   variables, exposed ports, useful file locations and container parameters.
+3. We will merge the Pull Request in once you have the sign-off.
+
+## Code of Conduct
+
+### Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+### Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+We will distance those who are constantly adhere to unacceptable behavior.
+
+### Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+### Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+### Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+### Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

README.md

@@ -3,21 +3,23 @@
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
 
-Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
 
 Use Kubescape to test clusters or scan single YAML files and integrate it to your processes. 
 
 <img src="docs/demo.gif">
 
 # TL;DR
-## Install & Run
-
-### Install:
+## Install:
 ```
 curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
 ```
 
-### Run:
+[Install on windows](#install-on-windows)
+
+[Install on macOS](#install-on-macos)
+
+## Run:
 ```
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```
@@ -26,8 +28,42 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
 
 <img src="docs/summary.png">
 
+### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀 
 
-### Flags
+# Being part of the team
+
+We invite you to our team! We are excited about this project and want to return the love we get. 
+
+Want to contribute? Want to discuss something? Have an issue?
+
+* Open a issue, we are trying to respond within 48 hours
+* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server! 
+
+[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
+
+# Options and examples
+
+## Install on Windows
+
+**Requires powershell v5.0+**
+
+``` powershell
+iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
+```
+
+Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
+
+``` powershell
+Set-ExecutionPolicy RemoteSigned -scope CurrentUser
+```
+
+## Install on macOS
+```
+brew tap armosec/kubescape
+brew install kubescape
+```
+
+## Flags
 
 | flag |  default | description | options |
 | --- | --- | --- | --- |
@@ -50,6 +86,12 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```
 
+
+* Scan a running Kubernetes cluster with [`mitre`](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/) framework
+```
+kubescape scan framework mitre --exclude-namespaces kube-system,kube-public
+```
+
 * Scan local `yaml`/`json` files before deploying
 ```
 kubescape scan framework nsa *.yaml
@@ -87,8 +129,7 @@ for example:
 ```
 helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
 ```
-
-### Offline Support <img src="docs/new-feature.svg">
+### Offline Support
 
 It is possible to run Kubescape offline!
 
@@ -104,14 +145,34 @@ kubescape download framework nsa --output nsa.json
 kubescape scan framework nsa --use-from nsa.json
 ```
 
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
 
 # How to build 
 
-Note: development (and the release process) is done with Go `1.16`
+## Build using python script
+
+Kubescpae can be built using:
+
+``` sh
+python build.py
+```
+
+Note: In order to built using the above script, one must set the environment
+variables in this script:
+
++ RELEASE
++ ArmoBEServer
++ ArmoERServer
++ ArmoWebsite
+
+
+## Build using go
+
+Note: development (and the release process) is done with Go `1.17`
 
 1. Clone Project
 ```
-git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 ```
 
 2. Build
@@ -126,11 +187,11 @@ go mod tidy && go build -o kubescape .
 
 4. Enjoy :zany_face:
 
-# How to build in Docker
+## How to build in Docker
 
 1. Clone Project
 ```
-git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 ```
 
 2. Build

build.py

@@ -0,0 +1,82 @@
+import os
+import sys
+import hashlib
+import platform
+import subprocess
+
+BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
+BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
+ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
+WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
+
+def checkStatus(status, msg):
+    if status != 0:
+        sys.stderr.write(msg)
+        exit(status)
+
+
+def getBuildDir():
+    currentPlatform = platform.system()
+    buildDir = "build/"
+
+    if currentPlatform == "Windows": buildDir += "windows-latest"
+    elif currentPlatform == "Linux": buildDir += "ubuntu-latest"
+    elif currentPlatform == "Darwin": buildDir += "macos-latest"
+    else: raise OSError("Platform %s is not supported!" % (currentPlatform))
+
+    return buildDir
+
+def getPackageName():
+    packageName = "kubescape"
+    # if platform.system() == "Windows": packageName += ".exe"
+
+    return packageName
+
+
+def main():
+    print("Building Kubescape")
+
+    # print environment variables
+    print(os.environ)
+
+    # Set some variables
+    packageName = getPackageName()
+    buildUrl = "github.com/armosec/kubescape/cmd.BuildNumber"
+    releaseVersion = os.getenv("RELEASE")
+    ArmoBEServer = os.getenv("ArmoBEServer")
+    ArmoERServer = os.getenv("ArmoERServer")
+    ArmoWebsite = os.getenv("ArmoWebsite")
+
+    # Create build directory
+    buildDir = getBuildDir()
+
+    if not os.path.isdir(buildDir):
+        os.makedirs(buildDir)
+
+    # Get dependencies
+    try:
+        status = subprocess.call(["go", "mod", "tidy"])
+        checkStatus(status, "Failed to get dependencies")
+
+    except OSError:
+        print("An error occured:  (Hint: check if go is installed)")
+        raise
+
+    # Build kubescape
+    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
+        % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
+           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
+    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
+    checkStatus(status, "Failed to build kubescape")
+
+
+    sha1 = hashlib.sha1()
+    with open(buildDir + "/" + packageName, "rb") as kube:
+        sha1.update(kube.read())
+        with open(buildDir + "/" + packageName + ".sha1", "w") as kube_sha:
+            kube_sha.write(sha1.hexdigest())
+
+    print("Build Done")
+
+if __name__ == "__main__":
+    main()

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.16-alpine as builder
+FROM golang:1.17-alpine as builder
 ENV GOPROXY=https://goproxy.io,direct
 ENV GO111MODULE=on
 
@@ -10,4 +10,7 @@ RUN GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w " -installsuffix cgo  -o k
 FROM alpine
 COPY --from=builder /work/kubescape /usr/bin/kubescape
 
+# # Download the frameworks. Use the "--use-default" flag when running kubescape 
+# RUN kubescape download framework nsa && kubescape download framework mitre
+
 CMD ["kubescape"]

cautils/apis/backendconnector.go

@@ -3,7 +3,7 @@ package apis
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 )
 
@@ -66,7 +66,7 @@ func BEHttpRequest(loginobj *LoginObject, beURL,
 		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

cautils/apis/backendconnectormethods.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 )
@@ -57,7 +57,7 @@ func (r *BackendConnector) Login() error {
 		return err
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return fmt.Errorf("unable to read login response")
 	}
@@ -120,7 +120,7 @@ func (r *BackendConnector) HTTPSend(httpverb string,
 		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

cautils/apis/login.go

@@ -2,11 +2,10 @@ package apis
 
 import (
 	"bytes"
+	"io"
 	"net/http"
 	"time"
 
-	"io/ioutil"
-
 	oidc "github.com/coreos/go-oidc"
 	uuid "github.com/satori/go.uuid"
 
@@ -231,7 +230,7 @@ func BELogin(loginDetails *CustomerLoginDetails, login string, cfg string) (*BEL
 		return nil, err
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

cautils/cautils/armometadata.go

@@ -3,7 +3,6 @@ package cautils
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -154,7 +153,7 @@ func LoadConfig(configPath string, loadToEnv bool) (*ClusterConfig, error) {
 		configPath = "/etc/config/clusterData.json"
 	}
 
-	dat, err := ioutil.ReadFile(configPath)
+	dat, err := os.ReadFile(configPath)
 	if err != nil || len(dat) == 0 {
 		return nil, fmt.Errorf("Config empty or not found. path: %s", configPath)
 	}

cautils/customerloader.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"strings"
@@ -73,12 +72,12 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, armoAPI *getter.ArmoAPI)
 	}
 }
 func createConfigJson() {
-	ioutil.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), nil, 0664)
+	os.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), nil, 0664)
 
 }
 
 func update(configObj *ConfigObj) {
-	ioutil.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), configObj.Json(), 0664)
+	os.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), configObj.Json(), 0664)
 }
 func (c *ClusterConfig) GenerateURL() {
 	u := url.URL{}
@@ -126,7 +125,7 @@ func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
 }
 
 func GetValueFromConfigJson(key string) (string, error) {
-	data, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+	data, err := os.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
 	if err != nil {
 		return "", err
 	}
@@ -141,7 +140,7 @@ func GetValueFromConfigJson(key string) (string, error) {
 }
 
 func SetKeyValueInConfigJson(key string, value string) error {
-	data, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+	data, err := os.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
 	if err != nil {
 		return err
 	}
@@ -157,7 +156,7 @@ func SetKeyValueInConfigJson(key string, value string) error {
 		return err
 	}
 
-	return ioutil.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), newData, 0664)
+	return os.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), newData, 0664)
 
 }
 
@@ -189,20 +188,20 @@ func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
 
 func (c *ClusterConfig) SetCustomerGUID() error {
 
-	// get from file
-	if existsConfigJson() {
-		c.configObj, _ = loadConfigFromFile()
-	} else if c.existsConfigMap() {
+	// get from configMap
+	if c.existsConfigMap() {
 		c.configObj, _ = c.loadConfigFromConfigMap()
+	} else if existsConfigJson() { // get from file
+		c.configObj, _ = loadConfigFromFile()
 	} else {
 		c.createConfigMap()
 		createConfigJson()
 	}
 
 	customerGUID := c.GetCustomerGUID()
+
 	// get from armoBE
 	tenantResponse, err := c.armoAPI.GetCustomerGUID(customerGUID)
-
 	if err == nil && tenantResponse != nil {
 		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
 			if existsConfigJson() {
@@ -222,7 +221,7 @@ func (c *ClusterConfig) SetCustomerGUID() error {
 			}
 		}
 	} else {
-		if err != nil && strings.Contains(err.Error(), "Invitation for tenant already exists") {
+		if err != nil && strings.Contains(err.Error(), "already exists") {
 			return nil
 		}
 		return err
@@ -251,7 +250,7 @@ func (c *ClusterConfig) existsConfigMap() bool {
 }
 
 func existsConfigJson() bool {
-	_, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+	_, err := os.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
 
 	return err == nil
 
@@ -300,7 +299,7 @@ func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
 	}
 }
 func loadConfigFromFile() (*ConfigObj, error) {
-	dat, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+	dat, err := os.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
 	if err != nil {
 		return nil, err
 	}

cautils/getter/downloadreleasedpolicy.go

@@ -3,7 +3,7 @@ package getter
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	"github.com/armosec/kubescape/cautils/opapolicy"
@@ -56,7 +56,7 @@ func (drp *DownloadReleasedPolicy) setURL(frameworkName string) error {
 		return fmt.Errorf("failed to download file, status code: %s", resp.Status)
 	}
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return fmt.Errorf("failed to read response body from '%s', reason: %s", latestReleases, err.Error())
 	}

cautils/getter/loadpolicy.go

@@ -3,7 +3,7 @@ package getter
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 
 	"github.com/armosec/kubescape/cautils/armotypes"
@@ -29,7 +29,7 @@ func NewLoadPolicy(filePath string) *LoadPolicy {
 func (lp *LoadPolicy) GetFramework(frameworkName string) (*opapolicy.Framework, error) {
 
 	framework := &opapolicy.Framework{}
-	f, err := ioutil.ReadFile(lp.filePath)
+	f, err := os.ReadFile(lp.filePath)
 	if err != nil {
 		return nil, err
 	}
@@ -44,7 +44,7 @@ func (lp *LoadPolicy) GetFramework(frameworkName string) (*opapolicy.Framework,
 func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 
 	exception := []armotypes.PostureExceptionPolicy{}
-	f, err := ioutil.ReadFile(lp.filePath)
+	f, err := os.ReadFile(lp.filePath)
 	if err != nil {
 		return nil, err
 	}

cautils/k8sinterface/cloudvendorregistrycreds.go

@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -105,7 +105,7 @@ func getAzureAADAccessToken() (string, error) {
 	}
 
 	// Pull out response body
-	responseBytes, err := ioutil.ReadAll(resp.Body)
+	responseBytes, err := io.ReadAll(resp.Body)
 	defer resp.Body.Close()
 	if err != nil {
 		return "", fmt.Errorf("reading response body : %v", err)
@@ -173,7 +173,7 @@ func excahngeAzureAADAccessTokenForACRRefreshToken(registry, tenantID, azureAADA
 	}
 
 	// Pull out response body
-	responseBytes, err := ioutil.ReadAll(resp.Body)
+	responseBytes, err := io.ReadAll(resp.Body)
 	defer resp.Body.Close()
 	if err != nil {
 		return "", fmt.Errorf("reading response body : %v", err)

cautils/k8sinterface/k8sconfig.go

@@ -104,13 +104,18 @@ func GetClusterName() string {
 }
 
 func GetDefaultNamespace() string {
+	defaultNamespace := "default"
 	clientCfg, err := clientcmd.NewDefaultClientConfigLoadingRules().Load()
 	if err != nil {
-		return "default"
+		return defaultNamespace
 	}
-	namespace := clientCfg.Contexts[clientCfg.CurrentContext].Namespace
-	if namespace == "" {
-		namespace = "default"
+	apiContext, ok := clientCfg.Contexts[clientCfg.CurrentContext]
+	if !ok || apiContext == nil {
+		return defaultNamespace
+	}
+	namespace := apiContext.Namespace
+	if apiContext.Namespace == "" {
+		namespace = defaultNamespace
 	}
 	return namespace
 }

cautils/k8sinterface/k8sdynamic_test.go

@@ -37,7 +37,7 @@ func NewKubernetesApiMock() *KubernetesApi {
 // 	} else {
 // 		bla, _ := json.Marshal(clientResource)
 // 		// t.Errorf("BearerToken: %v", *K8SConfig)
-// 		// ioutil.WriteFile("bla.json", bla, 777)
+// 		// os.WriteFile("bla.json", bla, 777)
 // 		t.Errorf("clientResource: %s", string(bla))
 // 	}
 // }

cautils/opapolicy/resources/resourcesutils.go

@@ -3,7 +3,6 @@ package resources
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -94,7 +93,7 @@ func LoadRegoFiles(dir string) map[string]string {
 	// Compile the module. The keys are used as identifiers in error messages.
 	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if err == nil && strings.HasSuffix(path, ".rego") && !info.IsDir() {
-			content, err := ioutil.ReadFile(path)
+			content, err := os.ReadFile(path)
 			if err != nil {
 				glog.Errorf("LoadRegoFiles, Failed to load: %s: %v", path, err)
 			} else {

cmd/framework.go

@@ -4,7 +4,6 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -23,7 +22,7 @@ import (
 )
 
 var scanInfo cautils.ScanInfo
-var supportedFrameworks = []string{"nsa"}
+var supportedFrameworks = []string{"nsa", "mitre"}
 
 type CLIHandler struct {
 	policyHandler *policyhandler.PolicyHandler
@@ -39,7 +38,7 @@ var frameworkCmd = &cobra.Command{
 		if len(args) < 1 && !(cmd.Flags().Lookup("use-from").Changed) {
 			return fmt.Errorf("requires at least one argument")
 		} else if len(args) > 0 {
-			if !isValidFramework(args[0]) {
+			if !isValidFramework(strings.ToLower(args[0])) {
 				return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(supportedFrameworks, ", ")))
 			}
 		}
@@ -50,13 +49,13 @@ var frameworkCmd = &cobra.Command{
 		scanInfo.PolicyIdentifier.Kind = opapolicy.KindFramework
 
 		if !(cmd.Flags().Lookup("use-from").Changed) {
-			scanInfo.PolicyIdentifier.Name = args[0]
+			scanInfo.PolicyIdentifier.Name = strings.ToLower(args[0])
 		}
 		if len(args) > 0 {
 			if len(args[1:]) == 0 || args[1] != "-" {
 				scanInfo.InputPatterns = args[1:]
 			} else { // store stout to file
-				tempFile, err := ioutil.TempFile(".", "tmp-kubescape*.yaml")
+				tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
 				if err != nil {
 					return err
 				}

cmd/version.go

@@ -3,7 +3,7 @@ package cmd
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	"github.com/spf13/cobra"
@@ -32,7 +32,7 @@ func GetLatestVersion() (string, error) {
 		return "", fmt.Errorf("failed to download file, status code: %s", resp.Status)
 	}
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", fmt.Errorf("failed to read response body from '%s', reason: %s", latestVersion, err.Error())
 	}

docs/index.html

@@ -0,0 +1,24 @@
+<html>
+
+<head>
+    <title>
+        Kubscape Website
+    </title>
+    <link rel="icon" type="image/x-icon" href="favicon.ico">
+</head>
+<style>
+    img {
+        display: block;
+        margin-left: auto;
+        margin-right: auto;
+    }
+</style>
+
+<body style="text-align: center;">
+    <img src="kubescape.png" alt="Kubescap logo" style="width:20%">
+    <iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500"
+        allowtransparency="true" frameborder="0"
+        sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
+</body>
+
+</html>

docs/run-options.md

@@ -0,0 +1,89 @@
+<img src="kubescape.png" width="300" alt="logo" align="center">
+
+# More detailed look on command line arguments and options
+
+## Simple run:
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+## Flags
+
+| flag |  default | description | options |
+| --- | --- | --- | --- |
+| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
+| `-s`/`--silent` | Display progress messages | Silent progress messages |
+| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
+| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` | 
+| `-o`/`--output` | print to stdout | Save scan result in file |
+| `--use-from` | | Load local framework object from specified path. If not used will download latest |
+| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
+| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
+| `--results-locally` | `false` | Kubescape sends scan results to Armo management portal to allow users to control exceptions and maintain chronological scan results. Use this flag if you do not wish to use these features | `true`/`false`|
+
+## Usage & Examples
+ 
+### Examples
+
+* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+* Scan local `yaml`/`json` files before deploying
+```
+kubescape scan framework nsa *.yaml
+```
+
+
+* Scan `yaml`/`json` files from url 
+```
+kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
+```
+
+* Output in `json` format 
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
+```
+
+* Output in `junit xml` format 
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
+```
+
+* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
+```
+kubescape scan framework nsa --exceptions examples/exceptions.json
+```
+
+### Helm Support
+
+* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout 
+```
+helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
+```
+
+for example:
+```
+helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
+```
+
+### Offline Support <img src="docs/new-feature.svg">
+
+It is possible to run Kubescape offline!
+
+First download the framework and then scan with `--use-from` flag
+
+* Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
+```
+kubescape download framework nsa --output nsa.json
+```
+
+* Scan using the downloaded framework 
+```
+kubescape scan framework nsa --use-from nsa.json
+```
+
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+

go.mod

@@ -1,6 +1,6 @@
 module github.com/armosec/kubescape
 
-go 1.16
+go 1.17
 
 require (
 	github.com/aws/aws-sdk-go v1.40.30
@@ -28,3 +28,57 @@ require (
 	k8s.io/client-go v0.22.1
 	sigs.k8s.io/controller-runtime v0.9.6
 )
+
+require (
+	cloud.google.com/go v0.81.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/bytecodealliance/wasmtime-go v0.28.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
+	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.11 // indirect
+	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
+	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
+	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.2.2 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/klog/v2 v2.9.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
+	k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)

install.ps1

@@ -0,0 +1,26 @@
+Write-Host "Installing Kubescape..." -ForegroundColor Cyan
+
+$BASE_DIR=$env:USERPROFILE + "\.kubescape"
+$packageName = "/kubescape-windows-latest"
+
+# Get latest release url
+$config = Invoke-WebRequest "https://api.github.com/repos/armosec/kubescape/releases/latest" | ConvertFrom-Json
+$url = $config.html_url.Replace("/tag/","/download/")
+$fullUrl = $url + $packageName
+
+# Create a new directory if needed
+New-Item -Path $BASE_DIR -ItemType "directory" -ErrorAction SilentlyContinue
+
+# Download the binary
+Invoke-WebRequest -Uri $fullUrl -OutFile $BASE_DIR\kubescape.exe
+
+# Update user PATH if needed
+$currentPath = [Environment]::GetEnvironmentVariable("Path", "User")
+if (-not $currentPath.Contains($BASE_DIR)) {
+    $confirmation = Read-Host "Add kubescape to user path? (y/n)"
+    if ($confirmation -eq 'y') {
+        [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";$BASE_DIR;", "User")
+    }
+}
+
+Write-Host "Finished Installation" -ForegroundColor Green 

install.sh

@@ -28,12 +28,28 @@ OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC
 
 curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
 
-# Ping download counter
-curl --silent https://us-central1-elated-pottery-310110.cloudfunctions.net/kubescape-download-counter -o /dev/null
- 
-chmod +x $OUTPUT 2>/dev/null || sudo chmod +x $OUTPUT
-sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC 2>/dev/null || sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC
-sudo cp $OUTPUT /usr/local/bin 2>/dev/null || sudo cp $OUTPUT /usr/local/bin
+# Checking if SUDO needed/exists 
+SUDO=
+if [ "$(id -u)" -ne 0 ] && [ -n "$(which sudo)" ]; then
+    SUDO=sudo
+fi
+
+
+# Find install dir
+install_dir=/usr/local/bin #default
+for pdir in ${PATH//:/ }; do
+    edir="${pdir/#\~/$HOME}"
+    if [[ $edir == $HOME/* ]]; then
+        install_dir=$edir
+        mkdir -p $install_dir 2>/dev/null || true
+        SUDO=
+        break
+    fi
+done
+
+chmod +x $OUTPUT 2>/dev/null 
+$SUDO rm -f /usr/local/bin/$KUBESCAPE_EXEC 2>/dev/null || true # clearning up old install
+$SUDO cp $OUTPUT $install_dir/$KUBESCAPE_EXEC 
 rm -rf $OUTPUT
 
 echo

opaprocessor/processorhandler.go

@@ -112,7 +112,9 @@ func (opap *OPAProcessor) processFramework(framework *opapolicy.Framework) (*opa
 		if err != nil {
 			errs = fmt.Errorf("%v\n%s", errs, err.Error())
 		}
-		controlReports = append(controlReports, *controlReport)
+		if controlReport != nil {
+			controlReports = append(controlReports, *controlReport)
+		}
 	}
 	frameworkReport.ControlReports = controlReports
 	return &frameworkReport, errs
@@ -139,6 +141,9 @@ func (opap *OPAProcessor) processControl(control *opapolicy.Control) (*opapolicy
 			ruleReports = append(ruleReports, *ruleReport)
 		}
 	}
+	if len(ruleReports) == 0 {
+		return nil, nil
+	}
 	controlReport.RuleReports = ruleReports
 	return &controlReport, errs
 }

policyhandler/filesloader.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -131,7 +130,7 @@ func loadFiles(filePaths []string) ([]k8sinterface.IWorkload, []error) {
 }
 
 func loadFile(filePath string) ([]byte, error) {
-	return ioutil.ReadFile(filePath)
+	return os.ReadFile(filePath)
 }
 func readFile(fileContent []byte, fileFromat FileFormat) ([]k8sinterface.IWorkload, []error) {
 

policyhandler/handlepullpolicies.go

@@ -18,14 +18,13 @@ func (policyHandler *PolicyHandler) GetPoliciesFromBackend(notification *opapoli
 		switch rule.Kind {
 		case opapolicy.KindFramework:
 			receivedFramework, recExceptionPolicies, err := policyHandler.getFrameworkPolicies(rule.Name)
-			if err != nil {
-				return nil, nil, fmt.Errorf("kind: %v, name: %s, error: %s", rule.Kind, rule.Name, err.Error())
-			}
 			if receivedFramework != nil {
 				frameworks = append(frameworks, *receivedFramework)
 				if recExceptionPolicies != nil {
 					exceptionPolicies = append(exceptionPolicies, recExceptionPolicies...)
 				}
+			} else if err != nil {
+				return nil, nil, fmt.Errorf("kind: %v, name: %s, error: %s", rule.Kind, rule.Name, err.Error())
 			}
 
 		default:

policyhandler/k8sresources.go

@@ -65,11 +65,8 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 
 	// set labels
 	listOptions := metav1.ListOptions{}
-	if excludedNamespaces != "" && k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
-		excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
-		for _, excludedNamespace := range excludedNamespacesSlice {
-			listOptions.FieldSelector += "metadata.namespace!=" + excludedNamespace + ","
-		}
+	if excludedNamespaces != "" {
+		setFieldSelector(&listOptions, resource, excludedNamespaces)
 	}
 	if len(labels) > 0 {
 		set := k8slabels.Set(labels)
@@ -93,3 +90,18 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 	return result.Items, nil
 
 }
+
+func setFieldSelector(listOptions *metav1.ListOptions, resource *schema.GroupVersionResource, excludedNamespaces string) {
+	fieldSelector := "metadata."
+	if resource.Resource == "namespaces" {
+		fieldSelector += "name"
+	} else if k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
+		fieldSelector += "namespace"
+	} else {
+		return
+	}
+	excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
+	for _, excludedNamespace := range excludedNamespacesSlice {
+		listOptions.FieldSelector += fmt.Sprintf("%s!=%s,", fieldSelector, excludedNamespace)
+	}
+}

scapepkg/exceptions/exceptionprocessor.go

@@ -1,6 +1,8 @@
 package exceptions
 
 import (
+	"regexp"
+
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 
@@ -96,7 +98,7 @@ func hasException(designator *armotypes.PortalDesignator, workload k8sinterface.
 		return false // if designators are empty
 	}
 
-	if cluster != "" && cautils.ClusterName != "" && cluster != cautils.ClusterName { // TODO - where do we receive cluster name from?
+	if cluster != "" && cautils.ClusterName != "" && !regexCompare(cluster, cautils.ClusterName) { // TODO - where do we receive cluster name from?
 		return false // cluster name does not match
 	}
 
@@ -120,17 +122,17 @@ func hasException(designator *armotypes.PortalDesignator, workload k8sinterface.
 
 func compareNamespace(workload k8sinterface.IWorkload, namespace string) bool {
 	if workload.GetKind() == "Namespace" {
-		return namespace == workload.GetName()
+		return regexCompare(namespace, workload.GetName())
 	}
-	return namespace == workload.GetNamespace()
+	return regexCompare(namespace, workload.GetNamespace())
 }
 
 func compareKind(workload k8sinterface.IWorkload, kind string) bool {
-	return kind == workload.GetKind()
+	return regexCompare(kind, workload.GetKind())
 }
 
 func compareName(workload k8sinterface.IWorkload, name string) bool {
-	return name == workload.GetName()
+	return regexCompare(workload.GetName(), name)
 }
 
 func compareLabels(workload k8sinterface.IWorkload, attributes map[string]string) bool {
@@ -139,3 +141,8 @@ func compareLabels(workload k8sinterface.IWorkload, attributes map[string]string
 
 	return designators.Matches(workloadLabels)
 }
+
+func regexCompare(reg, name string) bool {
+	r, _ := regexp.MatchString(reg, name)
+	return r
+}

scapepkg/score/score.go

@@ -3,7 +3,7 @@ package score
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -157,7 +157,7 @@ func getPostureFrameworksScores(weightPath string) map[string]map[string]Control
 		weightPath = weightPath + "/"
 	}
 	frameworksScoreMap := make(map[string]map[string]ControlScoreWeights)
-	dat, err := ioutil.ReadFile(weightPath + "frameworkdict.json")
+	dat, err := os.ReadFile(weightPath + "frameworkdict.json")
 	if err != nil {
 		return nil
 	}
@@ -174,7 +174,7 @@ func getPostureResourceScores(weightPath string) map[string]float32 {
 		weightPath = weightPath + "/"
 	}
 	resourceScoreMap := make(map[string]float32)
-	dat, err := ioutil.ReadFile(weightPath + "resourcesdict.json")
+	dat, err := os.ReadFile(weightPath + "resourcesdict.json")
 	if err != nil {
 		return nil
 	}

scapepkg/score/score_mocks.go

@@ -2,7 +2,7 @@ package score
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"os"
 	"strings"
 
 	k8sinterface "github.com/armosec/kubescape/cautils/k8sinterface"
@@ -12,7 +12,7 @@ import (
 func loadResourcesMock() []map[string]interface{} {
 	resources := make([]map[string]interface{}, 0)
 
-	dat, err := ioutil.ReadFile("resourcemocks.json")
+	dat, err := os.ReadFile("resourcemocks.json")
 
 	if err != nil {
 		return resources
@@ -51,7 +51,7 @@ func getResouceByType(desiredType string) map[string]interface{} {
 func loadFrameworkMock() *opapolicy.FrameworkReport {
 	report := &opapolicy.FrameworkReport{}
 
-	dat, err := ioutil.ReadFile("frameworkmock.json")
+	dat, err := os.ReadFile("frameworkmock.json")
 
 	if err != nil {
 		return report

website/index.html

@@ -0,0 +1,14 @@
+<html>
+    <head>
+        <title>
+            Kubscape Website
+        </title>
+        <h1>Kubscape Website</h1>
+    </head>
+    <body>
+<h2>
+    Join us!!!
+    <iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500" allowtransparency="true" frameborder="0" sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
+</h2>
+    </body>
+</html>