* adding corrections to cmd Signed-off-by: David Wertenteil <dwertent@armosec.io> * remove decorative line Signed-off-by: David Wertenteil <dwertent@armosec.io> * wip: changed results indicator Signed-off-by: David Wertenteil <dwertent@armosec.io> * replace status test with icons Signed-off-by: David Wertenteil <dwertent@armosec.io> * print workloads in a different line Signed-off-by: David Wertenteil <dwertent@armosec.io> * update display Signed-off-by: David Wertenteil <dwertent@armosec.io> * deprecate commands Signed-off-by: David Wertenteil <dwertent@armosec.io> * removed unused functions Signed-off-by: David Wertenteil <dwertent@armosec.io> * fixed tests Signed-off-by: David Wertenteil <dwertent@armosec.io> * update cloud provider detection Signed-off-by: David Wertenteil <dwertent@armosec.io> * rename column name Signed-off-by: David Wertenteil <dwertent@armosec.io> --------- Signed-off-by: David Wertenteil <dwertent@armosec.io>
package cautils
import (
"golang.org/x/mod/semver"
"github.com/armosec/utils-go/boolutils"
cloudsupport "github.com/kubescape/k8s-interface/cloudsupport/v1"
"github.com/kubescape/opa-utils/reporthandling"
"github.com/kubescape/opa-utils/reporthandling/apis"
)
// NewPolicies returns an empty, ready-to-use Policies value: no frameworks
// selected yet and an initialised (non-nil) Controls map keyed by control ID,
// so callers can populate both without further setup.
func NewPolicies() *Policies {
	p := Policies{}
	p.Frameworks = []string{}
	p.Controls = map[string]reporthandling.Control{}
	return &p
}
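// Set populates policies from the given frameworks, keeping only what applies
// to this scan.
//
// Frameworks whose declared scanning scope does not fit scanningScope are
// skipped entirely. For every control of a remaining framework the rules are
// filtered:
//   - rules listed in excludedRules (keyed by rule name) are dropped,
//   - rules marked as depending on the KS OPA ("armoOpa" attribute) are dropped,
//   - rules outside the kubescape version window declared by their
//     "useFromKubescapeVersion"/"useUntilKubescapeVersion" attributes are dropped,
//   - no rule is kept at all when the control itself is out of scope.
//
// A control with at least one surviving rule is stored, with its filtered rule
// list, in policies.Controls under its ControlID. A control left without rules
// is stored only when its action-required attribute is manual review, so it is
// still surfaced to the reviewer. The rule filtering mutates the controls
// inside frameworks in place.
func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
	for i := range frameworks {
		if !isFrameworkFitToScanScope(frameworks[i], scanningScope) {
			continue
		}
		if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
		}
		for j := range frameworks[i].Controls {
			compatibleRules := []reporthandling.PolicyRule{}
			// Scope fit is a property of the control, not of a rule: evaluate it
			// once instead of once per rule. An out-of-scope control keeps no
			// rules, which routes it to the manual-review handling below.
			if isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
				for r := range frameworks[i].Controls[j].Rules {
					// Reading a nil map yields the zero value, so excludedRules
					// may be nil without a separate guard.
					ruleName := frameworks[i].Controls[j].Rules[r].Name
					if _, exclude := excludedRules[ruleName]; exclude {
						continue
					}
					if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
						compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
					}
				}
			}
			if len(compatibleRules) > 0 {
				frameworks[i].Controls[j].Rules = compatibleRules
				policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
				continue
			}
			// No applicable rules: keep the control only when it is flagged for
			// manual review, so that it is still reported to the user.
			actionRequiredStr := frameworks[i].Controls[j].GetActionRequiredAttribute()
			if actionRequiredStr == "" {
				continue
			}
			if actionRequiredStr == string(apis.SubStatusManualReview) {
				policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
			}
		}
	}
}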
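// ruleWithKSOpaDependency reports whether a rule is marked as depending on the
// KS OPA through its "armoOpa" attribute.
//
// A missing, nil or non-string attribute is treated as "no dependency" rather
// than panicking on the type assertion: attributes are an untyped decoded map,
// so a value of the wrong type must not be able to abort the whole scan.
func ruleWithKSOpaDependency(attributes map[string]interface{}) bool {
	// Indexing a nil map is safe and yields a missing key.
	v, ok := attributes["armoOpa"] // TODO - make global
	if !ok {
		return false
	}
	s, isString := v.(string)
	if !isString {
		return false
	}
	return boolutils.StringToBool(s)
}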
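// isRuleKubescapeVersionCompatible checks that the kubescape version is inside
// the range of use declared by the rule's attributes:
//   - "useFromKubescapeVersion": the rule applies from this version (inclusive)
//   - "useUntilKubescapeVersion": the rule applies up to this version (exclusive)
//
// Versions are compared with semver.Compare, which expects the "vMAJOR.MINOR.PATCH"
// form and ranks an invalid version string below any valid one.
//
// In a local build (BuildNumber = "", so version is ""): the "from" bound is
// not enforced and the function returns true only if the rule has no "until"
// attribute.
//
// An attribute that is missing, nil or not a string is treated as absent
// instead of panicking on the type assertion.
func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
	// A comma-ok assertion on the looked-up value covers all three cases:
	// missing key (nil interface), explicit nil, and wrong type.
	if from, ok := attributes["useFromKubescapeVersion"].(string); ok && version != "" {
		if semver.Compare(version, from) == -1 {
			return false
		}
	}
	if until, ok := attributes["useUntilKubescapeVersion"].(string); ok {
		// A local build has no version to compare against an upper bound, so a
		// rule with an "until" bound is excluded rather than assumed to apply.
		if version == "" {
			return false
		}
		if semver.Compare(version, until) >= 0 {
			return false
		}
	}
	return true
}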
// getCloudProvider detects the managed Kubernetes provider the current cluster
// runs on and returns the matching cloud scanning scope (AKS, EKS or GKE), or
// "" when none is detected. Detection is delegated to cloudsupport and tried
// in the order AKS, EKS, GKE. The scanInfo argument is currently not consulted.
func getCloudProvider(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
	switch {
	case cloudsupport.IsAKS():
		return reporthandling.ScopeCloudAKS
	case cloudsupport.IsEKS():
		return reporthandling.ScopeCloudEKS
	case cloudsupport.IsGKE():
		return reporthandling.ScopeCloudGKE
	default:
		return ""
	}
}
// GetScanningScope derives the scanning scope for a scan from its context.
// A cluster scan (ContextCluster) is scoped to the detected cloud provider
// when there is one and to the generic cluster scope otherwise; every other
// scanning context is treated as a file scan.
func GetScanningScope(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
	if scanInfo.GetScanningContext() != ContextCluster {
		return reporthandling.ScopeFile
	}
	cloudProvider := getCloudProvider(scanInfo)
	if cloudProvider == "" {
		return reporthandling.ScopeCluster
	}
	return cloudProvider
}
// isScanningScopeMatchToControlScope reports whether a scan performed at
// scanScope satisfies a control's declared controlScope.
//
// Scopes form a hierarchy: a cluster-scoped control matches cluster scans and
// any cloud scan (generic or provider-specific); a cloud-scoped control matches
// the generic cloud scope and any specific provider; the file scope and the
// provider-specific scopes match only themselves. An unrecognised controlScope
// matches everything.
func isScanningScopeMatchToControlScope(scanScope reporthandling.ScanningScopeType, controlScope reporthandling.ScanningScopeType) bool {
	isCloud := func(s reporthandling.ScanningScopeType) bool {
		switch s {
		case reporthandling.ScopeCloud, reporthandling.ScopeCloudAKS, reporthandling.ScopeCloudEKS, reporthandling.ScopeCloudGKE:
			return true
		}
		return false
	}
	switch controlScope {
	case reporthandling.ScopeFile, reporthandling.ScopeCloudAKS, reporthandling.ScopeCloudEKS, reporthandling.ScopeCloudGKE:
		// Leaf scopes: exact match only.
		return scanScope == controlScope
	case reporthandling.ScopeCluster:
		return scanScope == reporthandling.ScopeCluster || isCloud(scanScope)
	case reporthandling.ScopeCloud:
		return isCloud(scanScope)
	default:
		return true
	}
}
// isControlFitToScanScope reports whether control applies to a scan performed
// at scanScopeMatches. A control with no scanning scope, or with an empty
// Matches list, fits every scan (backward compatibility: a kubescape that
// knows about scopes paired with a regolibrary that does not declare them).
// Otherwise at least one declared match must be satisfied by the scan scope.
func isControlFitToScanScope(control reporthandling.Control, scanScopeMatches reporthandling.ScanningScopeType) bool {
	scope := control.ScanningScope
	if scope == nil || len(scope.Matches) == 0 {
		return true
	}
	for _, match := range scope.Matches {
		if isScanningScopeMatchToControlScope(scanScopeMatches, match) {
			return true
		}
	}
	return false
}
// isFrameworkFitToScanScope reports whether framework applies to a scan
// performed at scanScopeMatches. A framework with no scanning scope, or with
// an empty Matches list, fits every scan (backward compatibility: a kubescape
// that knows about scopes paired with a regolibrary that does not declare
// them). Otherwise at least one declared match must be satisfied by the scan
// scope.
func isFrameworkFitToScanScope(framework reporthandling.Framework, scanScopeMatches reporthandling.ScanningScopeType) bool {
	scope := framework.ScanningScope
	if scope == nil || len(scope.Matches) == 0 {
		return true
	}
	for _, match := range scope.Matches {
		if isScanningScopeMatchToControlScope(scanScopeMatches, match) {
			return true
		}
	}
	return false
}