package cautils
import (
"golang.org/x/mod/semver"
"github.com/kubescape/opa-utils/reporthandling"
"github.com/kubescape/opa-utils/reporthandling/apis"
)
// NewPolicies returns an empty, ready-to-use Policies: the Frameworks slice and
// the Controls map are both allocated, so Set can append and insert without
// any further initialisation.
func NewPolicies() *Policies {
	p := Policies{}
	p.Frameworks = []string{}
	p.Controls = map[string]reporthandling.Control{}
	return &p
}
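// Set records on policies the frameworks and controls that apply to this scan:
// frameworks whose scanning scope fits scanningScope, and controls that either
// keep at least one rule after filtering or are flagged for manual review.
//
// A rule is dropped when its name is a key of excludedRules (key presence alone
// excludes; the bool value is ignored), when it is not compatible with the
// running kubescape version, or when its owning control does not fit the
// scanning scope. Surviving controls are stored in policies.Controls keyed by
// ControlID, so policies.Controls must be non-nil (see NewPolicies).
//
// The Rules slice of each kept control is replaced in place, so the caller's
// frameworks are modified.
func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
	for i := range frameworks {
		if !isFrameworkFitToScanScope(frameworks[i], scanningScope) {
			continue
		}
		if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
		}
		for j := range frameworks[i].Controls {
			control := &frameworks[i].Controls[j]
			compatibleRules := compatibleRulesFor(control, version, excludedRules, scanningScope)
			if len(compatibleRules) > 0 {
				control.Rules = compatibleRules
				policies.Controls[control.ControlID] = *control
				continue
			}
			// No rule survived filtering: controls flagged for manual review are
			// still recorded so they reach the report.
			// NOTE(review): this also keeps manual-review controls whose scanning
			// scope does not match the scan — confirm that is intended.
			if control.GetActionRequiredAttribute() == string(apis.SubStatusManualReview) {
				policies.Controls[control.ControlID] = *control
			}
		}
	}
}

// compatibleRulesFor returns the rules of control that are not excluded by name,
// are compatible with version, and whose control fits scanningScope. It returns
// an empty, non-nil slice when nothing qualifies.
func compatibleRulesFor(control *reporthandling.Control, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) []reporthandling.PolicyRule {
	compatibleRules := []reporthandling.PolicyRule{}
	// The control-level scope check does not depend on the rule, so evaluate
	// it once instead of once per rule.
	if !isControlFitToScanScope(*control, scanningScope) {
		return compatibleRules
	}
	for r := range control.Rules {
		// Indexing a nil map is safe in Go, so no nil check is needed; key
		// presence alone excludes the rule.
		if _, exclude := excludedRules[control.Rules[r].Name]; exclude {
			continue
		}
		if isRuleKubescapeVersionCompatible(control.Rules[r].Attributes, version) {
			compatibleRules = append(compatibleRules, control.Rules[r])
		}
	}
	return compatibleRules
}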
// isRuleKubescapeVersionCompatible reports whether a rule whose attributes may
// carry the optional "useFromKubescapeVersion" / "useUntilKubescapeVersion"
// bounds can be used with the running kubescape version.
//
// Bounds are compared with semver.Compare, so both version and the attribute
// values are expected in the "vMAJOR.MINOR.PATCH" form that package accepts;
// a malformed version sorts below every valid one and will therefore fail the
// lower bound.
//
// In a local build (version == "", i.e. BuildNumber unset) the lower bound is
// ignored and the rule is accepted only if it has no "until" attribute.
// A bound that is present but not a string makes the rule incompatible.
func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
	from, hasFrom := attributes["useFromKubescapeVersion"]
	if hasFrom && from != nil {
		lower, isString := from.(string)
		if !isString {
			// Non-string bound: treat the rule as unusable rather than guessing.
			return false
		}
		if version != "" && semver.Compare(version, lower) < 0 {
			return false
		}
	}

	until, hasUntil := attributes["useUntilKubescapeVersion"]
	if hasUntil && until != nil {
		upper, isString := until.(string)
		if !isString {
			return false
		}
		// An empty version cannot be shown to be below the upper bound.
		if version == "" || semver.Compare(version, upper) >= 0 {
			return false
		}
	}
	return true
}
// isScanningScopeMatchToControlScope reports whether a scan running with
// scanScope satisfies a control (or framework) declared for controlScope.
//
// Cluster-scoped controls also apply to any cloud scan, cloud-scoped controls
// apply to the generic cloud scope and to every provider-specific cloud scope,
// while file and provider-specific scopes match only themselves. An unknown
// controlScope is treated as matching everything.
func isScanningScopeMatchToControlScope(scanScope, controlScope reporthandling.ScanningScopeType) bool {
	// Every cloud flavour counts as the generic cloud scope.
	scanIsCloud := scanScope == reporthandling.ScopeCloud ||
		scanScope == reporthandling.ScopeCloudAKS ||
		scanScope == reporthandling.ScopeCloudEKS ||
		scanScope == reporthandling.ScopeCloudGKE

	switch controlScope {
	case reporthandling.ScopeFile,
		reporthandling.ScopeCloudAKS,
		reporthandling.ScopeCloudEKS,
		reporthandling.ScopeCloudGKE:
		// Leaf scopes: only an identical scan scope matches.
		return scanScope == controlScope
	case reporthandling.ScopeCluster:
		return scanScope == reporthandling.ScopeCluster || scanIsCloud
	case reporthandling.ScopeCloud:
		return scanIsCloud
	default:
		// Unknown control scope: stay permissive so newly introduced scopes
		// are not silently dropped from the scan.
		return true
	}
}
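// isControlFitToScanScope reports whether control applies to a scan running
// with scanScopeMatches. A control without a ScanningScope, or with no declared
// matches, applies to every scan (backward compatibility: a kubescape that
// knows about scopes paired with a regolibrary that does not).
func isControlFitToScanScope(control reporthandling.Control, scanScopeMatches reporthandling.ScanningScopeType) bool {
	if control.ScanningScope == nil {
		return true
	}
	return scopeMatchesAny(scanScopeMatches, control.ScanningScope.Matches)
}

// isFrameworkFitToScanScope reports whether framework applies to a scan running
// with scanScopeMatches. A framework without a ScanningScope, or with no
// declared matches, applies to every scan (backward compatibility: a kubescape
// that knows about scopes paired with a regolibrary that does not).
func isFrameworkFitToScanScope(framework reporthandling.Framework, scanScopeMatches reporthandling.ScanningScopeType) bool {
	if framework.ScanningScope == nil {
		return true
	}
	return scopeMatchesAny(scanScopeMatches, framework.ScanningScope.Matches)
}

// scopeMatchesAny reports whether scanScope satisfies at least one of the
// declared matches. An empty match list means "applies everywhere"; this is
// the shared body of isControlFitToScanScope and isFrameworkFitToScanScope.
func scopeMatchesAny(scanScope reporthandling.ScanningScopeType, matches []reporthandling.ScanningScopeType) bool {
	if len(matches) == 0 {
		return true
	}
	for _, m := range matches {
		if isScanningScopeMatchToControlScope(scanScope, m) {
			return true
		}
	}
	return false
}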