diff --git a/go.mod b/go.mod
index 350472d7b4..45d8a8198a 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/aquasecurity/table v1.8.0
 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 github.com/aquasecurity/tml v0.6.1
- github.com/aquasecurity/trivy-checks v1.6.1
+ github.com/aquasecurity/trivy-checks v1.7.1
 github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 github.com/aquasecurity/trivy-kubernetes v0.7.0
@@ -94,7 +94,7 @@ require (
 github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
 github.com/openvex/go-vex v0.2.5
 github.com/owenrumney/go-sarif/v2 v2.3.3
- github.com/owenrumney/squealer v1.2.10
+ github.com/owenrumney/squealer v1.2.11
 github.com/package-url/packageurl-go v0.1.3
 github.com/quasilyte/go-ruleguard/dsl v0.3.22
 github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c
diff --git a/go.sum b/go.sum
index 3410274733..582eb5db57 100644
--- a/go.sum
+++ b/go.sum
@@ -805,8 +805,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy-checks v1.6.1 h1:ANxKl+c9/k3Uk0YNQwpFBx++CG9Goi5T0YeN7Qimmf4= -github.com/aquasecurity/trivy-checks v1.6.1/go.mod h1:xjHg4ivIIIFD7FFNpGrqxi1pRgAW1EXeG4VlkGiymjI= +github.com/aquasecurity/trivy-checks v1.7.1 h1:Pn+Mk0SkqY7adfZT6ZsRjCuum3svr7n5z3w+HpGXmbY= +github.com/aquasecurity/trivy-checks v1.7.1/go.mod h1:YhmXAXgRdYIAYIr+/k/oEYUWoW7ZgGctmnJiV17ZcU8= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.7.0 h1:0pRJFSslUYd9xzQIEw1c0mS7k1Vv489nH/LsxeU6yME= 
@@ -1676,8 +1676,8 @@ github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88 github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU= github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= -github.com/owenrumney/squealer v1.2.10 h1:Yxxy30sOhaK8/FeneHklV0sA6DP4UjUpky2opjdt4ZY= -github.com/owenrumney/squealer v1.2.10/go.mod h1:V72uafpqPERMaJ/pA1MwK/dI0QRzLHCLnh6MqYmjFzY= +github.com/owenrumney/squealer v1.2.11 h1:vMudrj70VeOzY+t7Phz9Yo0wAgm4kXes9DcTLBVDqGY= +github.com/owenrumney/squealer v1.2.11/go.mod h1:8KOuitfOfmS/OtzgxQbxnnrbngAGopfgKB/BiGGpqGA= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= diff --git a/integration/testdata/helm.json.golden b/integration/testdata/helm.json.golden index 5654b1a07f..ecfebabe6e 100644 --- a/integration/testdata/helm.json.golden +++ b/integration/testdata/helm.json.golden @@ -21,8 +21,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 79, - "Failures": 15 + "Successes": 78, + "Failures": 16 }, "Misconfigurations": [ { @@ -91,7 +91,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -160,7 +161,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -229,7 +231,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -298,7 +301,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -367,7 +371,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -436,7 +441,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -505,7 +511,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { 
@@ -574,7 +581,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -643,7 +651,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -712,7 +721,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -781,7 +791,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { @@ -850,7 +861,8 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} } }, { 
@@ -919,7 +931,68 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV110", + "AVDID": "AVD-KSV-0110", + "Title": "Workloads in the default namespace", + "Description": "Checks whether a workload is running in the default namespace.", + "Message": "deployment nginx-deployment in default namespace should set metadata.namespace to a non-default namespace", + "Namespace": "builtin.kubernetes.KSV110", + "Query": "data.builtin.kubernetes.KSV110.deny", + "Resolution": "Set 'metadata.namespace' to a non-default namespace.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110", + "References": [ + "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "https://avd.aquasec.com/misconfig/ksv110" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 5, + "EndLine": 7, + "Code": { + "Lines": [ + { + "Number": 5, + "Content": " name: nginx-deployment", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: nginx-deployment", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 6, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 7, + "Content": " app: nginx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} } }, { @@ -946,7 +1019,8 @@ "Service": "general", "Code": { "Lines": null - } + }, + "RenderedCause": {} } }, { @@ -972,7 +1046,8 @@ "Service": "general", "Code": { "Lines": null - } + }, + "RenderedCause": {} } } ] 
diff --git a/integration/testdata/helm_testchart.json.golden b/integration/testdata/helm_testchart.json.golden index c760d570cd..9d4e2aaef0 100644 --- a/integration/testdata/helm_testchart.json.golden +++ b/integration/testdata/helm_testchart.json.golden @@ -21,8 +21,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 90, - "Failures": 4 + "Successes": 89, + "Failures": 5 }, "Misconfigurations": [ { @@ -150,7 +150,8 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} } }, { @@ -278,7 +279,8 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} } }, { 
@@ -406,7 +408,108 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV110", + "AVDID": "AVD-KSV-0110", + "Title": "Workloads in the default namespace", + "Description": "Checks whether a workload is running in the default namespace.", + "Message": "deployment testchart in default namespace should set metadata.namespace to a non-default namespace", + "Namespace": "builtin.kubernetes.KSV110", + "Query": "data.builtin.kubernetes.KSV110.deny", + "Resolution": "Set 'metadata.namespace' to a non-default namespace.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110", + "References": [ + "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "https://avd.aquasec.com/misconfig/ksv110" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 5, + "EndLine": 11, + "Code": { + "Lines": [ + { + "Number": 5, + "Content": " name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 6, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 7, + "Content": " helm.sh/chart: testchart-0.1.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mhelm.sh/chart\u001b[0m: testchart-0.1.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 8, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 9, + "Content": " app.kubernetes.io/instance: testchart", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": " app.kubernetes.io/version: \"1.16.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/version\u001b[0m: \u001b[38;5;37m\"1.16.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " app.kubernetes.io/managed-by: Helm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mapp.kubernetes.io/managed-by\u001b[0m: Helm", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} } }, { @@ -433,7 +536,8 @@ "Service": "general", "Code": { "Lines": null - } + }, + "RenderedCause": {} } } ] diff --git a/integration/testdata/helm_testchart.overridden.json.golden b/integration/testdata/helm_testchart.overridden.json.golden index a813a887a8..1635d89c1a 100644 --- a/integration/testdata/helm_testchart.overridden.json.golden +++ b/integration/testdata/helm_testchart.overridden.json.golden @@ -21,8 +21,8 @@ "Class": "config", "Type": "helm", "MisconfSummary": { - "Successes": 88, - "Failures": 6 + "Successes": 87, + "Failures": 7 }, "Misconfigurations": [ { @@ -150,7 +150,8 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} } }, { @@ -278,7 +279,8 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} } }, { @@ -406,7 +408,8 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} } }, { @@ -534,7 +537,8 @@ "LastCause": false } ] - } + }, + "RenderedCause": {} } }, { 
@@ -633,7 +637,108 @@ "LastCause": true } ] - } + }, + "RenderedCause": {} + } + }, + { + "Type": "Helm Security Check", + "ID": "KSV110", + "AVDID": "AVD-KSV-0110", + "Title": "Workloads in the default namespace", + "Description": "Checks whether a workload is running in the default namespace.", + "Message": "deployment testchart in default namespace should set metadata.namespace to a non-default namespace", + "Namespace": "builtin.kubernetes.KSV110", + "Query": "data.builtin.kubernetes.KSV110.deny", + "Resolution": "Set 'metadata.namespace' to a non-default namespace.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110", + "References": [ + "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "https://avd.aquasec.com/misconfig/ksv110" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 5, + "EndLine": 11, + "Code": { + "Lines": [ + { + "Number": 5, + "Content": " name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: testchart", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 6, + "Content": " labels:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlabels\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 7, + "Content": " helm.sh/chart: testchart-0.1.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mhelm.sh/chart\u001b[0m: testchart-0.1.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 8, + "Content": " app.kubernetes.io/name: testchart", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 9, + "Content": " app.kubernetes.io/instance: testchart", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": " app.kubernetes.io/version: \"1.16.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mapp.kubernetes.io/version\u001b[0m: \u001b[38;5;37m\"1.16.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " app.kubernetes.io/managed-by: Helm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mapp.kubernetes.io/managed-by\u001b[0m: Helm", + "FirstCause": false, + "LastCause": true + } + ] + }, + "RenderedCause": {} } }, { @@ -660,7 +765,8 @@ "Service": "general", "Code": { "Lines": null - } + }, + "RenderedCause": {} } } ]
diff --git a/pkg/iac/scanners/helm/test/scanner_test.go b/pkg/iac/scanners/helm/test/scanner_test.go
index 8cb0c7e39e..52c0aa33c6 100644
--- a/pkg/iac/scanners/helm/test/scanner_test.go
+++ b/pkg/iac/scanners/helm/test/scanner_test.go
@@ -137,7 +137,7 @@ func Test_helm_scanner_with_dir(t *testing.T) {
 require.NotNil(t, results)
 failed := results.GetFailed()
- assert.Len(t, failed, 13)
+ assert.Len(t, failed, 14)
 visited := make(map[string]bool)
 for _, result := range failed {
@@ -151,7 +151,7 @@ func Test_helm_scanner_with_dir(t *testing.T) {
 "AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030", "AVD-KSV-0104", "AVD-KSV-0106",
- "AVD-KSV-0117",
+ "AVD-KSV-0117", "AVD-KSV-0110",
 }, errorCodes)
 ignored := results.GetIgnored()
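Review bot: `"AVD-KSV-0110"` is appended after `"AVD-KSV-0117"` in the second scanner_test.go hunk, which breaks the ascending order the rest of the expected-ID list keeps (`"AVD-KSV-0104", "AVD-KSV-0106", "AVD-KSV-0117"`); place it between `"AVD-KSV-0106"` and `"AVD-KSV-0117"` so the list stays scannable when the next trivy-checks bump adds another ID. The assertion that consumes this slice and `errorCodes` starts above the hunk, so I cannot see whether it is order-sensitive; if it is `assert.Equal` rather than `assert.ElementsMatch`, the position also has to match however `errorCodes` is built, which is worth a one-line comment such as `// expected failures, kept in ascending AVD ID order`. The count in the first hunk, `assert.Len(t, failed, 14)`, duplicates the length of this list and both had to be edited by hand here; deriving the count from the list (or dropping the `Len` check in favour of the list comparison) would keep them from drifting apart on future check-library updates. Test_helm_scanner_with_dir begins before the first hunk and continues past the second.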