refactor(misconf): use OPA v1 (#8518)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Nikita Pivkin
2025-03-11 06:36:13 +06:00
committed by GitHub
parent 41512f846e
commit 19e2c10e89
13 changed files with 37 additions and 36 deletions


@@ -6,8 +6,8 @@ import (
"path/filepath"
"strings"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/util"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/open-policy-agent/opa/v1/util"
"github.com/aquasecurity/trivy/pkg/iac/rego/schemas"
"github.com/aquasecurity/trivy/pkg/iac/types"


@@ -1,9 +1,9 @@
package rego
import (
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/rego"
"github.com/open-policy-agent/opa/types"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/open-policy-agent/opa/v1/rego"
"github.com/open-policy-agent/opa/v1/types"
checksrego "github.com/aquasecurity/trivy-checks/pkg/rego"
)


@@ -8,7 +8,7 @@ import (
"strings"
"sync"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/v1/ast"
checks "github.com/aquasecurity/trivy-checks"
"github.com/aquasecurity/trivy/pkg/iac/rules"
@@ -104,9 +104,7 @@ func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module
if err != nil {
return err
}
module, err := ast.ParseModuleWithOpts(path, string(data), ast.ParserOptions{
ProcessAnnotation: true,
})
module, err := ParseRegoModule(path, string(data))
if err != nil {
return fmt.Errorf("failed to parse Rego module: %w", err)
}


@@ -3,7 +3,7 @@ package rego
import (
"testing"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -89,9 +89,7 @@ deny[res]{
t.Run(tc.name, func(t *testing.T) {
policies, err := LoadPoliciesFromDirs(checks.EmbeddedLibraryFileSystem, ".")
require.NoError(t, err)
newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{
ProcessAnnotation: true,
})
newRule, err := ParseRegoModule("/rules/newrule.rego", tc.inputPolicy)
require.NoError(t, err)
policies["/rules/newrule.rego"] = newRule
@@ -187,9 +185,7 @@ deny[res]{
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
policies := make(map[string]*ast.Module)
newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{
ProcessAnnotation: true,
})
newRule, err := ParseRegoModule("/rules/newrule.rego", tc.inputPolicy)
require.NoError(t, err)
policies["/rules/newrule.rego"] = newRule


@@ -7,8 +7,8 @@ import (
"io/fs"
"strings"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/bundle"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/open-policy-agent/opa/v1/bundle"
"github.com/samber/lo"
"github.com/aquasecurity/trivy/pkg/log"
@@ -43,9 +43,7 @@ func (s *Scanner) loadPoliciesFromReaders(readers []io.Reader) (map[string]*ast.
if err != nil {
return nil, err
}
module, err := ast.ParseModuleWithOpts(moduleName, string(data), ast.ParserOptions{
ProcessAnnotation: true,
})
module, err := ParseRegoModule(moduleName, string(data))
if err != nil {
return nil, err
}
@@ -298,3 +296,10 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
s.policies = filtered
return nil
}
func ParseRegoModule(name, input string) (*ast.Module, error) {
return ast.ParseModuleWithOpts(name, input, ast.ParserOptions{
ProcessAnnotation: true,
RegoVersion: ast.RegoV0,
})
}
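Review bot: `ParseRegoModule` is exported without a doc comment, and the `RegoVersion: ast.RegoV0` pin in it is the behaviour-critical part of this change. The `opa/v1` packages default to Rego v1 syntax, so this pin is what keeps existing v0-syntax checks parsing after the import switch. I would add above the function: `// ParseRegoModule parses a Rego module with annotation processing enabled, pinned to Rego v0 syntax so existing checks keep loading under the OPA v1 packages.` Any module that reaches the engine without going through this helper (possibly via the `bundle` import in this file) would presumably get the v1 default; that path is not visible here and is worth confirming, because a check that fails to parse is a check that does not run. A test that passes a v0-only policy and one using `import rego.v1` through the helper would pin the intended behaviour.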


@@ -9,7 +9,7 @@ import (
"testing"
"testing/fstest"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"


@@ -7,8 +7,8 @@ import (
"strings"
"github.com/mitchellh/mapstructure"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/rego"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/open-policy-agent/opa/v1/rego"
"github.com/samber/lo"
"github.com/aquasecurity/trivy/pkg/iac/framework"


@@ -5,7 +5,7 @@ import (
"io/fs"
"strconv"
"github.com/open-policy-agent/opa/rego"
"github.com/open-policy-agent/opa/v1/rego"
"github.com/aquasecurity/trivy/pkg/iac/scan"
iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"


@@ -4,8 +4,8 @@ import (
"os"
"strings"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/version"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/open-policy-agent/opa/v1/version"
)
func addRuntimeValues() *ast.Term {


@@ -9,10 +9,10 @@ import (
"io/fs"
"strings"
"github.com/open-policy-agent/opa/ast"
"github.com/open-policy-agent/opa/rego"
"github.com/open-policy-agent/opa/storage"
"github.com/open-policy-agent/opa/util"
"github.com/open-policy-agent/opa/v1/ast"
"github.com/open-policy-agent/opa/v1/rego"
"github.com/open-policy-agent/opa/v1/storage"
"github.com/open-policy-agent/opa/v1/util"
"github.com/samber/lo"
"github.com/aquasecurity/trivy/pkg/iac/framework"
@@ -24,7 +24,7 @@ import (
"github.com/aquasecurity/trivy/pkg/set"
)
var checkTypesWithSubtype = set.New[types.Source](types.SourceCloud, types.SourceDefsec, types.SourceKubernetes)
var checkTypesWithSubtype = set.New(types.SourceCloud, types.SourceDefsec, types.SourceKubernetes)
var supportedProviders = makeSupportedProviders()


@@ -7,8 +7,8 @@ import (
"path/filepath"
"strings"
"github.com/open-policy-agent/opa/loader"
"github.com/open-policy-agent/opa/storage"
"github.com/open-policy-agent/opa/v1/loader"
"github.com/open-policy-agent/opa/v1/storage"
)
// initialize a store populated with OPA data files found in dataPaths