From 7e9ed57eb4e9bb7301c20e324d322fff52e41906 Mon Sep 17 00:00:00 2001
From: Simar
Date: Fri, 5 Jul 2024 22:08:28 -0600
Subject: [PATCH 1/2] test(bundle): Verify bundle usage
---
 scripts/testdata/main.tf | 6 ++++++
 scripts/verify-bundle.go | 29 +++++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 scripts/testdata/main.tf
diff --git a/scripts/testdata/main.tf b/scripts/testdata/main.tf
new file mode 100644
index 00000000..05eaf0a7
--- /dev/null
+++ b/scripts/testdata/main.tf
@@ -0,0 +1,6 @@
+resource "aws_vpc" "example" {
+ cidr_block = "10.1.0.0/16"
+ tags = {
+ Name = "my-vpc-resource"
+ }
+}
\ No newline at end of file
diff --git a/scripts/verify-bundle.go b/scripts/verify-bundle.go
index eda79970..1049da69 100644
--- a/scripts/verify-bundle.go
+++ b/scripts/verify-bundle.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "io"
 "path/filepath"
+ "strings"
 
 "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/api/types/mount"
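Review bot: The fixture does not say which misconfiguration it is meant to trigger, yet verify-bundle.go asserts on exactly `Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)`, so any change to the bundle's checks that makes this VPC pass, or fail twice, breaks the script with no hint as to why. A comment at the top of the file tying the two together, e.g. `# Expected to produce exactly one misconfiguration finding; scripts/verify-bundle.go asserts on that count.`, would make the coupling visible to whoever edits either side. The file also ends without a trailing newline (`\ No newline at end of file`).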
@@ -63,13 +64,25 @@ func createOrasContainer(ctx context.Context, regIP string, bundlePath string) t
 }
 
 func createTrivyContainer(ctx context.Context, regIP string) testcontainers.Container {
+ testDataPath, err := filepath.Abs("scripts/testdata")
+ if err != nil {
+ panic(err)
+ }
+
 reqTrivy := testcontainers.ContainerRequest{
 Image: "aquasec/trivy:latest",
- Cmd: []string{"--debug", "config", fmt.Sprintf("--policy-bundle-repository=%s:5111/defsec-test:latest", regIP), "."},
+ Cmd: []string{"--debug", "config", fmt.Sprintf("--policy-bundle-repository=%s:5111/defsec-test:latest", regIP), "/testdata"},
 HostConfigModifier: func(config *container.HostConfig) {
 config.NetworkMode = "host"
+ config.Mounts = []mount.Mount{
+ {
+ Type: mount.TypeBind,
+ Source: testDataPath,
+ Target: "/testdata",
+ },
+ }
 },
- WaitingFor: wait.ForLog("Policies successfully loaded from disk"),
+ WaitingFor: wait.ForLog("OS is not detected."),
 }
 trivyC, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
 ContainerRequest: reqTrivy,
@@ -92,7 +105,7 @@ func debugLogsForContainer(ctx context.Context, c testcontainers.Container) stri
 return string(b)
 }
 
-func LoadBundle() {
+func LoadAndVerifyBundle() {
 ctx := context.Background()
 
 bundlePath, err := filepath.Abs("bundle.tar.gz")
@@ -125,9 +138,17 @@ func LoadBundle() {
 fmt.Println(debugLogsForContainer(ctx, regC))
 fmt.Println(debugLogsForContainer(ctx, orasC))
 fmt.Println(debugLogsForContainer(ctx, trivyC))
+
+ if !assertInLogs(debugLogsForContainer(ctx, trivyC), `Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)`) {
+ panic("asserting Trivy logs for misconfigurations failed, check Trivy log output")
+ }
+}
+
+func assertInLogs(containerLogs, assertion string) bool {
+ return strings.Contains(containerLogs, assertion)
 }
 
 // TODO: Verify by using bundle to scan
 func main() {
- LoadBundle()
+ LoadAndVerifyBundle()
 }
From db0462e15543c95a214f57d158697b857efeb438 Mon Sep 17 00:00:00 2001
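Review bot: The bind mount added in HostConfigModifier gives the Trivy container write access to the host's scripts/testdata directory although the scan only reads it; add `ReadOnly: true,` after `Target: "/testdata",` so the fixture cannot be altered from inside the container. `WaitingFor: wait.ForLog("OS is not detected.")` ties readiness to a debug line that is incidental to config scanning, and if Trivy prints it before the result summary, the log assertion in LoadAndVerifyBundle may read logs that do not yet contain the `Tests: 1 (...)` line; waiting for the summary line itself, or for the container to exit, would be more robust. `filepath.Abs("scripts/testdata")` resolves against the process working directory, so the script presumably has to be run from the repository root — worth stating in a comment, `// relative to the repository root, which is the expected working directory`. createTrivyContainer continues past the end of the hunk.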
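Review bot: `debugLogsForContainer(ctx, trivyC)` is called twice in a row, once to print and once to assert, so the container logs are fetched twice and the two reads may not see the same output; capture once with `trivyLogs := debugLogsForContainer(ctx, trivyC)`, `fmt.Println(trivyLogs)`, and `if !assertInLogs(trivyLogs, ...)`. The same double call is carried into the version loop in the second patch. assertInLogs is a one-line alias for strings.Contains with no doc comment; if it stays, `// assertInLogs reports whether the Trivy log output contains the expected result summary line.` states the contract it exists for.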
From: Simar
Date: Fri, 5 Jul 2024 22:58:30 -0600
Subject: [PATCH 2/2] add a list of versions to test against
---
 scripts/verify-bundle.go | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/scripts/verify-bundle.go b/scripts/verify-bundle.go
index 1049da69..87122f6a 100644
--- a/scripts/verify-bundle.go
+++ b/scripts/verify-bundle.go
@@ -15,6 +15,7 @@ import (
 
 var bundlePath = "bundle.tar.gz"
 var OrasPush = []string{"--config", "/dev/null:application/vnd.cncf.openpolicyagent.config.v1+json", fmt.Sprintf("%s:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip", bundlePath)}
+var supportedTrivyVersions = []string{"latest", "canary"} // TODO: add more versions
 
 func createRegistryContainer(ctx context.Context) (testcontainers.Container, string) {
 reqReg := testcontainers.ContainerRequest{
@@ -63,14 +64,14 @@ func createOrasContainer(ctx context.Context, regIP string, bundlePath string) t
 return orasC
 }
 
-func createTrivyContainer(ctx context.Context, regIP string) testcontainers.Container {
+func createTrivyContainer(ctx context.Context, trivyVersion string, regIP string) testcontainers.Container {
 testDataPath, err := filepath.Abs("scripts/testdata")
 if err != nil {
 panic(err)
 }
 
 reqTrivy := testcontainers.ContainerRequest{
- Image: "aquasec/trivy:latest",
+ Image: fmt.Sprintf("aquasec/trivy:%s", trivyVersion),
 Cmd: []string{"--debug", "config", fmt.Sprintf("--policy-bundle-repository=%s:5111/defsec-test:latest", regIP), "/testdata"},
 HostConfigModifier: func(config *container.HostConfig) {
 config.NetworkMode = "host"
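Review bot: `latest` and `canary` are both floating tags, so two runs of the script may verify the bundle against different Trivy builds and a failure cannot be reproduced from the output alone; alongside them the list should carry at least one pinned release tag (the oldest version the bundle is meant to support), which is also what a backward-compatibility check needs and what the `TODO: add more versions` appears to intend. A doc comment makes that expectation explicit, e.g. `// supportedTrivyVersions lists the aquasec/trivy image tags the bundle is verified against; keep a pinned release next to the floating tags.`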
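Review bot: createTrivyContainer now takes an image tag as well as the registry address but has no doc comment describing either parameter, and `trivyVersion string, regIP string` can be written `trivyVersion, regIP string`. Suggested header: `// createTrivyContainer starts aquasec/trivy:<trivyVersion> on the host network and runs a config scan of scripts/testdata against the bundle published at <regIP>:5111/defsec-test:latest.` The function body continues beyond the end of the hunk.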
@@ -127,28 +128,29 @@ func LoadAndVerifyBundle() {
 }
 }()
 
- trivyC := createTrivyContainer(ctx, regIP)
- defer func() {
- if err = trivyC.Terminate(ctx); err != nil {
- panic(err)
- }
- }()
-
- // for debugging
 fmt.Println(debugLogsForContainer(ctx, regC))
 fmt.Println(debugLogsForContainer(ctx, orasC))
- fmt.Println(debugLogsForContainer(ctx, trivyC))
 
- if !assertInLogs(debugLogsForContainer(ctx, trivyC), `Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)`) {
- panic("asserting Trivy logs for misconfigurations failed, check Trivy log output")
+ for _, trivyVersion := range supportedTrivyVersions {
+ fmt.Println("=======Testing version: ", trivyVersion, "==========")
+ trivyC := createTrivyContainer(ctx, trivyVersion, regIP)
+ fmt.Println(debugLogsForContainer(ctx, trivyC))
+
+ if !assertInLogs(debugLogsForContainer(ctx, trivyC), `Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)`) {
+ panic("asserting Trivy logs for misconfigurations failed, check Trivy log output")
+ }
+
+ if err = trivyC.Terminate(ctx); err != nil {
+ panic(err)
+ }
 }
+
 }
 
 func assertInLogs(containerLogs, assertion string) bool {
 return strings.Contains(containerLogs, assertion)
 }
 
-// TODO: Verify by using bundle to scan
 func main() {
 LoadAndVerifyBundle()
 }
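Review bot: The deferred `trivyC.Terminate` from the first patch is replaced by a plain call at the end of the loop body, so when the `assertInLogs` check panics the Trivy container for that version is left running (unless a reaper happens to collect it), while the regC/orasC defers visible at the top of the hunk clean up only their own containers. Moving the per-version work into a helper restores the defer without deferring inside a loop, and lets the helper fetch the logs once instead of calling debugLogsForContainer twice. The stray blank line before the closing `}` of LoadAndVerifyBundle should go as well.
```go
	for _, trivyVersion := range supportedTrivyVersions {
		verifyWithTrivyVersion(ctx, trivyVersion, regIP)
	}
}

// verifyWithTrivyVersion scans the fixture with one Trivy image tag and
// terminates that container even when the log assertion panics.
func verifyWithTrivyVersion(ctx context.Context, trivyVersion, regIP string) {
	fmt.Println("=======Testing version: ", trivyVersion, "==========")
	trivyC := createTrivyContainer(ctx, trivyVersion, regIP)
	defer func() {
		if err := trivyC.Terminate(ctx); err != nil {
			panic(err)
		}
	}()

	trivyLogs := debugLogsForContainer(ctx, trivyC)
	fmt.Println(trivyLogs)
	if !assertInLogs(trivyLogs, `Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)`) {
		panic("asserting Trivy logs for misconfigurations failed, check Trivy log output")
	}
}
// … unchanged: assertInLogs and main …
```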