
refactor(misconf): Remove unused options (aquasecurity#7896)
Signed-off-by: Simar <[email protected]>
simar7 authored Nov 29, 2024
1 parent eaf8d41 commit 511b7d3
Showing 6 changed files with 9 additions and 90 deletions.
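--- a/pkg/iac/rego/metadata.go
+++ b/pkg/iac/rego/metadata.go
@@ -222,7 +222,6 @@ func NewEngineMetadata(schema string, meta map[string]any) (*scan.EngineMetadata
 }
 
 type InputOptions struct {
-Combined bool
 Selectors []Selector
 }
 
@@ -352,7 +351,6 @@ func (m *MetadataRetriever) RetrieveMetadata(ctx context.Context, module *ast.Mo
 func (m *MetadataRetriever) queryInputOptions(ctx context.Context, module *ast.Module) InputOptions {
 
 options := InputOptions{
-Combined: false,
 Selectors: nil,
 }
 
@@ -395,12 +393,6 @@ func (m *MetadataRetriever) queryInputOptions(ctx context.Context, module *ast.M
 metadata = meta
 }
 
-if raw, ok := metadata["combine"]; ok {
-if combine, ok := raw.(bool); ok {
-options.Combined = combine
-}
-}
-
 if raw, ok := metadata["selector"]; ok {
 if each, ok := raw.([]any); ok {
 for _, rawSelector := range each {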
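--- a/pkg/iac/rego/scanner.go
+++ b/pkg/iac/rego/scanner.go
@@ -237,7 +237,7 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
 }
 usedRules[ruleName] = struct{}{}
 if isEnforcedRule(ruleName) {
-ruleResults, err := s.applyRule(ctx, namespace, ruleName, inputs, staticMeta.InputOptions.Combined)
+ruleResults, err := s.applyRule(ctx, namespace, ruleName, inputs)
 if err != nil {
 s.logger.Error(
 "Error occurred while applying rule from check",
@@ -318,14 +318,7 @@ func parseRawInput(input any) (ast.Value, error) {
 return ast.InterfaceToValue(input)
 }
 
-func (s *Scanner) applyRule(ctx context.Context, namespace, rule string, inputs []Input, combined bool) (scan.Results, error) {
-
-// handle combined evaluations if possible
-if combined {
-s.trace("INPUT", inputs)
-return s.applyRuleCombined(ctx, namespace, rule, inputs)
-}
-
+func (s *Scanner) applyRule(ctx context.Context, namespace, rule string, inputs []Input) (scan.Results, error) {
 var results scan.Results
 qualified := fmt.Sprintf("data.%s.%s", namespace, rule)
 for _, input := range inputs {
@@ -356,30 +349,10 @@ func (s *Scanner) applyRule(ctx context.Context, namespace, rule string, inputs
 return results, nil
 }
 
-func (s *Scanner) applyRuleCombined(ctx context.Context, namespace, rule string, inputs []Input) (scan.Results, error) {
-if len(inputs) == 0 {
-return nil, nil
-}
-
-parsed, err := parseRawInput(inputs)
-if err != nil {
-return nil, fmt.Errorf("failed to parse input: %w", err)
-}
-
-qualified := fmt.Sprintf("data.%s.%s", namespace, rule)
-set, traces, err := s.runQuery(ctx, qualified, parsed, false)
-if err != nil {
-return nil, err
-}
-return s.convertResults(set, inputs[0], namespace, rule, traces), nil
-}
-
 // severity is now set with metadata, so deny/warn/violation now behave the same way
 func isEnforcedRule(name string) bool {
 switch {
-case name == "deny", strings.HasPrefix(name, "deny_"),
-name == "warn", strings.HasPrefix(name, "warn_"),
-name == "violation", strings.HasPrefix(name, "violation_"):
+case name == "deny", strings.HasPrefix(name, "deny_"):
 return true
 }
 return false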
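Review bot: isEnforcedRule now returns true only for `deny`/`deny_*`, so a check written with a `warn { ... }` or `violation { ... }` rule is skipped entirely rather than evaluated, while the comment directly above the function still states that deny/warn/violation behave the same way. A policy using those rule names stops producing findings with no diagnostic, which is easy to miss in a scanner whose job is to surface misconfigurations. Replace the stale comment with `// only deny rules are enforced; warn/violation rules are ignored` and consider a debug-level log in the ScanInput loop (whose body lies outside the hunk) when a rule with one of the dropped names is encountered. Nothing on this page pins the new behaviour: Test_RegoScanning_Warn was deleted instead of being rewritten to assert that a `warn` rule yields no results.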
35 changes: 0 additions & 35 deletions pkg/iac/rego/scanner_test.go
Expand Up @@ -63,7 +63,6 @@ deny {
assert.Empty(t, results.GetIgnored())

assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename())
assert.False(t, results.GetFailed()[0].IsWarning())
}

func Test_RegoScanning_AbsolutePolicyPath_Deny(t *testing.T) {
Expand Down Expand Up @@ -98,40 +97,6 @@ deny {
assert.Empty(t, results.GetIgnored())

assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename())
assert.False(t, results.GetFailed()[0].IsWarning())
}

func Test_RegoScanning_Warn(t *testing.T) {

srcFS := CreateFS(t, map[string]string{
"policies/test.rego": `
package defsec.test
warn {
input.evil
}
`,
})

scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))

results, err := scanner.ScanInput(context.TODO(), rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
},
})
require.NoError(t, err)

require.Len(t, results.GetFailed(), 1)
require.Empty(t, results.GetPassed())
require.Empty(t, results.GetIgnored())

assert.True(t, results.GetFailed()[0].IsWarning())
}

func Test_RegoScanning_Allow(t *testing.T) {
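--- a/pkg/iac/scan/flat.go
+++ b/pkg/iac/scan/flat.go
@@ -18,7 +18,6 @@ type FlatResult struct {
 Description string `json:"description"`
 RangeAnnotation string `json:"-"`
 Severity severity.Severity `json:"severity"`
-Warning bool `json:"warning"`
 Status Status `json:"status"`
 Resource string `json:"resource"`
 Occurrences []Occurrence `json:"occurrences,omitempty"`
@@ -64,7 +63,6 @@ func (r *Result) Flatten() FlatResult {
 Status: r.status,
 Resource: resMetadata.Reference(),
 Occurrences: r.Occurrences(),
-Warning: r.IsWarning(),
 Location: FlatRange{
 Filename: rng.GetFilename(),
 StartLine: rng.GetStartLine(),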
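--- a/pkg/iac/scan/result.go
+++ b/pkg/iac/scan/result.go
@@ -29,7 +29,6 @@ type Result struct {
 severityOverride *severity.Severity
 regoNamespace string
 regoRule string
-warning bool
 traces []string
 fsPath string
 }
@@ -49,10 +48,6 @@ func (r Result) Severity() severity.Severity {
 return r.Rule().Severity
 }
 
-func (r *Result) IsWarning() bool {
-return r.warning
-}
-
 func (r *Result) OverrideSeverity(s severity.Severity) {
 r.severityOverride = &s
 }
@@ -195,7 +190,6 @@ func (r *Results) AddRego(description, namespace, rule string, traces []string,
 description: description,
 regoNamespace: namespace,
 regoRule: rule,
-warning: rule == "warn" || strings.HasPrefix(rule, "warn_"),
 traces: traces,
 }
 result.metadata = getMetadataFromSource(source)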
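--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -477,16 +477,13 @@ func ResultsToMisconf(configType types.ConfigType, scannerName string, results s
 }
 }
 
-if flattened.Warning {
-misconf.Warnings = append(misconf.Warnings, misconfResult)
-} else {
-switch flattened.Status {
-case scan.StatusPassed:
-misconf.Successes = append(misconf.Successes, misconfResult)
-case scan.StatusFailed:
-misconf.Failures = append(misconf.Failures, misconfResult)
-}
+switch flattened.Status {
+case scan.StatusPassed:
+misconf.Successes = append(misconf.Successes, misconfResult)
+case scan.StatusFailed:
+misconf.Failures = append(misconf.Failures, misconfResult)
+}
 
 misconfs[filePath] = misconf
 }
 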
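Review bot: With the `if flattened.Warning` branch removed, ResultsToMisconf no longer appends to `misconf.Warnings`, yet none of the six changed files touches the declaration of that field, so it presumably remains on the misconfiguration type and is now always empty in the output. Consumers that bucket findings into warnings versus failures will see that bucket vanish silently rather than being told it is gone. Either drop the field in the same change or annotate its declaration with `// Deprecated: never populated; warn rules are no longer enforced.` so the empty slice is understood. The enclosing loop of ResultsToMisconf starts before the hunk.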
