fix: add policies download err msg and fallback to embeded (#2000)

Signed-off-by: chenk <hen.keinan@gmail.com>
aquasecurity · Apr 11, 2024 · b56e499 · b56e499
1 parent a324c2d
commit b56e499
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/pkg/policy/loader.go b/pkg/policy/loader.go
@@ -12,7 +12,9 @@ import (
 
 	mp "github.com/aquasecurity/trivy/pkg/policy"
 	"github.com/bluele/gcache"
+	"github.com/go-logr/logr"
 	"golang.org/x/xerrors"
+	ctrl "sigs.k8s.io/controller-runtime"
 )
 
 const (
@@ -29,6 +31,7 @@ type policyLoader struct {
 	cache      gcache.Cache
 	expiration *time.Duration
 	options    []mp.Option
+	logger     logr.Logger
 }
 
 func NewPolicyLoader(pr string, cache gcache.Cache, opts ...mp.Option) Loader {
@@ -38,10 +41,12 @@ func NewPolicyLoader(pr string, cache gcache.Cache, opts ...mp.Option) Loader {
 		cache:      cache,
 		options:    opts,
 		expiration: &expiration,
+		logger:     ctrl.Log.WithName("policyLoader"),
 	}
 }
 
 func (pl *policyLoader) GetPolicies() ([]string, error) {
+	log := pl.logger.WithValues("Get misconfig bundle policies")
 	var policies []string
 	var ok bool
 	val, err := pl.getPoliciesFromCache()
@@ -51,6 +56,7 @@ func (pl *policyLoader) GetPolicies() ([]string, error) {
 		}
 		policies, err = pl.LoadPolicies()
 		if err != nil {
+			log.V(1).Error(err, "failed to load policies")
 			return []string{}, nil
 		}
 		return policies, nil

diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
@@ -200,14 +200,15 @@ func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[
 	if err != nil {
 		return nil, fmt.Errorf("failed listing externalPolicies by kind: %s: %w", resourceKind, err)
 	}
-	if len(policies) == 0 {
-		return nil, fmt.Errorf("no policies found for kind: %s", resourceKind)
-	}
+
 	memfs := memoryfs.New()
-	// add add policies to in-memory filesystem
-	err = createPolicyInputFS(memfs, policiesFolder, policies, regoExt)
-	if err != nil {
-		return nil, err
+	hasPolicies := len(policies) > 0
+	if hasPolicies {
+		// add add policies to in-memory filesystem
+		err = createPolicyInputFS(memfs, policiesFolder, policies, regoExt)
+		if err != nil {
+			return nil, err
+		}
 	}
 	inputResource, err := resourceBytes(resource, inputs)
 	if err != nil {
@@ -223,7 +224,7 @@ func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[
 	if err != nil {
 		return nil, err
 	}
-	so := scannerOptions(policiesFolder, dataPaths, dataFS)
+	so := scannerOptions(policiesFolder, dataPaths, dataFS, hasPolicies)
 	scanner := kubernetes.NewScanner(so...)
 	scanResult, err := scanner.ScanFS(ctx, memfs, inputFolder)
 	if err != nil {
@@ -271,14 +272,16 @@ func (r *Policies) HasSeverity(resultSeverity severity.Severity) bool {
 	return strings.Contains(defaultSeverity, string(resultSeverity))
 }
 
-func scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS) []options.ScannerOption {
+func scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS, hasPolicies bool) []options.ScannerOption {
 	optionsArray := []options.ScannerOption{
-		options.ScannerWithEmbeddedPolicies(false),
-		options.ScannerWithEmbeddedLibraries(false),
 		options.ScannerWithPolicyDirs(policiesFolder),
 		options.ScannerWithDataDirs(dataPaths...),
 		options.ScannerWithDataFilesystem(dataFS),
 	}
+	if !hasPolicies {
+		optionsArray = append(optionsArray, options.ScannerWithEmbeddedPolicies(true))
+		optionsArray = append(optionsArray, options.ScannerWithEmbeddedLibraries(true))
+	}
 	return optionsArray
 }