diff --git a/go.mod b/go.mod
index 7c16f2f9afd2..e0b7e2ade7f0 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/NYTimes/gziphandler v1.1.1
 github.com/alicebob/miniredis/v2 v2.30.4
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
- github.com/aquasecurity/defsec v0.91.1
+ github.com/aquasecurity/defsec v0.92.0
 github.com/aquasecurity/go-dep-parser v0.0.0-20230828120518-ef5e9409fc43
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -266,7 +266,7 @@ require (
 github.com/hashicorp/go-uuid v1.0.3 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
- github.com/hashicorp/hcl/v2 v2.14.1 // indirect
+ github.com/hashicorp/hcl/v2 v2.17.0 // indirect
 github.com/huandu/xstrings v1.4.0 // indirect
 github.com/imdario/mergo v0.3.15 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -348,8 +348,8 @@ require (
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.1.0 // indirect
 github.com/yuin/gopher-lua v1.1.0 // indirect
- github.com/zclconf/go-cty v1.10.0 // indirect
- github.com/zclconf/go-cty-yaml v1.0.2 // indirect
+ github.com/zclconf/go-cty v1.13.0 // indirect
+ github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 go.mongodb.org/mongo-driver v1.11.3 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/otel v1.14.0 // indirect
@@ -373,10 +373,10 @@ require (
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
- helm.sh/helm/v3 v3.12.1 // indirect
- k8s.io/apiextensions-apiserver v0.27.2 // indirect
+ helm.sh/helm/v3 v3.12.3 // indirect
+ k8s.io/apiextensions-apiserver v0.27.3 // indirect
 k8s.io/apimachinery v0.28.0 // indirect
- k8s.io/apiserver v0.27.2 // indirect
+ k8s.io/apiserver v0.27.3 // indirect
 k8s.io/cli-runtime v0.28.0 // indirect
 k8s.io/client-go v0.28.0 // indirect
 k8s.io/component-base v0.28.0 // indirect
@@ -392,7 +392,7 @@ require (
 modernc.org/opt v0.1.3 // indirect
 modernc.org/strutil v1.1.3 // indirect
 modernc.org/token v1.0.1 // indirect
- oras.land/oras-go v1.2.2 // indirect
+ oras.land/oras-go v1.2.3 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
diff --git a/go.sum b/go.sum
index d317a34ec7f1..1da481574136 100644
--- a/go.sum
+++ b/go.sum
@@ -318,18 +318,17 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU=
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A=
-github.com/aquasecurity/defsec v0.91.1/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
+github.com/aquasecurity/defsec v0.92.0 h1:cls2JJSQ+vb06Qh2XjnODIRfZbrTGBkBQnjgC6R5+vA=
+github.com/aquasecurity/defsec v0.92.0/go.mod h1:uZIC1NjU5R49619WvZOlhWRpCEf/7KD3Lm8nDKRjq+o=
 github.com/aquasecurity/go-dep-parser v0.0.0-20230828120518-ef5e9409fc43 h1:/F4aNnwyFNyAemjKtHznfRdeWUEENOZYOnx+smPPpAE=
 github.com/aquasecurity/go-dep-parser v0.0.0-20230828120518-ef5e9409fc43/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
-github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
+github.com/aquasecurity/go-mock-aws v0.0.0-20230810212901-d6feebd39060 h1:V7nC90NpRDEubNpNEgRDtTfLH3RKQlZeY9/HSqxEze8=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 h1:vmXNl+HDfqqXgr0uY1UgK1GAhps8nbAAtqHNBcgyf+4=
@@ -969,7 +968,6 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -1138,8 +1136,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.2 h1:Dwmkdr5Nc/oBiXgJS3CDHNhJtIHkuZ3DZF5
 github.com/hashicorp/golang-lru/v2 v2.0.2/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl/v2 v2.14.1 h1:x0BpjfZ+CYdbiz+8yZTQ+gdLO7IXvOut7Da+XJayx34=
-github.com/hashicorp/hcl/v2 v2.14.1/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0=
+github.com/hashicorp/hcl/v2 v2.17.0 h1:z1XvSUyXd1HP10U4lrLg5e0JMVz6CPaJvAgxM0KNZVY=
+github.com/hashicorp/hcl/v2 v2.17.0/go.mod h1:gJyW2PTShkJqQBKpAmPO3yxMxIuoXkOF2TpqXzrQyx4=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
@@ -1236,7 +1234,6 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
@@ -1691,7 +1688,6 @@ github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:tw
 github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
@@ -1733,11 +1729,11 @@ github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMzt
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
-github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
-github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
 github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty-yaml v1.0.2 h1:dNyg4QLTrv2IfJpm7Wtxi55ed5gLGOlPrZ6kMd51hY0=
-github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
+github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0=
+github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0=
+github.com/zclconf/go-cty-yaml v1.0.3 h1:og/eOQ7lvA/WWhHGFETVWNduJM7Rjsv2RRpx1sdFMLc=
+github.com/zclconf/go-cty-yaml v1.0.3/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
@@ -1857,7 +1853,6 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -2509,8 +2504,8 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
-helm.sh/helm/v3 v3.12.1 h1:lzU7etZX24A6BTMXYQF3bFq0ECfD8s+fKlNBBL8AbEc=
-helm.sh/helm/v3 v3.12.1/go.mod h1:qhmSY9kcX7yH1xebe+FDMZa7E5NAeZ+LvK5j1gSln48=
+helm.sh/helm/v3 v3.12.3 h1:5y1+Sbty12t48T/t/CGNYUIME5BJ0WKfmW/sobYqkFg=
+helm.sh/helm/v3 v3.12.3/go.mod h1:KPKQiX9IP5HX7o5YnnhViMnNuKiL/lJBVQ47GHe1R0k=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -2523,8 +2518,8 @@ k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
 k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
 k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
 k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
+k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4=
+k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84=
 k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
@@ -2533,8 +2528,8 @@ k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEv
 k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
 k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
 k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
-k8s.io/apiserver v0.27.2 h1:p+tjwrcQEZDrEorCZV2/qE8osGTINPuS5ZNqWAvKm5E=
-k8s.io/apiserver v0.27.2/go.mod h1:EsOf39d75rMivgvvwjJ3OW/u9n1/BmUMK5otEOJrb1Y=
+k8s.io/apiserver v0.27.3 h1:AxLvq9JYtveYWK+D/Dz/uoPCfz8JC9asR5z7+I/bbQ4=
+k8s.io/apiserver v0.27.3/go.mod h1:Y61+EaBMVWUBJtxD5//cZ48cHZbQD+yIyV/4iEBhhNA=
 k8s.io/cli-runtime v0.28.0 h1:Tcz1nnccXZDNIzoH6EwjCs+7ezkUGhorzCweEvlVOFg=
 k8s.io/cli-runtime v0.28.0/go.mod h1:U+ySmOKBm/JUCmebhmecXeTwNN1RzI7DW4+OM8Oryas=
 k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
diff --git a/integration/testdata/helm.json.golden b/integration/testdata/helm.json.golden
index 3adc156ddad1..1ac2f8a5b349 100644
--- a/integration/testdata/helm.json.golden
+++ b/integration/testdata/helm.json.golden
@@ -20,8 +20,8 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 146,
- "Failures": 4,
+ "Successes": 151,
+ "Failures": 5,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -149,7 +149,7 @@
 "ID": "KSV030",
 "AVDID": "AVD-KSV-0030",
 "Title": "Runtime/Default Seccomp profile not set",
- "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
+ "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.",
 "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
 "Namespace": "builtin.kubernetes.KSV030",
 "Query": "data.builtin.kubernetes.KSV030.deny",
@@ -268,11 +268,11 @@
 "ID": "KSV104",
 "AVDID": "AVD-KSV-0104",
 "Title": "Seccomp policies disabled",
- "Description": "Seccomp profile must not be explicitly set to 'Unconfined'.",
+ "Description": "A program inside the container can bypass Seccomp protection policies.",
 "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
 "Namespace": "builtin.kubernetes.KSV104",
 "Query": "data.builtin.kubernetes.KSV104.deny",
- "Resolution": "Do not set seccomp profile to 'Unconfined'",
+ "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",
 "Severity": "MEDIUM",
 "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
 "References": [
@@ -314,6 +314,32 @@
 "Lines": null
 }
 }
+ },
+ {
+ "Type": "Helm Security Check",
+ "ID": "KSV117",
+ "AVDID": "AVD-KSV-0117",
+ "Title": "Prevent binding to privileged ports",
+ "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
+ "Message": "deployment testchart in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
+ "Namespace": "builtin.kubernetes.KSV117",
+ "Query": "data.builtin.kubernetes.KSV117.deny",
+ "Resolution": "Do not map the container ports to privileged host ports when starting a container.",
+ "Severity": "HIGH",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117",
+ "References": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://avd.aquasec.com/misconfig/ksv117"
+ ],
+ "Status": "FAIL",
+ "Layer": {},
+ "CauseMetadata": {
+ "Provider": "Kubernetes",
+ "Service": "general",
+ "Code": {
+ "Lines": null
+ }
+ }
 }
 ]
 },
@@ -322,7 +348,7 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 149,
+ "Successes": 155,
 "Failures": 1,
 "Exceptions": 0
 },
@@ -360,7 +386,7 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 149,
+ "Successes": 155,
 "Failures": 1,
 "Exceptions": 0
 },
diff --git a/integration/testdata/helm_testchart.json.golden b/integration/testdata/helm_testchart.json.golden
index 8f3c0ebdc678..21c933af825d 100644
--- a/integration/testdata/helm_testchart.json.golden
+++ b/integration/testdata/helm_testchart.json.golden
@@ -20,8 +20,8 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 146,
- "Failures": 4,
+ "Successes": 151,
+ "Failures": 5,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -149,7 +149,7 @@
 "ID": "KSV030",
 "AVDID": "AVD-KSV-0030",
 "Title": "Runtime/Default Seccomp profile not set",
- "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
+ "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.",
 "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
 "Namespace": "builtin.kubernetes.KSV030",
 "Query": "data.builtin.kubernetes.KSV030.deny",
@@ -268,11 +268,11 @@
 "ID": "KSV104",
 "AVDID": "AVD-KSV-0104",
 "Title": "Seccomp policies disabled",
- "Description": "Seccomp profile must not be explicitly set to 'Unconfined'.",
+ "Description": "A program inside the container can bypass Seccomp protection policies.",
 "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
 "Namespace": "builtin.kubernetes.KSV104",
 "Query": "data.builtin.kubernetes.KSV104.deny",
- "Resolution": "Do not set seccomp profile to 'Unconfined'",
+ "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",
 "Severity": "MEDIUM",
 "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
 "References": [
@@ -314,6 +314,32 @@
 "Lines": null
 }
 }
+ },
+ {
+ "Type": "Helm Security Check",
+ "ID": "KSV117",
+ "AVDID": "AVD-KSV-0117",
+ "Title": "Prevent binding to privileged ports",
+ "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
+ "Message": "deployment testchart in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
+ "Namespace": "builtin.kubernetes.KSV117",
+ "Query": "data.builtin.kubernetes.KSV117.deny",
+ "Resolution": "Do not map the container ports to privileged host ports when starting a container.",
+ "Severity": "HIGH",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117",
+ "References": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://avd.aquasec.com/misconfig/ksv117"
+ ],
+ "Status": "FAIL",
+ "Layer": {},
+ "CauseMetadata": {
+ "Provider": "Kubernetes",
+ "Service": "general",
+ "Code": {
+ "Lines": null
+ }
+ }
 }
 ]
 },
@@ -322,7 +348,7 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 149,
+ "Successes": 155,
 "Failures": 1,
 "Exceptions": 0
 },
@@ -360,7 +386,7 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 149,
+ "Successes": 155,
 "Failures": 1,
 "Exceptions": 0
 },
diff --git a/integration/testdata/helm_testchart.overridden.json.golden b/integration/testdata/helm_testchart.overridden.json.golden
index 0d5e28dc638e..0899ed583382 100644
--- a/integration/testdata/helm_testchart.overridden.json.golden
+++ b/integration/testdata/helm_testchart.overridden.json.golden
@@ -20,8 +20,8 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 144,
- "Failures": 6,
+ "Successes": 149,
+ "Failures": 7,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -268,7 +268,7 @@
 "ID": "KSV030",
 "AVDID": "AVD-KSV-0030",
 "Title": "Runtime/Default Seccomp profile not set",
- "Description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.",
+ "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.",
 "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'",
 "Namespace": "builtin.kubernetes.KSV030",
 "Query": "data.builtin.kubernetes.KSV030.deny",
@@ -387,11 +387,11 @@
 "ID": "KSV104",
 "AVDID": "AVD-KSV-0104",
 "Title": "Seccomp policies disabled",
- "Description": "Seccomp profile must not be explicitly set to 'Unconfined'.",
+ "Description": "A program inside the container can bypass Seccomp protection policies.",
 "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
 "Namespace": "builtin.kubernetes.KSV104",
 "Query": "data.builtin.kubernetes.KSV104.deny",
- "Resolution": "Do not set seccomp profile to 'Unconfined'",
+ "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",
 "Severity": "MEDIUM",
 "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104",
 "References": [
@@ -525,6 +525,32 @@
 "Lines": null
 }
 }
+ },
+ {
+ "Type": "Helm Security Check",
+ "ID": "KSV117",
+ "AVDID": "AVD-KSV-0117",
+ "Title": "Prevent binding to privileged ports",
+ "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.",
+ "Message": "deployment testchart in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024",
+ "Namespace": "builtin.kubernetes.KSV117",
+ "Query": "data.builtin.kubernetes.KSV117.deny",
+ "Resolution": "Do not map the container ports to privileged host ports when starting a container.",
+ "Severity": "HIGH",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117",
+ "References": [
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+ "https://avd.aquasec.com/misconfig/ksv117"
+ ],
+ "Status": "FAIL",
+ "Layer": {},
+ "CauseMetadata": {
+ "Provider": "Kubernetes",
+ "Service": "general",
+ "Code": {
+ "Lines": null
+ }
+ }
 }
 ]
 },
@@ -533,7 +559,7 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 149,
+ "Successes": 155,
 "Failures": 1,
 "Exceptions": 0
 },
@@ -571,7 +597,7 @@
 "Class": "config",
 "Type": "helm",
 "MisconfSummary": {
- "Successes": 149,
+ "Successes": 155,
 "Failures": 1,
 "Exceptions": 0
 },
diff --git a/pkg/cloud/aws/commands/run_test.go b/pkg/cloud/aws/commands/run_test.go
index dab865b6cb01..eb7780ba28bb 100644
--- a/pkg/cloud/aws/commands/run_test.go
+++ b/pkg/cloud/aws/commands/run_test.go
@@ -38,7 +38,7 @@ const expectedS3ScanResult = `{
 "Type": "cloud",
 "MisconfSummary": {
 "Successes": 1,
- "Failures": 9,
+ "Failures": 8,
 "Exceptions": 0
 },
 "Misconfigurations": [
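Review bot: The `expectedS3ScanResult` expectation lowers `"Failures"` from 9 to 8 and, in the following hunks, drops the whole AVD-AWS-0089 (S3 bucket access logging) finding for `arn:aws:s3:::examplebucket`, with nothing in the test recording why a previously reported misconfiguration is now expected to be absent; the same edit is repeated for `expectedCustomScanResult` and `expectedS3AndCloudTrailResult`. Presumably the defsec bump to v0.92.0 in this commit stops reporting that rule for the mocked bucket, but a later reader cannot distinguish that from a regression in the scanner, so the reason should be checked against the defsec release and written down. I would add a comment above the constant, e.g. `// AVD-AWS-0089 (bucket access logging) is no longer reported for examplebucket as of defsec v0.92.0; see that release before treating its absence as a scanner bug.` The `const expectedS3ScanResult` declaration begins before this hunk.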
@@ -114,30 +114,6 @@ const expectedS3ScanResult = `{
 }
 }
 },
- {
- "Type": "AWS",
- "ID": "AVD-AWS-0089",
- "AVDID": "AVD-AWS-0089",
- "Title": "S3 Bucket does not have logging enabled.",
- "Description": "Buckets should have logging enabled so that access can be audited.",
- "Message": "Bucket does not have logging enabled",
- "Resolution": "Add a logging block to the resource to enable access logging",
- "Severity": "MEDIUM",
- "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
- "References": [
- "https://avd.aquasec.com/misconfig/avd-aws-0089"
- ],
- "Status": "FAIL",
- "Layer": {},
- "CauseMetadata": {
- "Resource": "arn:aws:s3:::examplebucket",
- "Provider": "aws",
- "Service": "s3",
- "Code": {
- "Lines": null
- }
- }
- },
 {
 "Type": "AWS",
 "ID": "AVD-AWS-0090",
@@ -342,7 +318,7 @@ const expectedCustomScanResult = `{
 "Type": "cloud",
 "MisconfSummary": {
 "Successes": 1,
- "Failures": 9,
+ "Failures": 8,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -418,30 +394,6 @@ const expectedCustomScanResult = `{
 }
 }
 },
- {
- "Type": "AWS",
- "ID": "AVD-AWS-0089",
- "AVDID": "AVD-AWS-0089",
- "Title": "S3 Bucket does not have logging enabled.",
- "Description": "Buckets should have logging enabled so that access can be audited.",
- "Message": "Bucket does not have logging enabled",
- "Resolution": "Add a logging block to the resource to enable access logging",
- "Severity": "MEDIUM",
- "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
- "References": [
- "https://avd.aquasec.com/misconfig/avd-aws-0089"
- ],
- "Status": "FAIL",
- "Layer": {},
- "CauseMetadata": {
- "Resource": "arn:aws:s3:::examplebucket",
- "Provider": "aws",
- "Service": "s3",
- "Code": {
- "Lines": null
- }
- }
- },
 {
 "Type": "AWS",
 "ID": "AVD-AWS-0090",
@@ -720,7 +672,7 @@ const expectedS3AndCloudTrailResult = `{
 "Type": "cloud",
 "MisconfSummary": {
 "Successes": 1,
- "Failures": 9,
+ "Failures": 8,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -796,30 +748,6 @@ const expectedS3AndCloudTrailResult = `{
 }
 }
 },
- {
- "Type": "AWS",
- "ID": "AVD-AWS-0089",
- "AVDID": "AVD-AWS-0089",
- "Title": "S3 Bucket does not have logging enabled.",
- "Description": "Buckets should have logging enabled so that access can be audited.",
- "Message": "Bucket does not have logging enabled",
- "Resolution": "Add a logging block to the resource to enable access logging",
- "Severity": "MEDIUM",
- "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
- "References": [
- "https://avd.aquasec.com/misconfig/avd-aws-0089"
- ],
- "Status": "FAIL",
- "Layer": {},
- "CauseMetadata": {
- "Resource": "arn:aws:s3:::examplebucket",
- "Provider": "aws",
- "Service": "s3",
- "Code": {
- "Lines": null
- }
- }
- },
 {
 "Type": "AWS",
 "ID": "AVD-AWS-0090",