use policyfs

Signed-off-by: Simar <simar@linux.com>
aquasecurity · Jul 5, 2023 · 20a8964 · 20a8964
1 parent ed04503
commit 20a8964
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 30 deletions.
diff --git a/pkg/cloud/aws/commands/run_test.go b/pkg/cloud/aws/commands/run_test.go
@@ -9,9 +9,9 @@ import (
 	"time"
 
 	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/compliance/spec"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/compliance/spec"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -287,6 +287,7 @@ const expectedS3ScanResult = `{
   ]
 }
 `
+
 const expectedCustomScanResult = `{
   "ArtifactName": "12345678",
   "ArtifactType": "aws_account",
@@ -303,13 +304,45 @@ const expectedCustomScanResult = `{
     }
   },
   "Results": [
+    {
+      "Target": "",
+      "Class": "config",
+      "Type": "cloud",
+      "MisconfSummary": {
+        "Successes": 1,
+        "Failures": 0,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "AWS",
+          "Title": "No example buckets",
+          "Description": "Buckets should not be named with \"example\" in the name",
+          "Namespace": "user.whatever",
+          "Query": "deny",
+          "Severity": "LOW",
+          "References": [
+            ""
+          ],
+          "Status": "PASS",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "cloud",
+            "Service": "s3",
+            "Code": {
+              "Lines": null
+            }
+          }
+        }
+      ]
+    },
     {
       "Target": "arn:aws:s3:::examplebucket",
       "Class": "config",
       "Type": "cloud",
       "MisconfSummary": {
         "Successes": 1,
-        "Failures": 10,
+        "Failures": 9,
         "Exceptions": 0
       },
       "Misconfigurations": [
@@ -551,34 +584,13 @@ const expectedCustomScanResult = `{
               "Lines": null
             }
           }
-        },
-        {
-          "Type": "AWS",
-          "Title": "No example buckets",
-          "Description": "Buckets should not be named with \"example\" in the name",
-          "Message": "example bucket detected",
-          "Namespace": "user.whatever",
-          "Query": "deny",
-          "Severity": "LOW",
-          "References": [
-            ""
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Resource": "arn:aws:s3:::examplebucket",
-            "Provider": "cloud",
-            "Service": "s3",
-            "Code": {
-              "Lines": null
-            }
-          }
         }
       ]
     }
   ]
 }
 `
+
 const expectedS3AndCloudTrailResult = `{
   "ArtifactName": "123456789",
   "ArtifactType": "aws_account",
@@ -969,6 +981,7 @@ func Test_Run(t *testing.T) {
 		cacheContent string
 		regoPolicy   string
 		allServices  []string
+		inputData    string
 	}{
 		{
 			name: "fail without region",
@@ -1040,7 +1053,7 @@ func Test_Run(t *testing.T) {
 						filepath.Join(regoDir, "policies"),
 					},
 					DataPaths: []string{
-						filepath.Join(regoDir, "policies"),
+						filepath.Join(regoDir, "data"),
 					},
 					PolicyNamespaces: []string{
 						"user",
@@ -1062,12 +1075,22 @@ func Test_Run(t *testing.T) {
 #     selector:
 #     - type: cloud
 package user.whatever
+import data.settings.DS123.ignore_deletion_protection
 
 deny[res] {
 	bucket := input.aws.s3.buckets[_]
+	ignore_deletion_protection == true
 	contains(bucket.name.value, "example")
 	res := result.new("example bucket detected", bucket.name)
 }
+`,
+			inputData: `{
+    "settings": {
+		"DS123": {
+			"ignore_deletion_protection": false
+		}
+    }
+}
 `,
 			cacheContent: "testdata/s3onlycache.json",
 			allServices:  []string{"s3"},
@@ -1244,6 +1267,11 @@ Summary Report for compliance: my-custom-spec
 				require.NoError(t, os.WriteFile(filepath.Join(regoDir, "policies", "user.rego"), []byte(test.regoPolicy), 0644))
 			}
 
+			if test.inputData != "" {
+				require.NoError(t, os.MkdirAll(filepath.Join(regoDir, "data"), 0755))
+				require.NoError(t, os.WriteFile(filepath.Join(regoDir, "data", "data.json"), []byte(test.inputData), 0644))
+			}
+
 			if test.cacheContent != "" {
 				cacheRoot := t.TempDir()
 				test.options.CacheDir = cacheRoot
@@ -1253,7 +1281,7 @@ Summary Report for compliance: my-custom-spec
 				cacheData, err := os.ReadFile(test.cacheContent)
 				require.NoError(t, err, test.name)
 
-				require.NoError(t, os.WriteFile(cacheFile, []byte(cacheData), 0600))
+				require.NoError(t, os.WriteFile(cacheFile, cacheData, 0600))
 			}
 
 			err := Run(context.Background(), test.options)

diff --git a/pkg/cloud/aws/scanner/scanner.go b/pkg/cloud/aws/scanner/scanner.go
@@ -3,6 +3,7 @@ package scanner
 import (
 	"context"
 	"fmt"
+	"io/fs"
 	"strings"
 
 	"github.com/aquasecurity/defsec/pkg/framework"
@@ -76,8 +77,12 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
 		scannerOpts = append(scannerOpts,
 			options.ScannerWithEmbeddedPolicies(false))
 	}
-	policyPaths = append(policyPaths, option.RegoOptions.PolicyPaths...)
+
+	var policyFS fs.FS
+	policyFS, policyPaths, err = misconf.CreatePolicyFS(append(policyPaths, option.RegoOptions.PolicyPaths...))
+	scannerOpts = append(scannerOpts, options.ScannerWithPolicyFilesystem(policyFS))
 	scannerOpts = append(scannerOpts, options.ScannerWithPolicyDirs(policyPaths...))
+
 	dataFS, dataPaths, err := misconf.CreateDataFS(option.RegoOptions.DataPaths)
 	if err != nil {
 		log.Logger.Errorf("Could not load config data: %s", err)

diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
@@ -200,7 +200,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
 		options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
 	}
 
-	policyFS, policyPaths, err := createPolicyFS(opt.PolicyPaths)
+	policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
 	if err != nil {
 		return nil, err
 	}
@@ -284,7 +284,7 @@ func addHelmOpts(opts []options.ScannerOption, scannerOption ScannerOption) []op
 	return opts
 }
 
-func createPolicyFS(policyPaths []string) (fs.FS, []string, error) {
+func CreatePolicyFS(policyPaths []string) (fs.FS, []string, error) {
 	if len(policyPaths) == 0 {
 		return nil, nil, nil
 	}

diff --git a/pkg/misconf/scanner_test.go b/pkg/misconf/scanner_test.go
@@ -157,7 +157,7 @@ func Test_createPolicyFS(t *testing.T) {
 	t.Run("outside pwd", func(t *testing.T) {
 		tmpDir := t.TempDir()
 		require.NoError(t, os.MkdirAll(filepath.Join(tmpDir, "subdir/testdir"), 0750))
-		f, got, err := createPolicyFS([]string{filepath.Join(tmpDir, "subdir/testdir")})
+		f, got, err := CreatePolicyFS([]string{filepath.Join(tmpDir, "subdir/testdir")})
 		assertFS(t, tmpDir, f, got, err)
 	})
 }