feat(misconf): Add support to show policy bundle version (#3743)

Fixes: #3696 Signed-off-by: Simar <simar@linux.com>
aquasecurity · Mar 2, 2023 · 497c955 · 497c955
1 parent 5d54310
commit 497c955
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 12 deletions.
diff --git a/pkg/commands/app.go b/pkg/commands/app.go
@@ -9,12 +9,11 @@ import (
 	"strings"
 	"time"
 
-	awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
-
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"golang.org/x/xerrors"
 
+	awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
 	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
@@ -25,13 +24,15 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/module"
 	"github.com/aquasecurity/trivy/pkg/plugin"
+	"github.com/aquasecurity/trivy/pkg/policy"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 // VersionInfo holds the trivy DB version Info
 type VersionInfo struct {
 	Version         string             `json:",omitempty"`
 	VulnerabilityDB *metadata.Metadata `json:",omitempty"`
+	PolicyBundle    *policy.Metadata   `json:",omitempty"`
 }
 
 const (
@@ -1084,11 +1085,18 @@ func showVersion(cacheDir, outputFormat, version string, outputWriter io.Writer)
 		}
 	}
 
+	var pbMeta *policy.Metadata
+	pc, err := policy.NewClient(cacheDir, false)
+	if pc != nil && err == nil {
+		pbMeta, _ = pc.GetMetadata()
+	}
+
 	switch outputFormat {
 	case "json":
 		b, _ := json.Marshal(VersionInfo{
 			Version:         version,
 			VulnerabilityDB: dbMeta,
+			PolicyBundle:    pbMeta,
 		})
 		fmt.Fprintln(outputWriter, string(b))
 	default:
@@ -1101,6 +1109,13 @@ func showVersion(cacheDir, outputFormat, version string, outputWriter io.Writer)
   DownloadedAt: %s
 `, dbMeta.Version, dbMeta.UpdatedAt.UTC(), dbMeta.NextUpdate.UTC(), dbMeta.DownloadedAt.UTC())
 		}
+
+		if pbMeta != nil {
+			output += fmt.Sprintf(`Policy Bundle:
+  Digest: %s
+  DownloadedAt: %s
+`, pbMeta.Digest, pbMeta.DownloadedAt.UTC())
+		}
 		fmt.Fprintf(outputWriter, output)
 	}
 }

diff --git a/pkg/commands/app_test.go b/pkg/commands/app_test.go
@@ -32,6 +32,9 @@ Vulnerability DB:
   UpdatedAt: 2022-03-02 06:07:07.99504083 +0000 UTC
   NextUpdate: 2022-03-02 12:07:07.99504023 +0000 UTC
   DownloadedAt: 2022-03-02 10:03:38.383312 +0000 UTC
+Policy Bundle:
+  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
+  DownloadedAt: 2023-03-02 01:06:08.191725 +0000 UTC
 `,
 		},
 		{
@@ -62,8 +65,11 @@ Vulnerability DB:
   UpdatedAt: 2022-03-02 06:07:07.99504083 +0000 UTC
   NextUpdate: 2022-03-02 12:07:07.99504023 +0000 UTC
   DownloadedAt: 2022-03-02 10:03:38.383312 +0000 UTC
+Policy Bundle:
+  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
+  DownloadedAt: 2023-03-02 01:06:08.191725 +0000 UTC
 `
-	jsonOutput := `{"Version":"test","VulnerabilityDB":{"Version":2,"NextUpdate":"2022-03-02T12:07:07.99504023Z","UpdatedAt":"2022-03-02T06:07:07.99504083Z","DownloadedAt":"2022-03-02T10:03:38.383312Z"}}
+	jsonOutput := `{"Version":"test","VulnerabilityDB":{"Version":2,"NextUpdate":"2022-03-02T12:07:07.99504023Z","UpdatedAt":"2022-03-02T06:07:07.99504083Z","DownloadedAt":"2022-03-02T10:03:38.383312Z"},"PolicyBundle":{"Digest":"sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd","DownloadedAt":"2023-03-01T17:06:08.191725-08:00"}}
 `
 
 	tests := []struct {

diff --git a/pkg/commands/testdata/policy/metadata.json b/pkg/commands/testdata/policy/metadata.json
@@ -0,0 +1 @@
+{"Digest":"sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd","DownloadedAt":"2023-03-01T17:06:08.191725-08:00"}
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
@@ -143,16 +143,8 @@ func (c *Client) LoadBuiltinPolicies() ([]string, error) {
 
 // NeedsUpdate returns if the default policy should be updated
 func (c *Client) NeedsUpdate() (bool, error) {
-	f, err := os.Open(c.metadataPath())
+	meta, err := c.GetMetadata()
 	if err != nil {
-		log.Logger.Debugf("Failed to open the policy metadata: %s", err)
-		return true, nil
-	}
-	defer f.Close()
-
-	var meta Metadata
-	if err = json.NewDecoder(f).Decode(&meta); err != nil {
-		log.Logger.Warnf("Policy metadata decode error: %s", err)
 		return true, nil
 	}
 
@@ -214,3 +206,20 @@ func (c *Client) updateMetadata(digest string, now time.Time) error {
 
 	return nil
 }
+
+func (c *Client) GetMetadata() (*Metadata, error) {
+	f, err := os.Open(c.metadataPath())
+	if err != nil {
+		log.Logger.Debugf("Failed to open the policy metadata: %s", err)
+		return nil, err
+	}
+	defer f.Close()
+
+	var meta Metadata
+	if err = json.NewDecoder(f).Decode(&meta); err != nil {
+		log.Logger.Warnf("Policy metadata decode error: %s", err)
+		return nil, err
+	}
+
+	return &meta, nil
+}