fix: compliance change id and title naming (#3349)

Signed-off-by: chenk <hen.keinan@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
aquasecurity · Dec 29, 2022 · 4d59a1e · 4d59a1e
1 parent eaa5bcf
commit 4d59a1e
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 37 deletions.
diff --git a/docs/docs/cloud/aws/compliance.md b/docs/docs/cloud/aws/compliance.md
@@ -269,7 +269,7 @@ The Trivy AWS CLI allows you to scan your AWS account resources and generate the
 Scan for misconfigurations in an AWS account based on AWS CIS 1.2 benchmark:
 
 ```shell
-$ trivy aws --compliance=awscis1.2
+$ trivy aws --compliance=aws-cis-1.2
 
 arn:aws:iam::123456789:user/DummyRoleManager (cloud)
 
@@ -289,11 +289,11 @@ See https://avd.aquasec.com/misconfig/avd-aws-0143
 
 You can also summarize the report to get a full compliance report with all the included checks.
 ```shell
-$ trivy aws --compliance=awscis1.2 --report=summary
+$ trivy aws --compliance=aws-cis-1.2 --report=summary
 ```
 
 ```shell
-Summary Report for compliance: awscis1.2
+Summary Report for compliance: AWS CIS Foundations v1.2
 ┌──────┬──────────┬────────────────────────────────────────────┬────────┬────────┐
 │  ID  │ Severity │                Control Name                │ Status │ Issues │
 ├──────┼──────────┼────────────────────────────────────────────┼────────┼────────┤
@@ -336,26 +336,27 @@ Summary Report for compliance: awscis1.2
 
 Furthermore, you can also get the report in a JSON format.
 ```shell
-$ trivy aws --compliance=awscis1.2 --report=summary --format=json
+$ trivy aws --compliance=aws-cis-1.2 --report=summary --format=json
 ```
 
 ```json
 {
-	"ID": "0001",
-	"Title": "awscis1.2",
-	"SummaryControls": [{
-			"ID": "1.1",
-			"Name": "limit-root-account-usage",
-			"Severity": "LOW",
-			"TotalFail": 5
-		},
-		{
-			"ID": "1.10",
-			"Name": "no-password-reuse",
-			"Severity": "MEDIUM",
-			"TotalFail": 1
-		}
-	]
+  "ID": "aws-cis-1.2",
+  "Title": "AWS CIS Foundations",
+  "SummaryControls": [
+    {
+      "ID": "1.1",
+      "Name": "limit-root-account-usage",
+      "Severity": "LOW",
+      "TotalFail": 5
+    },
+    {
+      "ID": "1.10",
+      "Name": "no-password-reuse",
+      "Severity": "MEDIUM",
+      "TotalFail": 1
+    }
+  ]
 }
 ```
 
@@ -375,8 +376,8 @@ The compliance spec file format should be as follows:
 ```yaml
 ---
 spec:
-  id: "0001"
-  title: awscis1.2
+  id: aws-cis-1.2
+  title: AWS CIS Foundations
   description: AWS CIS Foundations
   version: "1.2"
   relatedResources:

diff --git a/docs/docs/kubernetes/cli/compliance.md b/docs/docs/kubernetes/cli/compliance.md
@@ -6,27 +6,27 @@
 </details>
 ## CLI Commands
 Scan a full cluster and generate a complliance NSA / CIS Kubernetes Benchmark summary report:
-
+Supported spec IDs: `k8s-nsa` , `k8s-cis`
 ```
-trivy k8s cluster --compliance=nsa --report summary
+trivy k8s cluster --compliance=k8s-nsa --report summary
 ```
 
 ***Note*** : The `Issues` column represent the total number of failed checks for this control.
 
 An additional report is supported to get all of the detail the output contains, use `--report all`
 
 ```
-trivy k8s cluster --compliance=cis --report all
+trivy k8s cluster --compliance=k8s-cis --report all
 ```
 
 Report also supported in json format examples :
 
 ```
-trivy k8s cluster --compliance=nsa --report summary --format json
+trivy k8s cluster --compliance=k8s-nsa --report summary --format json
 ```
 
 ```
-trivy k8s cluster --compliance=cis --report all --format json
+trivy k8s cluster --compliance=k8s-cis --report all --format json
 ```
 
 ## Custom compliance report

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460
+	github.com/aquasecurity/defsec v0.82.7-0.20221229120130-2bc18528da1c
 	github.com/aquasecurity/go-dep-parser v0.0.0-20221227140654-09a64a5d9b51
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

diff --git a/go.sum b/go.sum
@@ -193,8 +193,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460 h1:XHYo9HDWlrn3l+GH1ZTVUQAeP//r/iyEVUoP4Rmhuuw=
-github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
+github.com/aquasecurity/defsec v0.82.7-0.20221229120130-2bc18528da1c h1:Z7Uj3+zo6NJa9SFtMgGItZSqDMT3F7fPfCfXTdS3hKI=
+github.com/aquasecurity/defsec v0.82.7-0.20221229120130-2bc18528da1c/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
 github.com/aquasecurity/go-dep-parser v0.0.0-20221227140654-09a64a5d9b51 h1:1mbTWnP/NzDrbyYaDzS2xIxuoAuhY3N62qZCTuSqfSo=
 github.com/aquasecurity/go-dep-parser v0.0.0-20221227140654-09a64a5d9b51/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

diff --git a/pkg/commands/app.go b/pkg/commands/app.go
@@ -755,7 +755,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 
 	reportFlagGroup := flag.NewReportFlagGroup()
 	compliance := flag.ComplianceFlag
-	compliance.Usage += fmt.Sprintf(" (%s,%s)", types.ComplianceNsa, types.ComplianceCIS)
+	compliance.Usage += fmt.Sprintf(" (%s,%s)", types.ComplianceK8sNsa, types.ComplianceK8sCIS)
 	reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
 
 	k8sFlags := &flag.Flags{

diff --git a/pkg/flag/report_flags_test.go b/pkg/flag/report_flags_test.go
@@ -174,12 +174,12 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 		{
 			name: "happy path with compliance",
 			fields: fields{
-				compliane:  "nsa",
+				compliane:  "k8s-nsa",
 				severities: "low",
 			},
 			want: flag.ReportOptions{
 				Output:     os.Stdout,
-				Compliance: "nsa",
+				Compliance: "k8s-nsa",
 				Severities: []dbTypes.Severity{dbTypes.SeverityLow},
 			},
 		},

diff --git a/pkg/types/report.go b/pkg/types/report.go
@@ -8,7 +8,7 @@ import (
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
-var Compliances = []string{ComplianceNsa, ComplianceCIS, ComplianceAWSCIS12, ComplianceAWSCIS14}
+var Compliances = []string{ComplianceK8sNsa, ComplianceK8sCIS, ComplianceAWSCIS12, ComplianceAWSCIS14}
 
 // Report represents a scan result
 type Report struct {
@@ -51,10 +51,10 @@ const (
 	ClassCustom      = "custom"
 
 	// ComplianceNsa is the compliance checks for nsa
-	ComplianceNsa      = Compliance("nsa")
-	ComplianceCIS      = Compliance("cis")
-	ComplianceAWSCIS12 = Compliance("awscis1.2")
-	ComplianceAWSCIS14 = Compliance("awscis1.4")
+	ComplianceK8sNsa   = Compliance("k8s-nsa")
+	ComplianceK8sCIS   = Compliance("k8s-cis")
+	ComplianceAWSCIS12 = Compliance("aws-cis-1.2")
+	ComplianceAWSCIS14 = Compliance("aws-cis-1.4")
 )
 
 // Result holds a target and detected vulnerabilities