[updatecli] Update hermit and pre-commit dependencies (#2177)

Made with ❤️️ by updatecli --------- Co-authored-by: apmmachine <apmmachine@users.noreply.github.com> Co-authored-by: Orestis Floros <orestis.floros@elastic.co>
elastic · May 6, 2024 · a42049d · a42049d
1 parent 4e70bcf
commit a42049d
Show file tree

Hide file tree

Showing 23 changed files with 58 additions and 29 deletions.
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -4,25 +4,27 @@ run:
 
 linters:
   enable:
+    - canonicalheader
     - containedctx
     - contextcheck
     - exhaustruct
     - exportloopref
+    - fatcontext
     - gci
     - gocritic
     - gocyclo
     - gofmt
     - gomodguard
     - misspell
     - nolintlint
+    - prealloc
     - reassign
     - revive
     - testifylint
     - unconvert
     - unparam
     - unused
     - whitespace
-    - prealloc
 
 issues:
   exclude-rules:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@ exclude: (bin/(activate-)?hermit)|(scripts/make/gimme/.*)
 repos:
   ## General
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-merge-conflict
       - id: check-added-large-files
@@ -53,7 +53,7 @@ repos:
         exclude: security-policies.*
 
   - repo: https://github.com/psf/black
-    rev: 24.3.0
+    rev: 24.4.2
     hooks:
       - id: black
 
@@ -70,7 +70,7 @@ repos:
         files: deploy/cloudformation/.*yml
 
   - repo: https://github.com/awslabs/cfn-python-lint
-    rev: v0.86.2
+    rev: 1.2.5.a8
     hooks:
       - id: cfn-python-lint
         files: deploy/cloudformation/.*.yml
@@ -163,7 +163,7 @@ repos:
         files: (\.rego)$
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.40.0
     hooks:
       - id: markdownlint
         args: [ '--disable',
@@ -176,7 +176,7 @@ repos:
         files: security-policies/.*\.(md|markdown)$
 
   - repo: https://github.com/StyraInc/regal
-    rev: v0.15.0
+    rev: v0.21.3
     hooks:
       - id: regal-lint
         args: [security-policies/bundle]

diff --git a/bin/.gcloud-471.0.0.pkg → bin/.gcloud-474.0.0.pkg b/bin/.gcloud-471.0.0.pkg → bin/.gcloud-474.0.0.pkg
diff --git a/bin/.gh-2.47.0.pkg → bin/.gh-2.49.0.pkg b/bin/.gh-2.47.0.pkg → bin/.gh-2.49.0.pkg
diff --git a/bin/.golangci-lint-1.57.2.pkg → bin/.golangci-lint-1.58.0.pkg b/bin/.golangci-lint-1.57.2.pkg → bin/.golangci-lint-1.58.0.pkg
diff --git a/bin/.opa-0.63.0.pkg → bin/.opa-0.64.1.pkg b/bin/.opa-0.63.0.pkg → bin/.opa-0.64.1.pkg
diff --git a/bin/.regal-0.15.0.pkg → bin/.regal-0.21.3.pkg b/bin/.regal-0.15.0.pkg → bin/.regal-0.21.3.pkg
diff --git a/bin/bq b/bin/bq
@@ -1 +1 @@
-.gcloud-471.0.0.pkg
+.gcloud-474.0.0.pkg
diff --git a/bin/docker-credential-gcloud b/bin/docker-credential-gcloud
@@ -1 +1 @@
-.gcloud-471.0.0.pkg
+.gcloud-474.0.0.pkg
diff --git a/bin/gcloud b/bin/gcloud
@@ -1 +1 @@
-.gcloud-471.0.0.pkg
+.gcloud-474.0.0.pkg
diff --git a/bin/gh b/bin/gh
@@ -1 +1 @@
-.gh-2.47.0.pkg
+.gh-2.49.0.pkg
diff --git a/bin/git-credential-gcloud.sh b/bin/git-credential-gcloud.sh
@@ -1 +1 @@
-.gcloud-471.0.0.pkg
+.gcloud-474.0.0.pkg
diff --git a/bin/golangci-lint b/bin/golangci-lint
@@ -1 +1 @@
-.golangci-lint-1.57.2.pkg
+.golangci-lint-1.58.0.pkg
diff --git a/bin/gsutil b/bin/gsutil
@@ -1 +1 @@
-.gcloud-471.0.0.pkg
+.gcloud-474.0.0.pkg
diff --git a/bin/opa b/bin/opa
@@ -1 +1 @@
-.opa-0.63.0.pkg
+.opa-0.64.1.pkg
diff --git a/bin/regal b/bin/regal
@@ -1 +1 @@
-.regal-0.15.0.pkg
+.regal-0.21.3.pkg
diff --git a/security-policies/.regal/config.yaml b/security-policies/.regal/config.yaml
@@ -7,11 +7,25 @@ rules:
   imports:
     prefer-package-imports:
       level: ignore
+    use-rego-v1:
+      level: ignore
+    unresolved-import:
+      level: error
+      # list of paths that should be ignored
+      # these may be paths to data, or rules that may
+      # not be present at the time of linting
+      except-imports:
+        - data.benchmark_data_adapter
+  performance:
+    with-outside-test-context:
+      level: ignore
   style:
     avoid-get-and-list-prefix:
       level: ignore
     default-over-else:
       level: ignore
+    rule-name-repeats-package:
+      level: ignore
     external-reference:
       level: ignore
     line-length:

diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego
@@ -2,22 +2,21 @@ package compliance.cis_gcp.rules.cis_1_8
 
 import data.compliance.lib.common
 import data.compliance.policy.gcp.data_adapter
-import future.keywords.contains
-import future.keywords.if
+import rego.v1
 
 # a user should not have both admin and user role
 # this creates a set of such members, and
 # if the set is empty, the policy is valid
 members_with_both_roles contains m if {
 	# get all members with admin role
-	admin = data_adapter.iam_policy.bindings[_]
+	some admin in data_adapter.iam_policy.bindings
 	admin.role == "roles/iam.serviceAccountAdmin"
-	m = admin.members[_]
+	some m in admin.members
 
 	# get all members with user role
-	user = data_adapter.iam_policy.bindings[_]
+	some user in data_adapter.iam_policy.bindings
 	user.role == "roles/iam.serviceAccountUser"
-	m = user.members[_]
+	m in user.members
 }
 
 finding = result if {

diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/test.rego
@@ -45,6 +45,24 @@ test_pass if {
 			},
 		]},
 	)
+	eval_pass with input as test_data.generate_gcp_asset(
+		type,
+		subtype,
+		{},
+		{"bindings": [{
+			"role": "roles/iam.serviceAccountAdmin",
+			"members": ["user:a", "user:b"],
+		}]},
+	)
+	eval_pass with input as test_data.generate_gcp_asset(
+		type,
+		subtype,
+		{},
+		{"bindings": [{
+			"role": "roles/iam.serviceAccountUser",
+			"members": ["user:c", "user:d"],
+		}]},
+	)
 }
 
 test_not_evaluated if {

diff --git a/security-policies/bundle/compliance/policy/aws_iam/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_iam/data_adapter.rego
@@ -58,7 +58,7 @@ used_active_access_keys contains access_key if {
 }
 
 unused_active_access_keys contains access_key if {
-	access_key = iam_user.access_keys[_]
+	access_key := iam_user.access_keys[_]
 	access_key.active
 	not access_key.has_used
 }

diff --git a/security-policies/bundle/compliance/policy/gcp/data_adapter.rego b/security-policies/bundle/compliance/policy/gcp/data_adapter.rego
@@ -37,10 +37,6 @@ is_iam_service_account if {
 	input.subType == "gcp-iam-service-account"
 }
 
-is_api_key if {
-	input.subType == "gcp-apikeys-key"
-}
-
 is_iam_service_account_key if {
 	input.subType == "gcp-iam-service-account-key"
 }

diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_admin_without_multiple_roles.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_admin_without_multiple_roles.rego
@@ -2,6 +2,7 @@ package compliance.policy.gcp.iam.ensure_admin_without_multiple_roles
 
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
+import future.keywords.in
 
 admin_has_multiple_roles(admin_role, other_role) if {
 	admin := data_adapter.iam_policy.bindings[_]
@@ -11,5 +12,5 @@ admin_has_multiple_roles(admin_role, other_role) if {
 	other.role == other_role
 
 	m := admin.members[_]
-	m = other.members[_]
+	m in other.members
 }
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_user_not_editor_or_owner.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_user_not_editor_or_owner.rego
@@ -7,8 +7,7 @@ default is_user_owner_or_editor = false
 
 is_user_owner_or_editor if {
 	# at least one member that starts with "user:"
-	some member
-	member = data_adapter.iam_policy.bindings[i].members[_]
+	member := data_adapter.iam_policy.bindings[i].members[_]
 	startswith(member, "user:")
 
 	# Ensure the role is not a service account managed by Google (iam.gserviceaccount.com suffix).