/
package.gen.rego
executable file
·154 lines (144 loc) · 5.06 KB
/
package.gen.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# - This code was generated by Shisho Cloud's internal system (protoc-gen-regolib).
# - When you find something to improve, you can create an GitHub issue, instead of creating pull requests.
package shisho.decision.dependency
import data.shisho
# @title Update packages with known vulnerabilities
# You can emit this decision as follows:
#
# ```
# import data.shisho
#
# decisions[d] {
# # the target of the decision (e.g. a GitHub repository, etc.)
# subject := "test"
#
# # whether the target is allowed by this policy or not
# allowed := true
#
# # See the following for further information:
# # ja: https:/shisho.dev/docs/g/api/graphql-schema
# # en: https:/shisho.dev/docs/ja/g/api/graphql-schema
# policyReportId := "..."
#
# # evidence for the decision
# entries := [
# shisho.decision.dependency.package_known_vulnerability_entry_v2(policyReportId, {
# "advisories": advisories,
# "description": description,
# "found_at": found_at,
# "name": name,
# "version": version,
# "vuln_constraint": vuln_constraint,
# "vuln_id": vuln_id,
# "vuln_namespace": vuln_namespace,
# }),
# ]
#
# d := shisho.decision.dependency.package_known_vulnerability({
# "allowed": allowed
# "subject": subject,
# "entries": entries,
# })
# }
# ```
# METADATA
# title: "decision.api.shisho.dev/v1beta:package_known_vulnerability"
# scope: "rule"
# description: |
# Emits a decision whose type is decision.api.shisho.dev/v1beta:package_known_vulnerability".
package_known_vulnerability(d) = x {
x := {
"header": package_known_vulnerability_header({
"allowed": d.allowed,
"subject": d.subject,
}),
"entries": d.entries,
}
}
package_known_vulnerability_kind = "package_known_vulnerability"
package_known_vulnerability_header(h) = x {
x := {
"api_version": "decision.api.shisho.dev/v1beta",
"kind": package_known_vulnerability_kind,
"subject": h.subject,
"labels": {},
"annotations": {
"decision.api.shisho.dev:ssc/category": "dependency",
"decision.api.shisho.dev:ssc/cis-benchmark/v1.0": "3.2.2",
},
"type": shisho.decision.as_decision_type(h.allowed),
}
}
# METADATA
# title: "Entry of decision.api.shisho.dev/v1beta:package_known_vulnerability"
# scope: "rule"
# description: "Emits a decision entry describing the detail of a decision decision.api.shisho.dev/v1beta:package_known_vulnerability"
package_known_vulnerability_entry(report_id, advisories, description, found_at, name, version, vuln_constraint, vuln_id, vuln_namespace) = x {
x := {
"severity": 0,
"resource_id": shisho.decision.as_resource_id(report_id),
"data": json.marshal({"advisories": advisories, "description": description, "found_at": found_at, "name": name, "version": version, "vuln_constraint": vuln_constraint, "vuln_id": vuln_id, "vuln_namespace": vuln_namespace}),
}
}
# METADATA
# title: "Entry of decision.api.shisho.dev/v1beta:package_known_vulnerability"
# scope: "rule"
# description: |
# Emits a decision entry describing the detail of a decision decision.api.shisho.dev/v1beta:package_known_vulnerability
#
# The parameter `data` is an object with the following fields:
# - advisories: string
# - description: string
# - found_at: string
# - name: string
# - version: string
# - vuln_constraint: string
# - vuln_id: string
# - vuln_namespace: string
#
# For instance:
# ```rego
# {
# advisories: "dummy",
# description: "dummy",
# found_at: "dummy",
# name: "dummy",
# version: "dummy",
# vuln_constraint: "dummy",
# vuln_id: "dummy",
# vuln_namespace: "dummy",
# }
# ```
package_known_vulnerability_entry_v2(report_id, edata) = x {
x := {
"severity": 0,
"resource_id": shisho.decision.as_resource_id(report_id),
"data": json.marshal(edata),
}
}
# METADATA
# title: "decision.api.shisho.dev/v1beta:package_known_vulnerability"
# scope: "rule"
# description: |
# Emits a decision entry describing the detail of a decision decision.api.shisho.dev/v1beta:package_known_vulnerability with a specified severity.
# Visit decision/decision.rego to see all the severities.
package_known_vulnerability_entry_with_severity(report_id, severity, advisories, description, found_at, name, version, vuln_constraint, vuln_id, vuln_namespace) = x {
x := {
"severity": severity,
"resource_id": shisho.decision.as_resource_id(report_id),
"data": json.marshal({"advisories": advisories, "description": description, "found_at": found_at, "name": name, "version": version, "vuln_constraint": vuln_constraint, "vuln_id": vuln_id, "vuln_namespace": vuln_namespace}),
}
}
# METADATA
# title: "decision.api.shisho.dev/v1beta:package_known_vulnerability"
# scope: "rule"
# description: |
# Emits a decision entry describing the detail of a decision decision.api.shisho.dev/v1beta:package_known_vulnerability with a specified severity.
# Visit decision/decision.rego to see all the severities.
package_known_vulnerability_entry_v2_with_severity(report_id, severity, edata) = x {
x := {
"severity": severity,
"resource_id": shisho.decision.as_resource_id(report_id),
"data": json.marshal(edata),
}
}