BREAKING(misconf): Deprecate EXCEPTIONS for misconfiguration scanning

aquasecurity · Oct 22, 2024 · 812c84a · 812c84a
1 parent 9514148
commit 812c84a
Show file tree

Hide file tree

Showing 13 changed files with 44 additions and 93 deletions.
diff --git a/pkg/cache/mock_artifact_cache.go b/pkg/cache/mock_artifact_cache.go
diff --git a/pkg/compliance/spec/mapper.go b/pkg/compliance/spec/mapper.go
@@ -49,8 +49,6 @@ func misconfigSummary(misconfig types.DetectedMisconfiguration) *types.MisconfSu
 		rms.Successes = 1
 	case types.MisconfStatusFailure:
 		rms.Failures = 1
-	case types.MisconfStatusException:
-		rms.Exceptions = 1
 	}
 	return &rms
 }

diff --git a/pkg/compliance/spec/mapper_test.go b/pkg/compliance/spec/mapper_test.go
@@ -61,9 +61,8 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 						Class:  types.ClassConfig,
 						Type:   ftypes.Kubernetes,
 						MisconfSummary: &types.MisconfSummary{
-							Successes:  0,
-							Failures:   1,
-							Exceptions: 0,
+							Successes: 0,
+							Failures:  1,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							{
@@ -79,9 +78,8 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 						Class:  types.ClassConfig,
 						Type:   ftypes.Kubernetes,
 						MisconfSummary: &types.MisconfSummary{
-							Successes:  0,
-							Failures:   1,
-							Exceptions: 0,
+							Successes: 0,
+							Failures:  1,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							{

diff --git a/pkg/fanal/types/misconf.go b/pkg/fanal/types/misconf.go
@@ -8,13 +8,12 @@ import (
 )
 
 type Misconfiguration struct {
-	FileType   ConfigType     `json:",omitempty"`
-	FilePath   string         `json:",omitempty"`
-	Successes  MisconfResults `json:",omitempty"`
-	Warnings   MisconfResults `json:",omitempty"`
-	Failures   MisconfResults `json:",omitempty"`
-	Exceptions MisconfResults `json:",omitempty"`
-	Layer      Layer          `json:",omitempty"`
+	FileType  ConfigType     `json:",omitempty"`
+	FilePath  string         `json:",omitempty"`
+	Successes MisconfResults `json:",omitempty"`
+	Warnings  MisconfResults `json:",omitempty"`
+	Failures  MisconfResults `json:",omitempty"`
+	Layer     Layer          `json:",omitempty"`
 }
 
 type MisconfResult struct {
@@ -117,7 +116,6 @@ func ToMisconfigurations(misconfs map[string]Misconfiguration) []Misconfiguratio
 		sort.Sort(misconf.Successes)
 		sort.Sort(misconf.Warnings)
 		sort.Sort(misconf.Failures)
-		sort.Sort(misconf.Exceptions)
 
 		results = append(results, misconf)
 	}

diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
@@ -488,8 +488,6 @@ func ResultsToMisconf(configType types.ConfigType, scannerName string, results s
 			switch flattened.Status {
 			case scan.StatusPassed:
 				misconf.Successes = append(misconf.Successes, misconfResult)
-			case scan.StatusIgnored:
-				misconf.Exceptions = append(misconf.Exceptions, misconfResult)
 			case scan.StatusFailed:
 				misconf.Failures = append(misconf.Failures, misconfResult)
 			}

diff --git a/pkg/report/table/misconfig.go b/pkg/report/table/misconfig.go
@@ -61,8 +61,8 @@ func (r *misconfigRenderer) Render() string {
 	total, summaries := summarize(r.severities, r.countSeverities())
 
 	summary := r.result.MisconfSummary
-	r.printf("Tests: %d (SUCCESSES: %d, FAILURES: %d, EXCEPTIONS: %d)\n",
-		summary.Successes+summary.Failures+summary.Exceptions, summary.Successes, summary.Failures, summary.Exceptions)
+	r.printf("Tests: %d (SUCCESSES: %d, FAILURES: %d)\n",
+		summary.Successes+summary.Failures, summary.Successes, summary.Failures)
 	r.printf("Failures: %d (%s)\n\n", total, strings.Join(summaries, ", "))
 
 	for _, m := range r.result.Misconfigurations {

diff --git a/pkg/report/table/misconfig_test.go b/pkg/report/table/misconfig_test.go
@@ -24,7 +24,7 @@ func TestMisconfigRenderer(t *testing.T) {
 			name: "single result",
 			input: types.Result{
 				Target:         "my-file",
-				MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1, Exceptions: 0},
+				MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
 						ID:          "AVD-XYZ-0123",
@@ -41,7 +41,7 @@ func TestMisconfigRenderer(t *testing.T) {
 			want: `
 my-file ()
 ==========
-Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 HIGH: Oh no, a bad config.
@@ -58,7 +58,7 @@ See https://google.com/search?q=bad%20config
 			name: "single result with code",
 			input: types.Result{
 				Target:         "my-file",
-				MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1, Exceptions: 0},
+				MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
 						ID:          "AVD-XYZ-0123",
@@ -100,7 +100,7 @@ See https://google.com/search?q=bad%20config
 			want: `
 my-file ()
 ==========
-Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 HIGH: Oh no, a bad config.
@@ -123,7 +123,7 @@ See https://google.com/search?q=bad%20config
 			name: "multiple results",
 			input: types.Result{
 				Target:         "my-file",
-				MisconfSummary: &types.MisconfSummary{Successes: 1, Failures: 1, Exceptions: 0},
+				MisconfSummary: &types.MisconfSummary{Successes: 1, Failures: 1},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
 						ID:          "AVD-XYZ-0123",
@@ -171,7 +171,7 @@ See https://google.com/search?q=bad%20config
 			want: `
 my-file ()
 ==========
-Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 2 (SUCCESSES: 1, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 FAIL: HIGH: Oh no, a bad config.
@@ -205,9 +205,8 @@ See https://google.com/search?q=bad%20config
 				Class:  types.ClassConfig,
 				Type:   "terraform",
 				MisconfSummary: &types.MisconfSummary{
-					Successes:  5,
-					Failures:   1,
-					Exceptions: 0,
+					Successes: 5,
+					Failures:  1,
 				},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
@@ -309,7 +308,7 @@ See https://google.com/search?q=bad%20config
 			want: `
 terraform-aws-modules/security-group/aws/main.tf (terraform)
 ============================================================
-Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 6 (SUCCESSES: 5, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
 
 CRITICAL: Security group rule allows ingress from public internet.

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
@@ -130,13 +130,12 @@ func filterMisconfigurations(result *types.Result, severities []string, includeN
 
 		// Filter by ignore file
 		if f := ignoreConfig.MatchMisconfiguration(misconf.ID, misconf.AVDID, result.Target); f != nil {
-			result.MisconfSummary.Exceptions++
 			result.ModifiedFindings = append(result.ModifiedFindings,
 				types.NewModifiedFinding(misconf, types.FindingStatusIgnored, f.Statement, ignoreConfig.FilePath))
 			continue
 		}
 
-		// Count successes, failures, and exceptions
+		// Count successes and failures
 		summarize(misconf.Status, result.MisconfSummary)
 
 		if misconf.Status != types.MisconfStatusFailure && !includeNonFailures {
@@ -210,8 +209,6 @@ func summarize(status types.MisconfStatus, summary *types.MisconfSummary) {
 		summary.Failures++
 	case types.MisconfStatusPassed:
 		summary.Successes++
-	case types.MisconfStatusException:
-		summary.Exceptions++
 	}
 }
 
@@ -256,7 +253,6 @@ func applyPolicy(ctx context.Context, result *types.Result, policyFile string) e
 			return err
 		}
 		if ignored {
-			result.MisconfSummary.Exceptions++
 			switch misconf.Status {
 			case types.MisconfStatusFailure:
 				result.MisconfSummary.Failures--

diff --git a/pkg/result/filter_test.go b/pkg/result/filter_test.go
@@ -233,9 +233,8 @@ func TestFilter(t *testing.T) {
 							vuln2,
 						},
 						MisconfSummary: &types.MisconfSummary{
-							Successes:  0,
-							Failures:   1,
-							Exceptions: 0,
+							Successes: 0,
+							Failures:  1,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							misconf1,
@@ -403,9 +402,8 @@ func TestFilter(t *testing.T) {
 						Target: "deployment.yaml",
 						Class:  types.ClassConfig,
 						MisconfSummary: &types.MisconfSummary{
-							Successes:  1,
-							Failures:   1,
-							Exceptions: 1,
+							Successes: 1,
+							Failures:  1,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							misconf1,
@@ -522,9 +520,8 @@ func TestFilter(t *testing.T) {
 					{
 						Target: "app/Dockerfile",
 						MisconfSummary: &types.MisconfSummary{
-							Successes:  0,
-							Failures:   1,
-							Exceptions: 2,
+							Successes: 0,
+							Failures:  1,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							misconf3,
@@ -641,9 +638,8 @@ func TestFilter(t *testing.T) {
 				Results: types.Results{
 					{
 						MisconfSummary: &types.MisconfSummary{
-							Successes:  1,
-							Failures:   1,
-							Exceptions: 1,
+							Successes: 1,
+							Failures:  1,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							misconf1,

diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go
@@ -754,13 +754,12 @@ func ConvertFromRPCMisconfigurations(rpcMisconfs []*common.Misconfiguration) []f
 	var misconfs []ftypes.Misconfiguration
 	for _, rpcMisconf := range rpcMisconfs {
 		misconfs = append(misconfs, ftypes.Misconfiguration{
-			FileType:   ftypes.ConfigType(rpcMisconf.FileType),
-			FilePath:   rpcMisconf.FilePath,
-			Successes:  ConvertFromRPCMisconfResults(rpcMisconf.Successes),
-			Warnings:   ConvertFromRPCMisconfResults(rpcMisconf.Warnings),
-			Failures:   ConvertFromRPCMisconfResults(rpcMisconf.Failures),
-			Exceptions: ConvertFromRPCMisconfResults(rpcMisconf.Exceptions),
-			Layer:      ftypes.Layer{},
+			FileType:  ftypes.ConfigType(rpcMisconf.FileType),
+			FilePath:  rpcMisconf.FilePath,
+			Successes: ConvertFromRPCMisconfResults(rpcMisconf.Successes),
+			Warnings:  ConvertFromRPCMisconfResults(rpcMisconf.Warnings),
+			Failures:  ConvertFromRPCMisconfResults(rpcMisconf.Failures),
+			Layer:     ftypes.Layer{},
 		})
 	}
 	return misconfs
@@ -875,12 +874,11 @@ func ConvertToRPCPutBlobRequest(diffID string, blobInfo ftypes.BlobInfo) *cache.
 	var misconfigurations []*common.Misconfiguration
 	for _, m := range blobInfo.Misconfigurations {
 		misconfigurations = append(misconfigurations, &common.Misconfiguration{
-			FileType:   string(m.FileType),
-			FilePath:   m.FilePath,
-			Successes:  ConvertToMisconfResults(m.Successes),
-			Warnings:   ConvertToMisconfResults(m.Warnings),
-			Failures:   ConvertToMisconfResults(m.Failures),
-			Exceptions: ConvertToMisconfResults(m.Exceptions),
+			FileType:  string(m.FileType),
+			FilePath:  m.FilePath,
+			Successes: ConvertToMisconfResults(m.Successes),
+			Warnings:  ConvertToMisconfResults(m.Warnings),
+			Failures:  ConvertToMisconfResults(m.Failures),
 		})
 
 	}

diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
@@ -210,9 +210,6 @@ func (s Scanner) MisconfsToResults(misconfs []ftypes.Misconfiguration) types.Res
 		for _, w := range misconf.Successes {
 			detected = append(detected, toDetectedMisconfiguration(w, dbTypes.SeverityUnknown, types.MisconfStatusPassed, misconf.Layer))
 		}
-		for _, w := range misconf.Exceptions {
-			detected = append(detected, toDetectedMisconfiguration(w, dbTypes.SeverityUnknown, types.MisconfStatusException, misconf.Layer))
-		}
 
 		results = append(results, types.Result{
 			Target:            misconf.FilePath,

diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go
@@ -820,17 +820,6 @@ func TestScanner_Scan(t *testing.T) {
 										},
 									},
 								},
-								Exceptions: ftypes.MisconfResults{
-									{
-										Namespace: "main.kubernetes.id100",
-										PolicyMetadata: ftypes.PolicyMetadata{
-											ID:       "ID100",
-											Type:     "Kubernetes Security Check",
-											Title:    "Bad Deployment",
-											Severity: "HIGH",
-										},
-									},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
 								},
@@ -922,18 +911,6 @@ func TestScanner_Scan(t *testing.T) {
 								DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
 							},
 						},
-						{
-							Type:      "Kubernetes Security Check",
-							ID:        "ID100",
-							Title:     "Bad Deployment",
-							Message:   "No issues found",
-							Namespace: "main.kubernetes.id100",
-							Severity:  "HIGH",
-							Status:    types.MisconfStatusException,
-							Layer: ftypes.Layer{
-								DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
-							},
-						},
 					},
 				},
 			},

diff --git a/pkg/types/report.go b/pkg/types/report.go
@@ -130,13 +130,12 @@ func (r *Result) IsEmpty() bool {
 }
 
 type MisconfSummary struct {
-	Successes  int
-	Failures   int
-	Exceptions int
+	Successes int
+	Failures  int
 }
 
 func (s MisconfSummary) Empty() bool {
-	return s.Successes == 0 && s.Failures == 0 && s.Exceptions == 0
+	return s.Successes == 0 && s.Failures == 0
 }
 
 // Failed returns whether the result includes any vulnerabilities, misconfigurations or secrets