From 812c84a08c519b0a078cd4e6e2b871c7dfb660e9 Mon Sep 17 00:00:00 2001
From: Simar
Date: Mon, 21 Oct 2024 22:40:12 -0600
Subject: [PATCH] BREAKING(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning

---
 pkg/cache/mock_artifact_cache.go | 3 ---
 pkg/compliance/spec/mapper.go | 2 --
 pkg/compliance/spec/mapper_test.go | 10 ++++------
 pkg/fanal/types/misconf.go | 14 ++++++--------
 pkg/misconf/scanner.go | 2 --
 pkg/report/table/misconfig.go | 4 ++--
 pkg/report/table/misconfig_test.go | 19 +++++++++----------
 pkg/result/filter.go | 6 +-----
 pkg/result/filter_test.go | 20 ++++++++------------
 pkg/rpc/convert.go | 24 +++++++++++-------------
 pkg/scanner/local/scan.go | 3 ---
 pkg/scanner/local/scan_test.go | 23 -----------------------
 pkg/types/report.go | 7 +++----
 13 files changed, 44 insertions(+), 93 deletions(-)

diff --git a/pkg/cache/mock_artifact_cache.go b/pkg/cache/mock_artifact_cache.go
index e0b1430337e4..ef9503203a7f 100644
--- a/pkg/cache/mock_artifact_cache.go
+++ b/pkg/cache/mock_artifact_cache.go
@@ -229,9 +229,6 @@ func (_m *MockArtifactCache) PutBlob(blobID string, blobInfo types.BlobInfo) err
 for j := range blobInfo.Misconfigurations[i].Warnings {
 blobInfo.Misconfigurations[i].Warnings[j].Code = types.Code{}
 }
- for j := range blobInfo.Misconfigurations[i].Exceptions {
- blobInfo.Misconfigurations[i].Exceptions[j].Code = types.Code{}
- }
 }
 
 ret := _m.Called(blobID, blobInfo)
diff --git a/pkg/compliance/spec/mapper.go b/pkg/compliance/spec/mapper.go
index 6fa5d2bbd45a..8c683753ad90 100644
--- a/pkg/compliance/spec/mapper.go
+++ b/pkg/compliance/spec/mapper.go
@@ -49,8 +49,6 @@ func misconfigSummary(misconfig types.DetectedMisconfiguration) *types.MisconfSu
 rms.Successes = 1
 case types.MisconfStatusFailure:
 rms.Failures = 1
- case types.MisconfStatusException:
- rms.Exceptions = 1
 }
 return &rms
 }
diff --git a/pkg/compliance/spec/mapper_test.go b/pkg/compliance/spec/mapper_test.go
index 62050d27ec47..070c06a8ce96 100644
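Review bot: With the `types.MisconfStatusException` case removed from `misconfigSummary`, a DetectedMisconfiguration that still carries that status now yields an all-zero summary instead of being counted anywhere; the same gap appears in `summarize` in pkg/result/filter.go further down. Every producer of that status visible in this patch is removed (scan.go no longer emits it), but no file in the diffstat touches the constant's declaration, so if it remains declared it is now dead and should carry `// Deprecated: the scanner no longer produces this status.` or be removed in a follow-up. `misconfigSummary` starts before this hunk.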
--- a/pkg/compliance/spec/mapper_test.go
+++ b/pkg/compliance/spec/mapper_test.go
@@ -61,9 +61,8 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 Class: types.ClassConfig,
 Type: ftypes.Kubernetes,
 MisconfSummary: &types.MisconfSummary{
- Successes: 0,
- Failures: 1,
- Exceptions: 0,
+ Successes: 0,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 {
@@ -79,9 +78,8 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 Class: types.ClassConfig,
 Type: ftypes.Kubernetes,
 MisconfSummary: &types.MisconfSummary{
- Successes: 0,
- Failures: 1,
- Exceptions: 0,
+ Successes: 0,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 {
diff --git a/pkg/fanal/types/misconf.go b/pkg/fanal/types/misconf.go
index 3b4e9b447895..706220f0a1c7 100644
--- a/pkg/fanal/types/misconf.go
+++ b/pkg/fanal/types/misconf.go
@@ -8,13 +8,12 @@ import (
 )
 
 type Misconfiguration struct {
- FileType ConfigType `json:",omitempty"`
- FilePath string `json:",omitempty"`
- Successes MisconfResults `json:",omitempty"`
- Warnings MisconfResults `json:",omitempty"`
- Failures MisconfResults `json:",omitempty"`
- Exceptions MisconfResults `json:",omitempty"`
- Layer Layer `json:",omitempty"`
+ FileType ConfigType `json:",omitempty"`
+ FilePath string `json:",omitempty"`
+ Successes MisconfResults `json:",omitempty"`
+ Warnings MisconfResults `json:",omitempty"`
+ Failures MisconfResults `json:",omitempty"`
+ Layer Layer `json:",omitempty"`
 }
 
 type MisconfResult struct {
@@ -117,7 +116,6 @@ func ToMisconfigurations(misconfs map[string]Misconfiguration) []Misconfiguratio
 sort.Sort(misconf.Successes)
 sort.Sort(misconf.Warnings)
 sort.Sort(misconf.Failures)
- sort.Sort(misconf.Exceptions)
 results = append(results, misconf)
 }
 
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index 7a3642dfe895..1aa2a5cd5c16 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
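Review bot: Removing `Exceptions` from `Misconfiguration` also changes the serialized shape of a type that reaches the artifact cache through `BlobInfo.Misconfigurations` (see the `PutBlob` hunk above), and the `json:",omitempty"` tags suggest cached blobs are stored as JSON. A blob written by a previous version will still carry an `Exceptions` key, which encoding/json silently ignores on decode, so previously recorded exceptions disappear without any signal; that is presumably the intent of the deprecation, but nothing in the patch says so. A short comment on the struct, e.g. `// Exceptions was removed with the EXCEPTIONS deprecation; blobs written by older versions may still carry it and it is ignored on decode.`, records the decision, and if the cache is versioned by a schema constant, that is where to decide whether this needs a bump. The struct is shown in full, but `ToMisconfigurations` in the second hunk starts outside it.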
@@ -488,8 +488,6 @@ func ResultsToMisconf(configType types.ConfigType, scannerName string, results s switch flattened.Status { case scan.StatusPassed: misconf.Successes = append(misconf.Successes, misconfResult) - case scan.StatusIgnored: - misconf.Exceptions = append(misconf.Exceptions, misconfResult) case scan.StatusFailed: misconf.Failures = append(misconf.Failures, misconfResult) } diff --git a/pkg/report/table/misconfig.go b/pkg/report/table/misconfig.go index 112d783d0875..47a2ca487b8f 100644 --- a/pkg/report/table/misconfig.go +++ b/pkg/report/table/misconfig.go @@ -61,8 +61,8 @@ func (r *misconfigRenderer) Render() string { total, summaries := summarize(r.severities, r.countSeverities()) summary := r.result.MisconfSummary - r.printf("Tests: %d (SUCCESSES: %d, FAILURES: %d, EXCEPTIONS: %d)\n", - summary.Successes+summary.Failures+summary.Exceptions, summary.Successes, summary.Failures, summary.Exceptions) + r.printf("Tests: %d (SUCCESSES: %d, FAILURES: %d)\n", + summary.Successes+summary.Failures, summary.Successes, summary.Failures) r.printf("Failures: %d (%s)\n\n", total, strings.Join(summaries, ", ")) for _, m := range r.result.Misconfigurations { diff --git a/pkg/report/table/misconfig_test.go b/pkg/report/table/misconfig_test.go index a57399f0e253..a4d0df8c31f9 100644 --- a/pkg/report/table/misconfig_test.go +++ b/pkg/report/table/misconfig_test.go @@ -24,7 +24,7 @@ func TestMisconfigRenderer(t *testing.T) { name: "single result", input: types.Result{ Target: "my-file", - MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1, Exceptions: 0}, + MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1}, Misconfigurations: []types.DetectedMisconfiguration{ { ID: "AVD-XYZ-0123", @@ -41,7 +41,7 @@ func TestMisconfigRenderer(t *testing.T) { want: ` my-file () ========== -Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0) +Tests: 1 (SUCCESSES: 0, FAILURES: 1) Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0) HIGH: Oh no, a bad config. 
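Review bot: `ResultsToMisconf` now drops `scan.StatusIgnored` results entirely: the switch has no case for them and no default, so an ignored check leaves no trace in the returned Misconfiguration. That matches the deprecation, but a reader of the switch cannot tell whether the omission is deliberate or a missed case; add `// scan.StatusIgnored is intentionally unhandled: exceptions are no longer reported.` above `case scan.StatusFailed:`. The function's body begins and continues outside this hunk.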
@@ -58,7 +58,7 @@ See https://google.com/search?q=bad%20config
 name: "single result with code",
 input: types.Result{
 Target: "my-file",
- MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1, Exceptions: 0},
+ MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1},
 Misconfigurations: []types.DetectedMisconfiguration{
 {
 ID: "AVD-XYZ-0123",
@@ -100,7 +100,7 @@ See https://google.com/search?q=bad%20config
 want: `
 my-file ()
 ==========
-Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 HIGH: Oh no, a bad config.
@@ -123,7 +123,7 @@ See https://google.com/search?q=bad%20config
 name: "multiple results",
 input: types.Result{
 Target: "my-file",
- MisconfSummary: &types.MisconfSummary{Successes: 1, Failures: 1, Exceptions: 0},
+ MisconfSummary: &types.MisconfSummary{Successes: 1, Failures: 1},
 Misconfigurations: []types.DetectedMisconfiguration{
 {
 ID: "AVD-XYZ-0123",
@@ -171,7 +171,7 @@ See https://google.com/search?q=bad%20config
 want: `
 my-file ()
 ==========
-Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 2 (SUCCESSES: 1, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 FAIL: HIGH: Oh no, a bad config.
@@ -205,9 +205,8 @@ See https://google.com/search?q=bad%20config
 Class: types.ClassConfig,
 Type: "terraform",
 MisconfSummary: &types.MisconfSummary{
- Successes: 5,
- Failures: 1,
- Exceptions: 0,
+ Successes: 5,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 {
@@ -309,7 +308,7 @@ See https://google.com/search?q=bad%20config
 want: `
 terraform-aws-modules/security-group/aws/main.tf (terraform)
 ============================================================
-Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
+Tests: 6 (SUCCESSES: 5, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
 
 CRITICAL: Security group rule allows ingress from public internet.
diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index e1f0e632197e..83e0c0a7170e 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -130,13 +130,12 @@ func filterMisconfigurations(result *types.Result, severities []string, includeN
 
 // Filter by ignore file
 if f := ignoreConfig.MatchMisconfiguration(misconf.ID, misconf.AVDID, result.Target); f != nil {
- result.MisconfSummary.Exceptions++
 result.ModifiedFindings = append(result.ModifiedFindings,
 types.NewModifiedFinding(misconf, types.FindingStatusIgnored, f.Statement, ignoreConfig.FilePath))
 continue
 }
 
- // Count successes, failures, and exceptions
+ // Count successes and failures
 summarize(misconf.Status, result.MisconfSummary)
 
 if misconf.Status != types.MisconfStatusFailure && !includeNonFailures {
@@ -210,8 +209,6 @@ func summarize(status types.MisconfStatus, summary *types.MisconfSummary) {
 summary.Failures++
 case types.MisconfStatusPassed:
 summary.Successes++
- case types.MisconfStatusException:
- summary.Exceptions++
 }
 }
 
@@ -256,7 +253,6 @@ func applyPolicy(ctx context.Context, result *types.Result, policyFile string) e
 return err
 }
 if ignored {
- result.MisconfSummary.Exceptions++
 switch misconf.Status {
 case types.MisconfStatusFailure:
 result.MisconfSummary.Failures--
diff --git a/pkg/result/filter_test.go b/pkg/result/filter_test.go
index 0298cd0d9582..289ec2ee0c63 100644
--- a/pkg/result/filter_test.go
+++ b/pkg/result/filter_test.go
@@ -233,9 +233,8 @@ func TestFilter(t *testing.T) {
 vuln2,
 },
 MisconfSummary: &types.MisconfSummary{
- Successes: 0,
- Failures: 1,
- Exceptions: 0,
+ Successes: 0,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 misconf1,
@@ -403,9 +402,8 @@ func TestFilter(t *testing.T) {
 Target: "deployment.yaml",
 Class: types.ClassConfig,
 MisconfSummary: &types.MisconfSummary{
- Successes: 1,
- Failures: 1,
- Exceptions: 1,
+ Successes: 1,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 misconf1,
@@ -522,9 +520,8 @@ func TestFilter(t *testing.T) {
 {
 Target: "app/Dockerfile",
 MisconfSummary: &types.MisconfSummary{
- Successes: 0,
- Failures: 1,
- Exceptions: 2,
+ Successes: 0,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 misconf3,
@@ -641,9 +638,8 @@ func TestFilter(t *testing.T) {
 Results: types.Results{
 {
 MisconfSummary: &types.MisconfSummary{
- Successes: 1,
- Failures: 1,
- Exceptions: 1,
+ Successes: 1,
+ Failures: 1,
 },
 Misconfigurations: []types.DetectedMisconfiguration{
 misconf1,
diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go
index 1662877bd597..89097730111b 100644
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -754,13 +754,12 @@ func ConvertFromRPCMisconfigurations(rpcMisconfs []*common.Misconfiguration) []f
 var misconfs []ftypes.Misconfiguration
 for _, rpcMisconf := range rpcMisconfs {
 misconfs = append(misconfs, ftypes.Misconfiguration{
- FileType: ftypes.ConfigType(rpcMisconf.FileType),
- FilePath: rpcMisconf.FilePath,
- Successes: ConvertFromRPCMisconfResults(rpcMisconf.Successes),
- Warnings: ConvertFromRPCMisconfResults(rpcMisconf.Warnings),
- Failures: ConvertFromRPCMisconfResults(rpcMisconf.Failures),
- Exceptions: ConvertFromRPCMisconfResults(rpcMisconf.Exceptions),
- Layer: ftypes.Layer{},
+ FileType: ftypes.ConfigType(rpcMisconf.FileType),
+ FilePath: rpcMisconf.FilePath,
+ Successes: ConvertFromRPCMisconfResults(rpcMisconf.Successes),
+ Warnings: ConvertFromRPCMisconfResults(rpcMisconf.Warnings),
+ Failures: ConvertFromRPCMisconfResults(rpcMisconf.Failures),
+ Layer: ftypes.Layer{},
 })
 }
 return misconfs
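Review bot: `ConvertFromRPCMisconfigurations` no longer reads `rpcMisconf.Exceptions`, and `ConvertToRPCPutBlobRequest` in the next hunk no longer sets it, yet neither the proto definition nor the generated `common.Misconfiguration` appears in the diffstat, so the field presumably stays on the wire. Under client/server version skew an older client that still fills the field will have those entries silently discarded by a newer server, while a newer client sends an empty field that older servers read as zero exceptions; neither side reports the mismatch. If that is acceptable, say so where the field is left unused, e.g. `// Exceptions is no longer populated; the proto field is kept only for wire compatibility.`, and consider marking the proto field deprecated in a follow-up. Both functions extend beyond their hunks.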
@@ -875,12 +874,11 @@ func ConvertToRPCPutBlobRequest(diffID string, blobInfo ftypes.BlobInfo) *cache.
 var misconfigurations []*common.Misconfiguration
 for _, m := range blobInfo.Misconfigurations {
 misconfigurations = append(misconfigurations, &common.Misconfiguration{
- FileType: string(m.FileType),
- FilePath: m.FilePath,
- Successes: ConvertToMisconfResults(m.Successes),
- Warnings: ConvertToMisconfResults(m.Warnings),
- Failures: ConvertToMisconfResults(m.Failures),
- Exceptions: ConvertToMisconfResults(m.Exceptions),
+ FileType: string(m.FileType),
+ FilePath: m.FilePath,
+ Successes: ConvertToMisconfResults(m.Successes),
+ Warnings: ConvertToMisconfResults(m.Warnings),
+ Failures: ConvertToMisconfResults(m.Failures),
 })
 }
 
diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
index f34723058e06..58cd4cc00167 100644
--- a/pkg/scanner/local/scan.go
+++ b/pkg/scanner/local/scan.go
@@ -210,9 +210,6 @@ func (s Scanner) MisconfsToResults(misconfs []ftypes.Misconfiguration) types.Res
 for _, w := range misconf.Successes {
 detected = append(detected, toDetectedMisconfiguration(w, dbTypes.SeverityUnknown, types.MisconfStatusPassed, misconf.Layer))
 }
- for _, w := range misconf.Exceptions {
- detected = append(detected, toDetectedMisconfiguration(w, dbTypes.SeverityUnknown, types.MisconfStatusException, misconf.Layer))
- }
 
 results = append(results, types.Result{
 Target: misconf.FilePath,
diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go
index f3e6cac5d3fa..bdeb5166a2fa 100644
--- a/pkg/scanner/local/scan_test.go
+++ b/pkg/scanner/local/scan_test.go
@@ -820,17 +820,6 @@ func TestScanner_Scan(t *testing.T) {
 },
 },
 },
- Exceptions: ftypes.MisconfResults{
- {
- Namespace: "main.kubernetes.id100",
- PolicyMetadata: ftypes.PolicyMetadata{
- ID: "ID100",
- Type: "Kubernetes Security Check",
- Title: "Bad Deployment",
- Severity: "HIGH",
- },
- },
- },
 Layer: ftypes.Layer{
 DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
 },
@@ -922,18 +911,6 @@ func TestScanner_Scan(t *testing.T) {
 DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
 },
 },
- {
- Type: "Kubernetes Security Check",
- ID: "ID100",
- Title: "Bad Deployment",
- Message: "No issues found",
- Namespace: "main.kubernetes.id100",
- Severity: "HIGH",
- Status: types.MisconfStatusException,
- Layer: ftypes.Layer{
- DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
- },
- },
 },
 },
 },
diff --git a/pkg/types/report.go b/pkg/types/report.go
index af364c95a11d..3ada68a942d8 100644
--- a/pkg/types/report.go
+++ b/pkg/types/report.go
@@ -130,13 +130,12 @@ func (r *Result) IsEmpty() bool {
 }
 
 type MisconfSummary struct {
- Successes int
- Failures int
- Exceptions int
+ Successes int
+ Failures int
 }
 
 func (s MisconfSummary) Empty() bool {
- return s.Successes == 0 && s.Failures == 0 && s.Exceptions == 0
+ return s.Successes == 0 && s.Failures == 0
 }
 
 // Failed returns whether the result includes any vulnerabilities, misconfigurations or secrets
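Review bot: `MisconfSummary` and `Empty` still have no doc comments, and after this change the struct's meaning is narrower than its name suggests: checks suppressed by an ignore file are skipped before `summarize` runs, and policy-ignored ones are decremented again in `applyPolicy` (both in pkg/result/filter.go in this patch), so the counts cover only checks that were actually reported. The struct presumably also appears in the JSON report, where the `Exceptions` key now disappears, so report consumers lose the only hint that some checks were excluded. A comment such as `// MisconfSummary counts the misconfiguration checks that passed and failed. Checks suppressed by an ignore file or policy are not counted here.` would record that, and `// Empty reports whether no checks were counted.` would cover the method. The `IsEmpty` line in the first context row belongs to a function that ends before this hunk.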