Skip to content

Commit

Permalink
chore(deps): Bump trivy-checks (#7417)
Browse files Browse the repository at this point in the history
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
  • Loading branch information
simar7 and nikpivkin authored Aug 30, 2024
1 parent a5aa63e commit 39c8024
Show file tree
Hide file tree
Showing 13 changed files with 112 additions and 140 deletions.
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v0.13.1-0.20240809030752-558fcff75807
github.com/aquasecurity/trivy-checks v0.13.1-0.20240830035934-7761a83288cd
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -348,8 +348,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v0.13.1-0.20240809030752-558fcff75807 h1:yw2INXrbfekt1yHDQAlNZlHIUZQXMcSS+mWI9XWJUN0=
github.com/aquasecurity/trivy-checks v0.13.1-0.20240809030752-558fcff75807/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
github.com/aquasecurity/trivy-checks v0.13.1-0.20240830035934-7761a83288cd h1:/6sPLCU4JICPPYAmY2iUsLGpgYBXUH6M/0fy57AhNWY=
github.com/aquasecurity/trivy-checks v0.13.1-0.20240830035934-7761a83288cd/go.mod h1:zLBeXaTJkAvPZqKiRACAsP49ZywCEXFEjXMLa8kmc8Q=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
Expand Down
112 changes: 23 additions & 89 deletions pkg/fanal/artifact/local/fs_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -299,15 +299,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
fields: fields{
dir: "./testdata/misconfig/terraform/single-failure",
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
Expand Down Expand Up @@ -352,15 +343,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
fields: fields{
dir: "./testdata/misconfig/terraform/multiple-failures",
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
Expand Down Expand Up @@ -437,13 +419,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
fields: fields{
dir: "./testdata/misconfig/terraform/no-results",
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
Expand All @@ -467,15 +442,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
fields: fields{
dir: "./testdata/misconfig/terraform/passed",
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
Expand Down Expand Up @@ -516,15 +482,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
fields: fields{
dir: "./testdata/misconfig/terraform/busted-relative-paths/child/main.tf",
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
Expand Down Expand Up @@ -584,12 +541,7 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
TerraformTFVars: []string{"./testdata/misconfig/terraform/tfvar-outside/main.tfvars"},
TfExcludeDownloaded: true,
DisableEmbeddedPolicies: true,
TerraformTFVars: []string{"./testdata/misconfig/terraform/tfvar-outside/main.tfvars"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -632,14 +584,6 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
fields: fields{
dir: "./testdata/misconfig/terraform/relative-paths/child",
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/terraform/rego"},
DisableEmbeddedPolicies: true,
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
Expand Down Expand Up @@ -726,6 +670,8 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
types.SystemFileFilteringPostHandler,
}
tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
tt.artifactOpt.MisconfScannerOption.Namespaces = []string{"user"}
tt.artifactOpt.MisconfScannerOption.PolicyPaths = []string{"./testdata/misconfig/terraform/rego"}
a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt)
require.NoError(t, err)

Expand Down Expand Up @@ -972,9 +918,8 @@ func TestTerraformPlanSnapshotMisconfScan(t *testing.T) {
types.SystemFileFilteringPostHandler,
},
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
DisableEmbeddedPolicies: true,

RegoOnly: true,
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: false,
Namespaces: []string{"user"},
PolicyPaths: []string{tmpDir},
Expand All @@ -983,7 +928,6 @@ func TestTerraformPlanSnapshotMisconfScan(t *testing.T) {
SkipFiles: []string{"*.tf"},
},
}

a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), opt)
require.NoError(t, err)

Expand Down Expand Up @@ -1015,7 +959,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1077,7 +1020,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1161,7 +1103,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1194,7 +1135,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/params/code/rego"},
CloudFormationParamVars: []string{"./testdata/misconfig/cloudformation/params/cfparams.json"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1251,7 +1191,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1339,7 +1278,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1397,7 +1335,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1485,7 +1422,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1543,6 +1479,7 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
tt.artifactOpt.DisabledHandlers = []types.HandlerType{
types.SystemFileFilteringPostHandler,
}
tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt)
require.NoError(t, err)

Expand Down Expand Up @@ -1574,7 +1511,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1637,7 +1573,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1753,7 +1688,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -1811,6 +1745,7 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
tt.artifactOpt.DisabledHandlers = []types.HandlerType{
types.SystemFileFilteringPostHandler,
}
tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt)
require.NoError(t, err)

Expand Down Expand Up @@ -2068,6 +2003,7 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
tt.artifactOpt.DisabledHandlers = []types.HandlerType{
types.SystemFileFilteringPostHandler,
}
tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt)
require.NoError(t, err)

Expand Down Expand Up @@ -2099,7 +2035,6 @@ func TestMixedConfigurationScan(t *testing.T) {
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/mixed/rego"},
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: true,
},
},
Expand Down Expand Up @@ -2184,6 +2119,7 @@ func TestMixedConfigurationScan(t *testing.T) {
tt.artifactOpt.DisabledHandlers = []types.HandlerType{
types.SystemFileFilteringPostHandler,
}
tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
a, err := NewArtifact(tt.fields.dir, c, walker.NewFS(), tt.artifactOpt)
require.NoError(t, err)

Expand Down Expand Up @@ -2217,10 +2153,9 @@ func TestJSONConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/json/passed/checks"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/json/passed/checks"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -2291,10 +2226,9 @@ func TestJSONConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/json/with-schema/checks"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/json/with-schema/checks"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -2342,6 +2276,7 @@ func TestJSONConfigScan(t *testing.T) {
c := new(cache.MockArtifactCache)
c.ApplyPutBlobExpectation(tt.putBlobExpectation)

tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
if len(tt.fields.schemas) > 0 {
schemas, err := misconf.LoadConfigSchemas(tt.fields.schemas)
require.NoError(t, err)
Expand Down Expand Up @@ -2381,10 +2316,9 @@ func TestYAMLConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/yaml/passed/checks"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/yaml/passed/checks"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -2455,10 +2389,9 @@ func TestYAMLConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/yaml/with-schema/checks"},
DisableEmbeddedPolicies: true,
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/yaml/with-schema/checks"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Expand Down Expand Up @@ -2506,6 +2439,7 @@ func TestYAMLConfigScan(t *testing.T) {
c := new(cache.MockArtifactCache)
c.ApplyPutBlobExpectation(tt.putBlobExpectation)

tt.artifactOpt.MisconfScannerOption.DisableEmbeddedPolicies = true
if len(tt.fields.schemas) > 0 {
schemas, err := misconf.LoadConfigSchemas(tt.fields.schemas)
require.NoError(t, err)
Expand Down
5 changes: 5 additions & 0 deletions pkg/iac/rego/load.go
Original file line number Diff line number Diff line change
Expand Up @@ -290,6 +290,11 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
if err != nil {
return err
}

if !meta.hasAnyFramework(s.frameworks) {
continue
}

if len(meta.InputOptions.Selectors) == 0 {
s.logger.Warn(
"Module has no input selectors - it will be loaded for all inputs!",
Expand Down
Loading

0 comments on commit 39c8024

Please sign in to comment.