validator-labs · mattwelke · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024
@@ -26,6 +26,7 @@ linters:
     - misspell
     - nakedret
     - prealloc
+    - revive
     - staticcheck
     - typecheck
     - unconvert

@@ -1,12 +1,12 @@
-
-# -include will silently skip missing files, which allows us
-# to load those files with a target in the Makefile. If only
-# "include" was used, the make command would fail and refuse
-# to run a target until the include commands succeeded.
--include build/makelib/common.mk
+include build/makelib/common.mk
+include build/makelib/plugin.mk
 
 # Image URL to use all building/pushing image targets
 IMG ?= quay.io/validator-labs/validator-plugin-kubescape:latest
 
 # Helm vars
 CHART_NAME=validator-plugin-kubescape
+
+.PHONY: dev
+dev:
+	devspace dev -n validator
@@ -113,7 +113,7 @@ pre-commit install --hook-type pre-commit
 ```
 
 ## License
-Copyright 2023.
+Copyright 2024.
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v1 contains API Schema definitions for the validation v1 API group
+// Package v1alpha1 contains API Schema definitions for the validation v1alpha1 API group
 // +kubebuilder:object:generate=true
 // +groupName=validation.spectrocloud.labs
 package v1alpha1

@@ -31,30 +31,31 @@ type KubescapeValidatorSpec struct {
 	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 	// Global Severity Limit Rule
 	SeverityLimitRule SeverityLimitRule `json:"severityLimitRule,omitempty" yaml:"severityLimitRule,omitempty"`
-	// Global Ignore CVEs
-	IgnoredCVERule []string `json:"ignoredCVERule,omitempty" yaml:"ignoredCVERule,omitempty"`
 	// Rule for Flagged CVEs
 	FlaggedCVERule []FlaggedCVE `json:"flaggedCVERule,omitempty" yaml:"flaggedCVERule,omitempty"`
 }
 
+// FlaggedCVE is a flagged CVE rule.
 type FlaggedCVE string
 
+// Name returns the formatted name of the flagged CVE.
 func (r FlaggedCVE) Name() string {
 	return fmt.Sprintf("FLAG-%s", string(r))
 }
 
-// Increase for every rule
+// ResultCount returns the number of validation results expected for an KubescapeValidatorSpec.
 func (s KubescapeValidatorSpec) ResultCount() int {
 	count := 0
 	if s.SeverityLimitRule != (SeverityLimitRule{}) {
 		count++
 	}
-	count += len(s.IgnoredCVERule)
 	count += len(s.FlaggedCVERule)
 
 	return count
 }
 
+// SeverityLimitRule verifies that the number of vulnerabilities of each severity level does not
+// exceed the specified limit.
 type SeverityLimitRule struct {
 	Critical   *int `json:"critical,omitempty"`
 	High       *int `json:"high,omitempty"`
@@ -64,6 +65,7 @@ type SeverityLimitRule struct {
 	Unknown    *int `json:"unknown,omitempty"`
 }
 
+// Name is the name of all severity limit rules.
 func (r SeverityLimitRule) Name() string {
 	return "SeverityLimitRule"
 }

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: kubescapevalidators.validation.spectrocloud.labs
 spec:
   group: validation.spectrocloud.labs
@@ -21,14 +21,19 @@ spec:
           API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -38,11 +43,7 @@ spec:
               flaggedCVERule:
                 description: Rule for Flagged CVEs
                 items:
-                  type: string
-                type: array
-              ignoredCVERule:
-                description: Global Ignore CVEs
-                items:
+                  description: FlaggedCVE is a flagged CVE rule.
                   type: string
                 type: array
               namespace:

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package main initializes a KubescapeValidator controller.
 package main
 
 import (

@@ -43,11 +43,7 @@ spec:
               flaggedCVERule:
                 description: Rule for Flagged CVEs
                 items:
-                  type: string
-                type: array
-              ignoredCVERule:
-                description: Global Ignore CVEs
-                items:
+                  description: FlaggedCVE is a flagged CVE rule.
                   type: string
                 type: array
               namespace:

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: controller
+  newName: quay.io/validator-labs/validator-plugin-kubescape
   newTag: latest
@@ -16,7 +16,3 @@ spec:
   # Rule to flag CVEs
   flaggedCVERule:
     - "CVE-2022-21698"
-
-  # Global rule to ignore specified CVEs
-  ignoredCVERule:
-    - "CVE-xxxx-xxxx"
@@ -1,6 +1,10 @@
+// Package constants contains Kubescape plugin constants.
 package constants
 
 const (
-	PluginCode             = "KUBESCAPE"
+	// PluginCode is the code for the plugin.
+	PluginCode = "KUBESCAPE"
+
+	// ValidationTypeSeverity is the validation type for severity limit rules.
 	ValidationTypeSeverity = "kubescape-severity"
 )
@@ -14,6 +14,7 @@
 limitations under the License.
 */
 
+// Package controller defines a controller for reconciling KubescapeValidator objects.
 package controller
 
 import (
@@ -63,6 +64,8 @@
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile
 
+// Reconcile reconciles each rule found in each KubescapeValidator in the cluster and creates
+// ValidationResults accordingly.
 func (r *KubescapeValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	l := r.Log.V(0).WithValues("name", req.Name, "namespace", req.Namespace)
 	l.Info("Reconciling Kubescape Validator")
@@ -120,7 +123,7 @@
 	}
 
 	// Reconcile Severity Rule
-	vrr, err := kubescapeService.ReconcileSeverityRule(nn, validator.Spec.SeverityLimitRule, validator.Spec.IgnoredCVERule, manifests)
+	vrr, err := kubescapeService.ReconcileSeverityRule(validator.Spec.SeverityLimitRule, manifests)
 	if err != nil {
 		l.Error(err, "failed to reconcile Severity rule")
 	}
@@ -129,7 +132,7 @@
 	// Reconcile Flagged CVE Rule
 	for _, rule := range validator.Spec.FlaggedCVERule {
 		fmt.Println("ahash")
-		vrr, err := kubescapeService.ReconcileFlaggedCVERule(nn, rule, manifests)
+		vrr, err := kubescapeService.ReconcileFlaggedCVERule(rule, manifests)
 		if err != nil {
 			l.Error(err, "failed to reconcile Severity rule")
 		}

@@ -1,3 +1,4 @@
+// Package validators handles Kubescape validation rule reconciliation.
 package validators
 
 import (
@@ -13,25 +14,27 @@
 	"github.com/validator-labs/validator/pkg/types"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	ktypes "k8s.io/apimachinery/pkg/types"
 )
 
 type kubescapeRule interface {
 	Name() string
 }
 
+// KubescapeService retrieves vulnerability data and uses it to reconcile Kubescape rules.
 type KubescapeService struct {
 	Log logr.Logger
 	API *kubevuln.APIServerStore
 }
 
-func NewKubescapeService(log logr.Logger, kvApi *kubevuln.APIServerStore) *KubescapeService {
+// NewKubescapeService creates a KubescapeService.
+func NewKubescapeService(log logr.Logger, kvAPI *kubevuln.APIServerStore) *KubescapeService {
 	return &KubescapeService{
 		Log: log,
-		API: kvApi,
+		API: kvAPI,
 	}
 }
 
+// Manifests retrieves vulnerability data.
 func (n *KubescapeService) Manifests() ([]kubescapev1.VulnerabilityManifest, error) {
 	manifestList, err := n.API.StorageClient.VulnerabilityManifests("kubescape").List(context.Background(), metav1.ListOptions{})
 	if err != nil {
@@ -51,7 +54,8 @@
 	return manifests, nil
 }
 
-func (n *KubescapeService) ReconcileSeverityRule(nn ktypes.NamespacedName, rule validationv1.SeverityLimitRule, ignoredCVEs []string, manifests []kubescapev1.VulnerabilityManifest) (*types.ValidationRuleResult, error) {
+// ReconcileSeverityRule reconciles a severity limit rule.
+func (n *KubescapeService) ReconcileSeverityRule(rule validationv1.SeverityLimitRule, manifests []kubescapev1.VulnerabilityManifest) (*types.ValidationRuleResult, error) {
 	vr := buildValidationResult(rule, constants.ValidationTypeSeverity)
 
 	critical := 0
@@ -145,7 +149,8 @@
 	return vr, nil
 }
 
-func (n *KubescapeService) ReconcileFlaggedCVERule(nn ktypes.NamespacedName, cve validationv1.FlaggedCVE, manifests []kubescapev1.VulnerabilityManifest) (*types.ValidationRuleResult, error) {
+// ReconcileFlaggedCVERule reconciles a flagged CVE rule.
+func (n *KubescapeService) ReconcileFlaggedCVERule(cve validationv1.FlaggedCVE, manifests []kubescapev1.VulnerabilityManifest) (*types.ValidationRuleResult, error) {
 	vr := buildValidationResult(cve, constants.ValidationTypeSeverity)
 
 	count := 0
@@ -163,7 +168,7 @@
 				}
 
 				checkedImages[imageTag] = true
-				count += 1
+				count++
 
 				vr.Condition.Details = append(vr.Condition.Details, fmt.Sprintf("%s found in %s", match.Vulnerability.ID, imageTag))
 				vr.Condition.Failures = append(vr.Condition.Failures, imageTag)

@@ -9,7 +9,6 @@ import (
 	kubescapev1 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 	validationv1 "github.com/validator-labs/validator-plugin-kubescape/api/v1alpha1"
 	"github.com/validator-labs/validator/pkg/types"
-	ktypes "k8s.io/apimachinery/pkg/types"
 )
 
 func TestKubescapeService_ReconcileSeverityRule(t *testing.T) {
@@ -18,10 +17,8 @@ func TestKubescapeService_ReconcileSeverityRule(t *testing.T) {
 		API *kubevuln.APIServerStore
 	}
 	type args struct {
-		nn          ktypes.NamespacedName
-		rule        validationv1.SeverityLimitRule
-		ignoredCVEs []string
-		manifests   []kubescapev1.VulnerabilityManifest
+		rule      validationv1.SeverityLimitRule
+		manifests []kubescapev1.VulnerabilityManifest
 	}
 	tests := []struct {
 		name    string
@@ -38,7 +35,7 @@ func TestKubescapeService_ReconcileSeverityRule(t *testing.T) {
 				Log: tt.fields.Log,
 				API: tt.fields.API,
 			}
-			got, err := n.ReconcileSeverityRule(tt.args.nn, tt.args.rule, tt.args.ignoredCVEs, tt.args.manifests)
+			got, err := n.ReconcileSeverityRule(tt.args.rule, tt.args.manifests)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("KubescapeService.ReconcileSeverityRule() error = %v, wantErr %v", err, tt.wantErr)
 				return