From db64570b88d6e356ab74766adaf4cb1f9bcc5a35 Mon Sep 17 00:00:00 2001 From: nikpivkin Date: Thu, 19 Dec 2024 17:40:05 +0600 Subject: [PATCH] feat(misconf): support for ignoring by inline comments for Helm Signed-off-by: nikpivkin --- pkg/iac/scanners/helm/scanner.go | 3 ++ pkg/iac/scanners/helm/test/scanner_test.go | 36 ++++++++----------- .../testchart/templates/deployment.yaml | 1 + .../testchart/templates/deployment.yaml | 1 + .../testchart/templates/deployment.yaml | 1 + 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/pkg/iac/scanners/helm/scanner.go b/pkg/iac/scanners/helm/scanner.go index 6891606d908a..480d2b2edd46 100644 --- a/pkg/iac/scanners/helm/scanner.go +++ b/pkg/iac/scanners/helm/scanner.go @@ -12,6 +12,7 @@ import ( "github.com/liamg/memoryfs" "github.com/aquasecurity/trivy/pkg/iac/detection" + "github.com/aquasecurity/trivy/pkg/iac/ignore" "github.com/aquasecurity/trivy/pkg/iac/rego" "github.com/aquasecurity/trivy/pkg/iac/scan" "github.com/aquasecurity/trivy/pkg/iac/scanners" @@ -125,6 +126,7 @@ func (s *Scanner) getScanResults(path string, ctx context.Context, target fs.FS) file := file s.logger.Debug("Processing rendered chart file", log.FilePath(file.TemplateFilePath)) + ignoreRules := ignore.Parse(file.ManifestContent, file.TemplateFilePath, "") manifests, err := kparser.Parse(ctx, strings.NewReader(file.ManifestContent), file.TemplateFilePath) if err != nil { return nil, fmt.Errorf("unmarshal yaml: %w", err) @@ -150,6 +152,7 @@ func (s *Scanner) getScanResults(path string, ctx context.Context, target fs.FS) return nil, err } fileResults.SetSourceAndFilesystem(helmParser.ChartSource, renderedFS, detection.IsArchive(helmParser.ChartSource)) + fileResults.Ignore(ignoreRules, nil) } results = append(results, fileResults...) diff --git a/pkg/iac/scanners/helm/test/scanner_test.go b/pkg/iac/scanners/helm/test/scanner_test.go index ef751ac2a7b8..8cb0c7e39e27 100644 --- a/pkg/iac/scanners/helm/test/scanner_test.go +++ b/pkg/iac/scanners/helm/test/scanner_test.go @@ -10,6 +10,7 @@ import ( "strings" "testing" + "github.com/samber/lo" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -136,28 +137,28 @@ func Test_helm_scanner_with_dir(t *testing.T) { require.NotNil(t, results) failed := results.GetFailed() - assert.Len(t, failed, 14) + assert.Len(t, failed, 13) visited := make(map[string]bool) - var errorCodes []string for _, result := range failed { - id := result.Flatten().RuleID - if _, exists := visited[id]; !exists { - visited[id] = true - errorCodes = append(errorCodes, id) - } + visited[result.Rule().AVDID] = true } + errorCodes := lo.Keys(visited) - sort.Strings(errorCodes) - - assert.Equal(t, []string{ + assert.ElementsMatch(t, []string{ "AVD-KSV-0001", "AVD-KSV-0003", "AVD-KSV-0011", "AVD-KSV-0012", "AVD-KSV-0014", - "AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018", + "AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030", "AVD-KSV-0104", "AVD-KSV-0106", "AVD-KSV-0117", }, errorCodes) + + ignored := results.GetIgnored() + assert.Len(t, ignored, 1) + + assert.Equal(t, "AVD-KSV-0018", ignored[0].Rule().AVDID) + assert.Equal(t, "templates/deployment.yaml", ignored[0].Metadata().Range().GetFilename()) } } @@ -231,19 +232,12 @@ deny[res] { assert.Len(t, failed, 15) visited := make(map[string]bool) - var errorCodes []string for _, result := range failed { - id := result.Flatten().RuleID - if _, exists := visited[id]; !exists { - visited[id] = true - errorCodes = append(errorCodes, id) - } + visited[result.Rule().AVDID] = true } - assert.Len(t, errorCodes, 14) - - sort.Strings(errorCodes) + errorCodes := lo.Keys(visited) - assert.Equal(t, []string{ + assert.ElementsMatch(t, []string{ "AVD-KSV-0001", "AVD-KSV-0003", "AVD-KSV-0011", "AVD-KSV-0012", "AVD-KSV-0014", "AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0018", diff --git a/pkg/iac/scanners/helm/test/testdata/expected/options/testchart/templates/deployment.yaml b/pkg/iac/scanners/helm/test/testdata/expected/options/testchart/templates/deployment.yaml index c41133c72716..1280e673b92a 100644 --- a/pkg/iac/scanners/helm/test/testdata/expected/options/testchart/templates/deployment.yaml +++ b/pkg/iac/scanners/helm/test/testdata/expected/options/testchart/templates/deployment.yaml @@ -25,6 +25,7 @@ spec: securityContext: {} containers: + # trivy:ignore:KSV018 - name: testchart securityContext: runAsUser: 0 diff --git a/pkg/iac/scanners/helm/test/testdata/expected/testchart/templates/deployment.yaml b/pkg/iac/scanners/helm/test/testdata/expected/testchart/templates/deployment.yaml index 8ace433f0c03..9a2e277c106a 100644 --- a/pkg/iac/scanners/helm/test/testdata/expected/testchart/templates/deployment.yaml +++ b/pkg/iac/scanners/helm/test/testdata/expected/testchart/templates/deployment.yaml @@ -25,6 +25,7 @@ spec: securityContext: {} containers: + # trivy:ignore:KSV018 - name: testchart securityContext: {} diff --git a/pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yaml b/pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yaml index cde22bc4fcc5..4f81b4f85eb9 100644 --- a/pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yaml +++ b/pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yaml @@ -28,6 +28,7 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: + # trivy:ignore:KSV018 - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }}