From 4f5f2a4ca17984f93df740a72dc301f2490e6ce8 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 12 Aug 2023 10:50:54 +0100 Subject: [PATCH 1/7] fixed tokens --- .../query.rego | 4 +++- ...gative.dockerfile => negative1.dockerfile} | 3 +++ ...sitive.dockerfile => positive1.dockerfile} | 0 .../test/positive_expected_result.json | 23 ++++++++++++------- 4 files changed, 21 insertions(+), 9 deletions(-) rename assets/queries/dockerfile/npm_install_without_pinned_version/test/{negative.dockerfile => negative1.dockerfile} (71%) rename assets/queries/dockerfile/npm_install_without_pinned_version/test/{positive.dockerfile => positive1.dockerfile} (100%) diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego index cc5535abbed..f5d472adda6 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego @@ -13,7 +13,9 @@ CxPolicy[result] { indexof(currentCmd, installCmd) > -1 tokens := split(currentCmd, " ") - token := tokens[_] + refactor_tokens := [x | x := tokens[_]; x != ""] + + token := refactor_tokens[_] token != "npm" token != "install" diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative.dockerfile b/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative1.dockerfile similarity index 71% rename from assets/queries/dockerfile/npm_install_without_pinned_version/test/negative.dockerfile rename to assets/queries/dockerfile/npm_install_without_pinned_version/test/negative1.dockerfile index 2510224cbf8..e59acc254cd 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative.dockerfile +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative1.dockerfile 
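Review bot: The comprehension only discards the empty strings that runs of spaces produce, so a tab or any other whitespace between `npm` and `install` would still yield a token that is neither `npm` nor `install` and would be treated as a package argument, because the split two lines above is still `split(currentCmd, " ")`. Splitting on a whitespace class handles both cases and makes the filter unnecessary: `tokens := regex.split("\\s+", trim_space(currentCmd))`. Whether currentCmd can actually carry tabs or line-continuation whitespace depends on how the Dockerfile parser normalises RUN commands, which the hunk does not show, so it is worth confirming with the new negative1.dockerfile fixture. The enclosing `CxPolicy[result]` rule starts and ends outside the hunk.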
@@ -6,3 +6,6 @@ RUN npm install sax@0.1.1 | grep fail && npm install sax@latest
 RUN npm install git://github.com/npm/cli.git
 RUN npm install git+ssh://git@github.com:npm/cli#semver:^5.0
 RUN npm install --production --no-cache
+RUN npm config set registry && \
+ npm install && \
+ npx vite build --mode $VITE_MODE
\ No newline at end of file
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive.dockerfile b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/npm_install_without_pinned_version/test/positive.dockerfile
rename to assets/queries/dockerfile/npm_install_without_pinned_version/test/positive1.dockerfile
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json
index 1f79753c6d5..ec6862cd11b 100644
--- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json
@@ -2,36 +2,43 @@
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive1.dockerfile"
 }
-]
+]
\ No newline at end of file
From d23bdac21579dff6ee8645ca35cf71d59001e6b5 Mon Sep 17 00:00:00 2001
From: gabriel-cx
Date: Fri, 1 Mar 2024 16:23:55 +0000
Subject: [PATCH 2/7] update(docs): docs and workflows maintenance
---
 .github/workflows/release-dkr-image.yml | 20 -----------------
 .../release-docker-github-actions.yaml | 14 ------------
 .github/workflows/release-nightly.yml | 22 -------------------
 docs/releases.md | 7 +----
 4 files changed, 1 insertion(+), 62 deletions(-)
diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml
index 671e1749a43..912b3952a88 100644
--- a/.github/workflows/release-dkr-image.yml
+++ b/.github/workflows/release-dkr-image.yml
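Review bot: The seven added `"filename"` keys differ in case from `"fileName"`, which is the key the other expected-result fixture in this series uses (the S3 one in patch 6/7, and the deleted k8s fixtures in patch 7/7). If the harness decodes these fixtures with Go's encoding/json the match is case-insensitive and this still passes, but the mixed spelling makes fixtures harder to grep and would break a stricter comparer. Suggest `"fileName": "positive1.dockerfile"` on each added line.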
@@ -99,26 +99,6 @@ jobs: # password: ${{ secrets.DOCKER_PASSWORD }} # readme-filepath: docs/dockerhub.md # repository: checkmarx/kics - - name: Export Image Digests - run: | - VERSION=${{ steps.get-version.outputs.version }} - - DIGEST=${{ steps.build_alpine.outputs.digest }} - ALPINE_DIGEST=${{ steps.build_alpine.outputs.digest }} - DEBIAN_DIGEST=${{ steps.build_debian.outputs.digest }} - UBI8_DIGEST=${{ steps.build_ubi8.outputs.digest }} - - echo "${VERSION},${DIGEST}" >> docs/docker/digests.csv - echo "${VERSION}-alpine,${ALPINE_DIGEST}" >> docs/docker/digests.csv - echo "${VERSION}-debian,${DEBIAN_DIGEST}" >> docs/docker/digests.csv - echo "${VERSION}-ubi8,${UBI8_DIGEST}" >> docs/docker/digests.csv - - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Generate .md table - run: | - pip install csvtomd - csvtomd docs/docker/digests.csv > docs/docker/digests.md - name: Create Pull Request uses: peter-evans/create-pull-request@v4 with: diff --git a/.github/workflows/release-docker-github-actions.yaml b/.github/workflows/release-docker-github-actions.yaml index bd05723a01f..6ff75ffbde0 100644 --- a/.github/workflows/release-docker-github-actions.yaml +++ b/.github/workflows/release-docker-github-actions.yaml @@ -49,20 +49,6 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Export Image Digests - run: | - VERSION=${{ github.event.inputs.version }} - - DIGEST=${{ steps.build_gh_action.outputs.digest }} - - echo "${VERSION}-gh-actions,${DIGEST}" >> docs/docker/digests.csv - - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Generate .md table - run: | - pip install csvtomd - csvtomd docs/docker/digests.csv > docs/docker/digests.md - name: Create Pull Request uses: peter-evans/create-pull-request@v4 with: diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 9c406adc57e..8e7cb454816 100644 --- a/.github/workflows/release-nightly.yml 
+++ b/.github/workflows/release-nightly.yml @@ -196,28 +196,6 @@ jobs: VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }} COMMIT=${{ github.sha }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} - - name: Export Image Digests - run: | - VERSION=nightly - - COMMIT_SHA8=${{ needs.pre_release_job.outputs.sha8 }} - DATE=$(date +'%Y-%m-%d') - DIGEST=${{ steps.build_alpine.outputs.digest }} - ALPINE_DIGEST=${{ steps.build_alpine.outputs.digest }} - DEBIAN_DIGEST=${{ steps.build_debian.outputs.digest }} - UBI8_DIGEST=${{ steps.build_ubi8.outputs.digest }} - - echo "scratch,${COMMIT_SHA8},${DATE},${DIGEST}" >> docs/docker/nightly.csv - echo "alpine,${COMMIT_SHA8},${DATE},${ALPINE_DIGEST}" >> docs/docker/nightly.csv - echo "debian,${COMMIT_SHA8},${DATE},${DEBIAN_DIGEST}" >> docs/docker/nightly.csv - echo "ubi8,${COMMIT_SHA8},${DATE},${UBI8_DIGEST}" >> docs/docker/nightly.csv - - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Generate .md table - run: | - pip install csvtomd - csvtomd docs/docker/nightly.csv > docs/docker/nightly.md - name: Create Pull Request uses: peter-evans/create-pull-request@v4 with: diff --git a/docs/releases.md b/docs/releases.md index 9a9aff34b30..f2839af6952 100644 --- a/docs/releases.md +++ b/docs/releases.md @@ -18,9 +18,4 @@ You can find our releases Date: Fri, 1 Mar 2024 17:08:17 +0000 Subject: [PATCH 3/7] update --- docs/commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/commands.md b/docs/commands.md index ffd54622309..fc9107ff229 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -61,7 +61,7 @@ Use "kics [command] --help" for more information about a command. | --no-progress | hides the progress bar| | --output-name string | name used on report creations (default "results")| | -o, --output-path string | directory path to store reports| -| --parallel | number of workers per platform enabled for parallel scanning, set 0 to auto-detect parallelism (default 1)| +| --parallel int | number of workers per platform enabled for parallel scanning, set 0 to auto-detect parallelism (default 1)| | -p, --path strings | paths or directories to scan
example: "./somepath,somefile.txt"| | --payload-lines | adds line information inside the payload when printing the payload file| | -d, --payload-path string | path to store internal representation JSON file| From 5b555187bcadd0ff5604b5798f416245b7b373f1 Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Wed, 6 Mar 2024 13:28:42 +0000 Subject: [PATCH 4/7] remediation error added --- docs/results.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/results.md b/docs/results.md index 084b4eebdaf..589513b20ab 100644 --- a/docs/results.md +++ b/docs/results.md @@ -999,5 +999,6 @@ KICS displays the results in CLI. For detailed information, you can use `-v --lo | Code | Description | | ----- | ---------------- | +| `70` | Remediation Error| | `126` | Engine Error | | `130` | Signal-Interrupt | From c87b1aabd0feaa83f4b8e495ed252cb948da67ec Mon Sep 17 00:00:00 2001 From: gabriel-cx Date: Fri, 8 Mar 2024 20:54:00 +0000 Subject: [PATCH 5/7] update(query): S3 Bucket Without Enabled MFA Delete severity updated --- .../aws/s3_bucket_without_enabled_mfa_delete/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json index 7557b845e86..706dc87b008 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/metadata.json 
@@ -1,7 +1,7 @@
 {
 "id": "c5b31ab9-0f26-4a49-b8aa-4cc064392f4d",
 "queryName": "S3 Bucket Without Enabled MFA Delete",
- "severity": "HIGH",
+ "severity": "LOW",
 "category": "Insecure Configurations",
 "descriptionText": "S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=\u003cBUCKET_NAME\u003e --mfa=\u003cMFA_SERIAL_NUMBER\u003e'. Please, also notice that MFA delete can not be used with lifecycle configurations",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete",
From 724ed0f3725c60471b59d15fa8fa6f2bed45160e Mon Sep 17 00:00:00 2001
From: gabriel-cx
Date: Fri, 8 Mar 2024 20:56:22 +0000
Subject: [PATCH 6/7] tests updated
---
 .../test/positive_expected_result.json | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
index 3dfb90b33a0..46f89917c14 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
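Review bot: The severity drops from HIGH to LOW with nothing on the page recording why; the only visible rationale is the descriptionText's own statement that MFA Delete cannot be enabled through Terraform, which makes the finding non-actionable in the scanned code rather than low-impact, since MFA Delete is the control that keeps a single compromised credential from purging versioned objects. Because severity is the main triage signal consumers see, the reason should be discoverable from the query itself, for example by appending to descriptionText a sentence such as `Severity is LOW because the control cannot be expressed in Terraform and must be verified out of band.`; the commit subject only says "severity updated". The matching fixture change in patch 6/7 follows from this one and needs no separate note.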
@@ -1,74 +1,74 @@ [ { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 14, "fileName": "positive1.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 23, "fileName": "positive2.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 25, "fileName": "positive3.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 24, "fileName": "positive4.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 23, "fileName": "positive4.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 1, "fileName": "positive5.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 8, "fileName": "positive6.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 10, "fileName": "positive7.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 8, "fileName": "positive8.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 9, "fileName": "positive8.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 28, "fileName": "positive9.tf" }, { "queryName": "S3 Bucket Without Enabled MFA Delete", - "severity": "HIGH", + "severity": "LOW", "line": 27, "fileName": "positive10.tf" } From 2ada9186a9cd2af92200f6df3568d89ab21d8ded Mon Sep 17 00:00:00 2001 
From: gabriel-cx Date: Thu, 28 Mar 2024 11:24:38 +0000 Subject: [PATCH 7/7] fix(queries): removing deprecated queries --- .../metadata.json | 11 ---- .../query.rego | 54 ------------------ .../test/negative.yaml | 25 -------- .../test/negative1.yaml | 21 ------- .../test/positive.yaml | 32 ----------- .../test/positive2.yaml | 16 ------ .../test/positive_expected_result.json | 26 --------- .../metadata.json | 11 ---- .../query.rego | 57 ------------------- .../test/negative.yaml | 24 -------- .../test/negative1.yaml | 20 ------- .../test/positive.yaml | 32 ----------- .../test/positive2.yaml | 15 ----- .../test/positive_expected_result.json | 26 --------- 14 files changed, 370 deletions(-) delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative.yaml delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive.yaml delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive2.yaml delete mode 100644 assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json delete mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json delete mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego delete mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative.yaml delete mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml delete mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive.yaml delete mode 100644 
assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive2.yaml delete mode 100644 assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json deleted file mode 100644 index c25235b526b..00000000000 --- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "id": "9d43040e-e703-4e16-8bfe-8d4da10fa7e6", - "queryName": "Container CPU Requests Not Equal To Its Limits", - "severity": "LOW", - "category": "Best Practices", - "descriptionText": "A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.", - "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "platform": "Kubernetes", - "descriptionID": "3e1c6d16", - "cwe": "" -} diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego deleted file mode 100644 index b539d26fc71..00000000000 --- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego +++ /dev/null 
@@ -1,54 +0,0 @@ -package Cx - -import data.generic.common as common_lib -import data.generic.k8s as k8sLib - -types := {"initContainers", "containers"} -rec := {"requests", "limits"} - -CxPolicy[result] { - document := input.document[i] - document.kind == k8sLib.valid_pod_spec_kind_list[_] - specInfo := k8sLib.getSpecInfo(document) - container := specInfo.spec[types[x]][c] - - has_request_or_limits(container) - not common_lib.valid_key(container.resources[rec[t]], "cpu") - - result := { - "documentId": document.id, - "resourceType": document.kind, - "resourceName": document.metadata.name, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.%s", [document.metadata.name, specInfo.path, types[x], container.name, rec[t]]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("spec.%s[%s].resources.%s.cpu should be defined", [types[x], container.name, rec[t]]), - "keyActualValue": sprintf("spec.%s[%s].resources.%s.cpu is not defined", [types[x], container.name, rec[t]]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources", rec[t]]), - } -} - -CxPolicy[result] { - document := input.document[i] - document.kind == k8sLib.valid_pod_spec_kind_list[_] - specInfo := k8sLib.getSpecInfo(document) - container := specInfo.spec[types[x]][c] - - container.resources.requests.cpu != container.resources.limits.cpu - - result := { - "documentId": document.id, - "resourceType": document.kind, - "resourceName": document.metadata.name, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources", [document.metadata.name, specInfo.path, types[x], container.name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("spec.%s[%s].resources.requests.cpu is equal to spec.%s[%s].resources.limits.cpu", [types[x], container.name, types[x], container.name]), - "keyActualValue": sprintf("spec.%s[%s].resources.requests.cpu is not equal to spec.%s[%s].resources.limits.cpu", [types[x], 
container.name, types[x], container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources"]), - } -} - -has_request_or_limits(x){ - common_lib.valid_key(x.resources[rec["requests"]],"cpu") -}else{ - common_lib.valid_key(x.resources[rec["limits"]],"cpu") -} diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative.yaml b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative.yaml deleted file mode 100644 index 9045cb76a00..00000000000 --- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative.yaml +++ /dev/null @@ -1,25 +0,0 @@ -#this code is a correct code for which the query should not find any result -apiVersion: v1 -kind: Pod -metadata: - name: frontend -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - memory: "128Mi" - cpu: "500m" - limits: - memory: "128Mi" - cpu: "500m" - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - resources: - requests: - memory: "128Mi" - cpu: "500m" - limits: - memory: "128Mi" - cpu: "500m" \ No newline at end of file diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml deleted file mode 100644 index 17b3ca99f22..00000000000 --- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml +++ /dev/null @@ -1,21 +0,0 @@ -#this code is a correct code for which the query should not find any result -apiVersion: v1 -kind: Pod -metadata: - name: frontend -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - memory: "128Mi" - limits: - memory: "128Mi" - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - resources: - requests: - memory: "128Mi" - limits: - memory: "128Mi" 
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive.yaml b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive.yaml deleted file mode 100644 index 5706027ac69..00000000000 --- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive.yaml +++ /dev/null @@ -1,32 +0,0 @@ -#this is a problematic code where the query should report a result(s) -apiVersion: v1 -kind: Pod -metadata: - name: frontend -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - memory: "128Mi" - limits: - memory: "128Mi" - cpu: "500m" - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - resources: - requests: - memory: "128Mi" - cpu: "500m" - limits: - memory: "128Mi" - - name: app2 - image: images.my-company.example/app:v4 - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" \ No newline at end of file diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive2.yaml b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive2.yaml deleted file mode 100644 index f94dfc40f58..00000000000 --- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive2.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: serving.knative.dev/v1 -kind: Revision -metadata: - name: dummy-rev - namespace: knative-sequence -spec: - containers: - - name: app2 - image: images.my-company.example/app:v4 - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json deleted file mode 100644 index 61a80c2247e..00000000000 
--- a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json +++ /dev/null @@ -1,26 +0,0 @@ -[ - { - "queryName": "Container CPU Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 11, - "fileName": "positive.yaml" - }, - { - "queryName": "Container CPU Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 22, - "fileName": "positive.yaml" - }, - { - "queryName": "Container CPU Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 26, - "fileName": "positive.yaml" - }, - { - "queryName": "Container CPU Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 10, - "fileName": "positive2.yaml" - } -] diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json deleted file mode 100644 index 8a08d4a9654..00000000000 --- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "id": "aafa7d94-62de-4fbf-8838-b69ee217b0e6", - "queryName": "Container Memory Requests Not Equal To Its Limits", - "severity": "LOW", - "category": "Resource Management", - "descriptionText": "A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.", - "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "platform": "Kubernetes", - "descriptionID": "0c15063c", - "cwe": "" -} diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego deleted file mode 100644 index dc2b504268a..00000000000 --- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego +++ /dev/null 
@@ -1,57 +0,0 @@ -package Cx - -import data.generic.common as common_lib -import data.generic.k8s as k8sLib - -types := {"initContainers", "containers"} -rec := {"requests", "limits"} - -CxPolicy[result] { - document := input.document[i] - document.kind == k8sLib.valid_pod_spec_kind_list[_] - specInfo := k8sLib.getSpecInfo(document) - container := specInfo.spec[types[x]][c] - - has_request_or_limits(container) - not common_lib.valid_key(container.resources[rec[t]], "memory") - - result := { - "documentId": document.id, - "resourceType": document.kind, - "resourceName": document.metadata.name, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.%s", [document.metadata.name,specInfo.path, types[x], container.name, rec[t]]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("spec.%s[%s].resources.%s.memory should be defined", [types[x], container.name, rec[t]]), - "keyActualValue": sprintf("spec.%s[%s].resources.%s.memory is not defined", [types[x], container.name, rec[t]]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources", rec[t]]) - } -} - -CxPolicy[result] { - document := input.document[i] - document.kind == k8sLib.valid_pod_spec_kind_list[_] - - specInfo := k8sLib.getSpecInfo(document) - types := {"initContainers", "containers"} - - container := specInfo.spec[types[x]][c] - - container.resources.requests.memory != container.resources.limits.memory - - result := { - "documentId": document.id, - "resourceType": document.kind, - "resourceName": document.metadata.name, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources", [document.metadata.name, specInfo.path,types[x], container.name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("spec.%s[%s].resources.requests.memory is equal to spec.%s[%s].resources.limits.memory", [types[x], container.name, types[x], container.name]), - "keyActualValue": sprintf("spec.%s[%s].resources.requests.memory is not 
equal to spec.%s[%s].resources.limits.memory", [types[x], container.name, types[x], container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources"]) - } -} - -has_request_or_limits(x){ - common_lib.valid_key(x.resources[rec["requests"]],"memory") -}else{ - common_lib.valid_key(x.resources[rec["limits"]],"memory") -} diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative.yaml b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative.yaml deleted file mode 100644 index 23541fe6fc9..00000000000 --- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: frontend -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - memory: "128Mi" - cpu: "500m" - limits: - memory: "128Mi" - cpu: "500m" - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - resources: - requests: - memory: "128Mi" - cpu: "500m" - limits: - memory: "128Mi" - cpu: "500m" diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml deleted file mode 100644 index 23c4aca5619..00000000000 --- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: frontend -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - cpu: "500m" - limits: - cpu: "500m" - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - resources: - requests: - cpu: "500m" - limits: - cpu: "500m" 
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive.yaml b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive.yaml deleted file mode 100644 index 8d994b59d70..00000000000 --- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive.yaml +++ /dev/null @@ -1,32 +0,0 @@ -#this is a problematic code where the query should report a result(s) -apiVersion: v1 -kind: Pod -metadata: - name: frontend -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - cpu: "500m" - limits: - memory: "128Mi" - cpu: "500m" - - name: log-aggregator - image: images.my-company.example/log-aggregator:v6 - resources: - requests: - memory: "128Mi" - cpu: "500m" - limits: - cpu: "500m" - - name: app2 - image: images.my-company.example/app:v4 - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" \ No newline at end of file diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive2.yaml b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive2.yaml deleted file mode 100644 index 1075b5fc435..00000000000 --- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive2.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: serving.knative.dev/v1 -kind: Revision -metadata: - name: dummy-rev - namespace: knative-sequence -spec: - containers: - - name: app - image: images.my-company.example/app:v4 - resources: - requests: - cpu: "500m" - limits: - memory: "128Mi" - cpu: "500m" diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json deleted file mode 100644 index 998df986586..00000000000 
--- a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json +++ /dev/null @@ -1,26 +0,0 @@ -[ - { - "queryName": "Container Memory Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 11, - "fileName": "positive.yaml" - }, - { - "queryName": "Container Memory Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 22, - "fileName": "positive.yaml" - }, - { - "queryName": "Container Memory Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 26, - "fileName": "positive.yaml" - }, - { - "queryName": "Container Memory Requests Not Equal To Its Limits", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - } -]