Update exclusions check to only fail under certain conditions. extern…

…al feeds, disabled drivers Signed-off-by: Hung Nguyen <[email protected]>
anchore · Oct 10, 2024 · 7606537 · 7606537
1 parent 62d0980
commit 7606537
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 3 deletions.
diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml
@@ -201,8 +201,16 @@ services:
             enabled: true
       matching:
         exclude:
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
           providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
+          {{- else }}
+          providers: []
+          {{- end }}
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
           package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
+          {{- else }}
+          package_types: []
+          {{- end }}
         default:
           search:
             by_cpe:

diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml
@@ -209,8 +209,16 @@ services:
             enabled: true
       matching:
         exclude:
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
           providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
+          {{- else }}
+          providers: []
+          {{- end }}
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
           package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
+          {{- else }}
+          package_types: []
+          {{- end }}
         default:
           search:
             by_cpe:

diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl
@@ -154,4 +154,91 @@ secretName: {{ . }}
 {{- else }}
 secretName: {{ template "enterprise.fullname" . }}-license
 {{- end }}
-{{- end -}}
+{{- end -}}
+
+{{- define "checkDriverEnabled" -}}
+  {{- $drivers := .drivers -}}
+  {{- $driverName := .driverName -}}
+  {{- $driver := index $drivers $driverName -}}
+  {{- if $driver }}
+    {{- $driverEnabled := index $driver "enabled" -}}
+    {{- if not $driverEnabled }}
+      # we only ever update notify to true, we should never override a true value to false
+      {{- $notify := .notify -}}
+      {{- $_ := set . "notify" true -}}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "enterprise.exclusionCheck" -}}
+
+{{ $notify := false }}
+
+{{ $feeds := index .Values "feeds" }}
+{{- if $feeds -}}
+  {{ $feedsChartEnabled := index .Values "feeds" "chartEnabled" }}
+  {{- if (not $feedsChartEnabled) -}}
+    {{ $notify = true }}
+  {{- end -}}
+  # check extraEnvs to see if it contains a key with "DRIVER" in its name. If so, notify so manual action is taken
+  {{- if not $notify -}}
+    {{ $feedsExtraEnvs := index .Values "feeds" "extraEnv" }}
+    {{- if $feedsExtraEnvs -}}
+      {{- range $index, $val := $feedsExtraEnvs -}}
+        {{- if contains "ANCHORE_FEEDS_DRIVER" .name -}}
+          {{ $notify = true }}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if not $notify -}}
+    {{- $anchoreConfig := index $feeds "anchoreConfig" }}
+    {{- if $anchoreConfig }}
+      {{- $anchoreFeeds := index $anchoreConfig "feeds" }}
+      {{- if $anchoreFeeds }}
+        {{- $drivers := index $anchoreFeeds "drivers" }}
+        {{- if $drivers }}
+
+
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "gem" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "github" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "msrc" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "npm" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+
+{{- end -}}
+
+# check extraEnvs to see if it contains a key with "DRIVER" in its name. If so, notify so manual action is taken
+{{- if not $notify -}}
+  {{- range $index, $val := .Values.extraEnv -}}
+    {{- if contains "ANCHORE_FEEDS_DRIVER" .name -}}
+      {{ $notify = true }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{ if $notify }}
+    {{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}}
+    {{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/stable/enterprise/templates/anchore_configmap.yaml b/stable/enterprise/templates/anchore_configmap.yaml
@@ -1,5 +1,4 @@
-{{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}}
-{{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}}
+{{- include "enterprise.exclusionCheck" . -}}
 kind: ConfigMap
 apiVersion: v1
 metadata: