refactor: move setting scanners when using compliance reports to flag…
… parsing (#6619)
DmitriyLewen authored May 3, 2024
1 parent 998f750 commit 14c1024
Showing 3 changed files with 74 additions and 21 deletions.
42 changes: 42 additions & 0 deletions pkg/commands/app_test.go
Expand Up @@ -172,6 +172,7 @@ func TestFlags(t *testing.T) {
type want struct {
format types.Format
severities []dbTypes.Severity
scanners types.Scanners
}
tests := []struct {
name string
Expand All @@ -193,6 +194,10 @@ func TestFlags(t *testing.T) {
dbTypes.SeverityHigh,
dbTypes.SeverityCritical,
},
scanners: types.Scanners{
types.VulnerabilityScanner,
types.SecretScanner,
},
},
},
{
Expand All @@ -208,6 +213,10 @@ func TestFlags(t *testing.T) {
dbTypes.SeverityLow,
dbTypes.SeverityMedium,
},
scanners: types.Scanners{
types.VulnerabilityScanner,
types.SecretScanner,
},
},
},
{
Expand All @@ -225,6 +234,10 @@ func TestFlags(t *testing.T) {
dbTypes.SeverityLow,
dbTypes.SeverityHigh,
},
scanners: types.Scanners{
types.VulnerabilityScanner,
types.SecretScanner,
},
},
},
{
Expand All @@ -241,6 +254,33 @@ func TestFlags(t *testing.T) {
severities: []dbTypes.Severity{
dbTypes.SeverityCritical,
},
scanners: types.Scanners{
types.VulnerabilityScanner,
types.SecretScanner,
},
},
},
{
name: "happy path with scanners for compliance report",
arguments: []string{
"test",
"--scanners",
"license",
"--compliance",
"docker-cis",
},
want: want{
format: types.FormatTable,
severities: []dbTypes.Severity{
dbTypes.SeverityUnknown,
dbTypes.SeverityLow,
dbTypes.SeverityMedium,
dbTypes.SeverityHigh,
dbTypes.SeverityCritical,
},
scanners: types.Scanners{
types.VulnerabilityScanner,
},
},
},
{
Expand All @@ -264,6 +304,7 @@ func TestFlags(t *testing.T) {
flags := &flag.Flags{
GlobalFlagGroup: globalFlags,
ReportFlagGroup: flag.NewReportFlagGroup(),
ScanFlagGroup: flag.NewScanFlagGroup(),
}
cmd := &cobra.Command{
Use: "test",
Expand All @@ -280,6 +321,7 @@ func TestFlags(t *testing.T) {

assert.Equal(t, tt.want.format, options.Format)
assert.Equal(t, tt.want.severities, options.Severities)
assert.Equal(t, tt.want.scanners, options.Scanners)
return nil
},
}
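Review bot: The new case "happy path with scanners for compliance report" asserts only `options.Scanners`, yet the compliance branch in `Options.Align` that this case is meant to pin also rewrites `ImageConfigScanners` for `docker-cis`, and that value goes unchecked here. I'd add `imageConfigScanners types.Scanners` to the `want` struct, expect `types.Scanners{types.MisconfigScanner, types.SecretScanner}` for the compliance case (nil for the others), and add `assert.Equal(t, tt.want.imageConfigScanners, options.ImageConfigScanners)` beside the new scanners assertion. A further case using a compliance spec other than `docker-cis` would exercise the `o.Compliance.Scanners()` path, which none of these cases reaches; whether a suitable built-in spec is loadable in this test context I can't tell from the hunk. `TestFlags` begins and ends outside the visible hunks.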
19 changes: 0 additions & 19 deletions pkg/commands/artifact/run.go
Expand Up @@ -533,25 +533,6 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
target = opts.Input
}

if opts.Compliance.Spec.ID != "" {
// set scanners types by spec
scanners, err := opts.Compliance.Scanners()
if err != nil {
return ScannerConfig{}, types.ScanOptions{}, xerrors.Errorf("scanner error: %w", err)
}

opts.Scanners = scanners
opts.ImageConfigScanners = nil
// TODO: define image-config-scanners in the spec
if opts.Compliance.Spec.ID == "docker-cis" {
opts.Scanners = types.Scanners{types.VulnerabilityScanner}
opts.ImageConfigScanners = types.Scanners{
types.MisconfigScanner,
types.SecretScanner,
}
}
}

scanOptions := types.ScanOptions{
VulnType: opts.VulnType,
Scanners: opts.Scanners,
34 changes: 32 additions & 2 deletions pkg/flag/options.go
Expand Up @@ -353,7 +353,7 @@ type Options struct {
}

// Align takes consistency of options
func (o *Options) Align() {
func (o *Options) Align() error {
if o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
log.Info(`"--format spdx" and "--format spdx-json" disable security scanning`)
o.Scanners = nil
Expand All @@ -364,6 +364,34 @@ func (o *Options) Align() {
log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`)
o.Scanners = nil
}

if o.Compliance.Spec.ID != "" {
if viper.IsSet(ScannersFlag.ConfigName) {
log.Info(`The option to change scanners is disabled for scanning with the "--compliance" flag. Default scanners used.`)
}
if viper.IsSet(ImageConfigScannersFlag.ConfigName) {
log.Info(`The option to change image config scanners is disabled for scanning with the "--compliance" flag. Default image config scanners used.`)
}

// set scanners types by spec
scanners, err := o.Compliance.Scanners()
if err != nil {
return xerrors.Errorf("scanner error: %w", err)
}

o.Scanners = scanners
o.ImageConfigScanners = nil
// TODO: define image-config-scanners in the spec
if o.Compliance.Spec.ID == types.ComplianceDockerCIS {
o.Scanners = types.Scanners{types.VulnerabilityScanner}
o.ImageConfigScanners = types.Scanners{
types.MisconfigScanner,
types.SecretScanner,
}
}
}

return nil
}

// RegistryOpts returns options for OCI registries
Expand Down Expand Up @@ -693,7 +721,9 @@ func (f *Flags) ToOptions(args []string) (Options, error) {
}
}

opts.Align()
if err := opts.Align(); err != nil {
return Options{}, xerrors.Errorf("align options error: %w", err)
}

return opts, nil
}
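Review bot: The two `log.Info` calls added in the compliance branch of `Align` announce that an explicit `--scanners` / `--image-config-scanners` request is being discarded, which is a warning-level event for an operator who asked for secret or misconfig scanning and will silently get a narrower scan than requested; the wording is also inaccurate, since the spec's scanners rather than the defaults are applied. I'd raise both to the package's warning level and fix the text, e.g. `log.Warn(`"--scanners" is ignored when "--compliance" is specified; the scanners defined by the compliance spec are used.`)` for the first and the analogous message for the second. The new block also runs after the SPDX/CycloneDX branches that set `o.Scanners = nil`, so `--format spdx` combined with `--compliance` appears to re-enable scanners despite the "disable security scanning" message just logged — worth documenting or rejecting that combination, though I can't see from here whether it is reachable. The existing doc comment `// Align takes consistency of options` should describe the new error return, e.g. `// Align reconciles interdependent options in place; it returns an error when the compliance spec's scanners cannot be resolved.` Align's body spans the first two hunks with lines elided between them.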
