From 14c1024b47bff7e2fd59ccfa735906b8ffff2614 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Fri, 3 May 2024 17:27:37 +0600
Subject: [PATCH] refactor: move setting scanners when using compliance reports to flag parsing (#6619)

---
 pkg/commands/app_test.go | 42 ++++++++++++++++++++++++++++++++++++
 pkg/commands/artifact/run.go | 19 ----------------
 pkg/flag/options.go | 34 +++++++++++++++++++++++++++--
 3 files changed, 74 insertions(+), 21 deletions(-)

diff --git a/pkg/commands/app_test.go b/pkg/commands/app_test.go
index c1f1593cf53c..858e2ed6b245 100644
--- a/pkg/commands/app_test.go
+++ b/pkg/commands/app_test.go
@@ -172,6 +172,7 @@ func TestFlags(t *testing.T) {
 	type want struct {
 		format     types.Format
 		severities []dbTypes.Severity
+		scanners   types.Scanners
 	}
 	tests := []struct {
 		name      string
@@ -193,6 +194,10 @@ func TestFlags(t *testing.T) {
 					dbTypes.SeverityHigh,
 					dbTypes.SeverityCritical,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
 			},
 		},
 		{
@@ -208,6 +213,10 @@ func TestFlags(t *testing.T) {
 					dbTypes.SeverityLow,
 					dbTypes.SeverityMedium,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
 			},
 		},
 		{
@@ -225,6 +234,10 @@ func TestFlags(t *testing.T) {
 					dbTypes.SeverityLow,
 					dbTypes.SeverityHigh,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
 			},
 		},
 		{
@@ -241,6 +254,33 @@ func TestFlags(t *testing.T) {
 				severities: []dbTypes.Severity{
 					dbTypes.SeverityCritical,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
+			},
+		},
+		{
+			name: "happy path with scanners for compliance report",
+			arguments: []string{
+				"test",
+				"--scanners",
+				"license",
+				"--compliance",
+				"docker-cis",
+			},
+			want: want{
+				format: types.FormatTable,
+				severities: []dbTypes.Severity{
+					dbTypes.SeverityUnknown,
+					dbTypes.SeverityLow,
+					dbTypes.SeverityMedium,
+					dbTypes.SeverityHigh,
+					dbTypes.SeverityCritical,
+				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+				},
 			},
 		},
 		{
@@ -264,6 +304,7 @@ func TestFlags(t *testing.T) {
 			flags := &flag.Flags{
 				GlobalFlagGroup: globalFlags,
 				ReportFlagGroup: flag.NewReportFlagGroup(),
+				ScanFlagGroup:   flag.NewScanFlagGroup(),
 			}
 			cmd := &cobra.Command{
 				Use: "test",
@@ -280,6 +321,7 @@ func TestFlags(t *testing.T) {
 
 				assert.Equal(t, tt.want.format, options.Format)
 				assert.Equal(t, tt.want.severities, options.Severities)
+				assert.Equal(t, tt.want.scanners, options.Scanners)
 				return nil
 			},
 		}
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index a1fde23d519f..d6a61018fecc 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
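Review bot: The new "happy path with scanners for compliance report" case pins only `options.Scanners`, but the logic being moved into flag parsing also rewrites `ImageConfigScanners` (nil for a spec's own scanners, Misconfig+Secret for docker-cis), and nothing in this test observes that field. Adding `imageConfigScanners types.Scanners` to `want`, setting it to `types.Scanners{types.MisconfigScanner, types.SecretScanner}` in the compliance case, and asserting `assert.Equal(t, tt.want.imageConfigScanners, options.ImageConfigScanners)` beside the scanners assertion in the `@@ -280` hunk would cover it. The existing cases would then need the scan flag group's default for that field, which is not visible in this diff and should be confirmed before relying on a nil expectation. The `--scanners license` argument only shows that the flag is overridden for docker-cis; a case with a spec whose scanners come from `Compliance.Scanners()` would exercise the other branch. TestFlags continues outside these hunks.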
@@ -533,25 +533,6 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		target = opts.Input
 	}
 
-	if opts.Compliance.Spec.ID != "" {
-		// set scanners types by spec
-		scanners, err := opts.Compliance.Scanners()
-		if err != nil {
-			return ScannerConfig{}, types.ScanOptions{}, xerrors.Errorf("scanner error: %w", err)
-		}
-
-		opts.Scanners = scanners
-		opts.ImageConfigScanners = nil
-		// TODO: define image-config-scanners in the spec
-		if opts.Compliance.Spec.ID == "docker-cis" {
-			opts.Scanners = types.Scanners{types.VulnerabilityScanner}
-			opts.ImageConfigScanners = types.Scanners{
-				types.MisconfigScanner,
-				types.SecretScanner,
-			}
-		}
-	}
-
 	scanOptions := types.ScanOptions{
 		VulnType: opts.VulnType,
 		Scanners: opts.Scanners,
diff --git a/pkg/flag/options.go b/pkg/flag/options.go
index 9d49f5dfe807..744abbd1ddaa 100644
--- a/pkg/flag/options.go
+++ b/pkg/flag/options.go
@@ -353,7 +353,7 @@ type Options struct {
 }
 
 // Align takes consistency of options
-func (o *Options) Align() {
+func (o *Options) Align() error {
 	if o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
 		log.Info(`"--format spdx" and "--format spdx-json" disable security scanning`)
 		o.Scanners = nil
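Review bot: The doc comment on `Align` in the `@@ -353` hunk is left as `// Align takes consistency of options` even though the method now returns an error, so a reader cannot tell from the comment when it can fail. Suggest `// Align makes the options consistent with each other (format, scanners, compliance spec) and returns an error when the compliance spec's scanners cannot be resolved.` The body of Align continues past this hunk into the next one.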
@@ -364,6 +364,34 @@ func (o *Options) Align() {
 		log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`)
 		o.Scanners = nil
 	}
+
+	if o.Compliance.Spec.ID != "" {
+		if viper.IsSet(ScannersFlag.ConfigName) {
+			log.Info(`The option to change scanners is disabled for scanning with the "--compliance" flag. Default scanners used.`)
+		}
+		if viper.IsSet(ImageConfigScannersFlag.ConfigName) {
+			log.Info(`The option to change image config scanners is disabled for scanning with the "--compliance" flag. Default image config scanners used.`)
+		}
+
+		// set scanners types by spec
+		scanners, err := o.Compliance.Scanners()
+		if err != nil {
+			return xerrors.Errorf("scanner error: %w", err)
+		}
+
+		o.Scanners = scanners
+		o.ImageConfigScanners = nil
+		// TODO: define image-config-scanners in the spec
+		if o.Compliance.Spec.ID == types.ComplianceDockerCIS {
+			o.Scanners = types.Scanners{types.VulnerabilityScanner}
+			o.ImageConfigScanners = types.Scanners{
+				types.MisconfigScanner,
+				types.SecretScanner,
+			}
+		}
+	}
+
+	return nil
 }
 
 // RegistryOpts returns options for OCI registries
@@ -693,7 +721,9 @@ func (f *Flags) ToOptions(args []string) (Options, error) {
 		}
 	}
 
-	opts.Align()
+	if err := opts.Align(); err != nil {
+		return Options{}, xerrors.Errorf("align options error: %w", err)
+	}
 
 	return opts, nil
 }
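Review bot: The log text "Default scanners used." in the new `viper.IsSet(ScannersFlag.ConfigName)` branch is inaccurate: the lines that follow replace the scanners with the compliance spec's own set (or the hard-coded docker-cis set), not the defaults, so a user who passed `--scanners` is told the wrong thing about what will actually run. A message along the lines of "The --scanners option is ignored with --compliance; the scanners defined by the compliance spec are used." describes the real behaviour, and the `ImageConfigScannersFlag` message two lines below has the same problem. Since this block silently narrows or widens the scan scope the user asked for, emitting it at a warning level rather than Info would make it harder to miss, if the log package provides one. Note also that this block runs after the SPDX/CycloneDX blocks that set `o.Scanners = nil`, so `--compliance` re-enables scanning for those formats; that matches the ordering the old run.go code had, but a one-line comment saying the compliance spec deliberately wins would stop the next reader treating it as a bug.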
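Review bot: The wrapping message `align options error: %w` added in ToOptions, like `scanner error: %w` in Align, carries a redundant "error" word that reads badly once the chain is printed (`align options error: scanner error: ...`). Go convention is for each layer to say what it was doing, e.g. `return Options{}, xerrors.Errorf("aligning options: %w", err)` here and `return xerrors.Errorf("resolving compliance scanners: %w", err)` in Align. ToOptions begins outside this hunk.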