refactor(deps): Merge defsec into Trivy

go.mod

@@ -117,6 +117,8 @@ require (
 )
 
 require (
+	github.com/Masterminds/semver v1.5.0
+	github.com/alecthomas/chroma v0.10.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aws/smithy-go v1.19.0
 	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
@@ -127,6 +129,7 @@ require (
 	github.com/liamg/memoryfs v1.6.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/olekukonko/tablewriter v0.0.5
+	github.com/owenrumney/squealer v1.2.1
 	github.com/zclconf/go-cty v1.13.0
 	github.com/zclconf/go-cty-yaml v1.0.3
 	golang.org/x/crypto v0.18.0
@@ -164,7 +167,6 @@ require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
-	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
@@ -337,6 +339,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/runc v1.1.5 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -430,3 +433,5 @@ require (
 // testcontainers-go has a bug with versions v0.25.0 and v0.26.0
 // ref: https://github.com/testcontainers/testcontainers-go/issues/1782
 replace github.com/testcontainers/testcontainers-go => github.com/testcontainers/testcontainers-go v0.23.0
+
+replace github.com/aquasecurity/trivy-aws => /Users/simarpreetsingh/repos/trivy-aws

go.sum

@@ -344,8 +344,6 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-aws v0.7.1 h1:XElKZsP9Hqe2JVekQgGCIkFtgRgVlP+80wKL2JWBctk=
-github.com/aquasecurity/trivy-aws v0.7.1/go.mod h1:bJT7pzsqo9q5yi3arJSt789bAH0eDb7c+niFYMBNcMQ=
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
 github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=

internal/adapters/arm/adapt.go

@@ -0,0 +1,50 @@
+package arm
+
+import (
+	"context"
+
+	"github.com/aquasecurity/trivy/internal/adapters/arm/appservice"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/authorization"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/compute"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/container"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/database"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/datafactory"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/datalake"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/keyvault"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/monitor"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/network"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/securitycenter"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/storage"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/synapse"
+
+	"github.com/aquasecurity/trivy/pkg/providers/azure"
+	scanner "github.com/aquasecurity/trivy/pkg/scanners/azure"
+	"github.com/aquasecurity/trivy/pkg/state"
+)
+
+// Adapt ...
+func Adapt(ctx context.Context, deployment scanner.Deployment) *state.State {
+	return &state.State{
+		Azure: adaptAzure(deployment),
+	}
+}
+
+func adaptAzure(deployment scanner.Deployment) azure.Azure {
+
+	return azure.Azure{
+		AppService:     appservice.Adapt(deployment),
+		Authorization:  authorization.Adapt(deployment),
+		Compute:        compute.Adapt(deployment),
+		Container:      container.Adapt(deployment),
+		Database:       database.Adapt(deployment),
+		DataFactory:    datafactory.Adapt(deployment),
+		DataLake:       datalake.Adapt(deployment),
+		KeyVault:       keyvault.Adapt(deployment),
+		Monitor:        monitor.Adapt(deployment),
+		Network:        network.Adapt(deployment),
+		SecurityCenter: securitycenter.Adapt(deployment),
+		Storage:        storage.Adapt(deployment),
+		Synapse:        synapse.Adapt(deployment),
+	}
+
+}

internal/adapters/arm/appservice/adapt.go

@@ -0,0 +1,58 @@
+package appservice
+
+import (
+	"github.com/aquasecurity/trivy/pkg/providers/azure/appservice"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+	defsecTypes "github.com/aquasecurity/trivy/pkg/types"
+)
+
+func Adapt(deployment azure.Deployment) appservice.AppService {
+	return appservice.AppService{
+		Services:     adaptServices(deployment),
+		FunctionApps: adaptFunctionApps(deployment),
+	}
+}
+
+func adaptFunctionApps(deployment azure.Deployment) []appservice.FunctionApp {
+	var functionApps []appservice.FunctionApp
+
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
+		functionApps = append(functionApps, adaptFunctionApp(resource))
+	}
+	return functionApps
+}
+
+func adaptServices(deployment azure.Deployment) []appservice.Service {
+	var services []appservice.Service
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
+		services = append(services, adaptService(resource))
+	}
+	return services
+}
+
+func adaptFunctionApp(resource azure.Resource) appservice.FunctionApp {
+	return appservice.FunctionApp{
+		Metadata:  resource.Metadata,
+		HTTPSOnly: resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+	}
+}
+
+func adaptService(resource azure.Resource) appservice.Service {
+	return appservice.Service{
+		Metadata:         resource.Metadata,
+		EnableClientCert: resource.Properties.GetMapValue("clientCertEnabled").AsBoolValue(false, resource.Properties.GetMetadata()),
+		Identity: struct{ Type defsecTypes.StringValue }{
+			Type: resource.Properties.GetMapValue("identity").GetMapValue("type").AsStringValue("", resource.Properties.GetMetadata()),
+		},
+		Authentication: struct{ Enabled defsecTypes.BoolValue }{
+			Enabled: resource.Properties.GetMapValue("siteAuthSettings").GetMapValue("enabled").AsBoolValue(false, resource.Properties.GetMetadata()),
+		},
+		Site: struct {
+			EnableHTTP2       defsecTypes.BoolValue
+			MinimumTLSVersion defsecTypes.StringValue
+		}{
+			EnableHTTP2:       resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+			MinimumTLSVersion: resource.Properties.GetMapValue("minTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
+		},
+	}
+}

internal/adapters/arm/authorization/adapt.go

@@ -0,0 +1,38 @@
+package authorization
+
+import (
+	"github.com/aquasecurity/trivy/pkg/providers/azure/authorization"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) authorization.Authorization {
+	return authorization.Authorization{
+		RoleDefinitions: adaptRoleDefinitions(deployment),
+	}
+}
+
+func adaptRoleDefinitions(deployment azure.Deployment) (roleDefinitions []authorization.RoleDefinition) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Authorization/roleDefinitions") {
+		roleDefinitions = append(roleDefinitions, adaptRoleDefinition(resource))
+	}
+	return roleDefinitions
+}
+
+func adaptRoleDefinition(resource azure.Resource) authorization.RoleDefinition {
+
+	return authorization.RoleDefinition{
+		Metadata:         resource.Metadata,
+		Permissions:      adaptPermissions(resource),
+		AssignableScopes: resource.Properties.GetMapValue("assignableScopes").AsStringValuesList(""),
+	}
+}
+
+func adaptPermissions(resource azure.Resource) (permissions []authorization.Permission) {
+	for _, permission := range resource.Properties.GetMapValue("permissions").AsList() {
+		permissions = append(permissions, authorization.Permission{
+			Metadata: resource.Metadata,
+			Actions:  permission.GetMapValue("actions").AsStringValuesList(""),
+		})
+	}
+	return permissions
+}

internal/adapters/arm/compute/adapt.go

@@ -0,0 +1,85 @@
+package compute
+
+import (
+	"github.com/aquasecurity/trivy/pkg/providers/azure/compute"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+	defsecTypes "github.com/aquasecurity/trivy/pkg/types"
+)
+
+func Adapt(deployment azure.Deployment) compute.Compute {
+	return compute.Compute{
+		LinuxVirtualMachines:   adaptLinuxVirtualMachines(deployment),
+		WindowsVirtualMachines: adaptWindowsVirtualMachines(deployment),
+		ManagedDisks:           adaptManagedDisks(deployment),
+	}
+}
+
+func adaptManagedDisks(deployment azure.Deployment) (managedDisks []compute.ManagedDisk) {
+
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/disks") {
+		managedDisks = append(managedDisks, adaptManagedDisk(resource))
+	}
+
+	return managedDisks
+}
+
+func adaptManagedDisk(resource azure.Resource) compute.ManagedDisk {
+	hasEncryption := resource.Properties.HasKey("encryption")
+
+	return compute.ManagedDisk{
+		Metadata: resource.Metadata,
+		Encryption: compute.Encryption{
+			Metadata: resource.Metadata,
+			Enabled:  defsecTypes.Bool(hasEncryption, resource.Metadata),
+		},
+	}
+}
+
+func adaptWindowsVirtualMachines(deployment azure.Deployment) (windowsVirtualMachines []compute.WindowsVirtualMachine) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/virtualMachines") {
+		if resource.Properties.GetMapValue("osProfile").GetMapValue("windowsConfiguration").AsMap() != nil {
+			windowsVirtualMachines = append(windowsVirtualMachines, adaptWindowsVirtualMachine(resource))
+		}
+	}
+
+	return windowsVirtualMachines
+}
+
+func adaptWindowsVirtualMachine(resource azure.Resource) compute.WindowsVirtualMachine {
+	return compute.WindowsVirtualMachine{
+		Metadata: resource.Metadata,
+		VirtualMachine: compute.VirtualMachine{
+			Metadata: resource.Metadata,
+			CustomData: resource.Properties.GetMapValue("osProfile").
+				GetMapValue("customData").AsStringValue("", resource.Metadata),
+		},
+	}
+}
+
+func adaptLinuxVirtualMachines(deployment azure.Deployment) (linuxVirtualMachines []compute.LinuxVirtualMachine) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/virtualMachines") {
+		if resource.Properties.GetMapValue("osProfile").GetMapValue("linuxConfiguration").AsMap() != nil {
+			linuxVirtualMachines = append(linuxVirtualMachines, adaptLinuxVirtualMachine(resource))
+		}
+	}
+
+	return linuxVirtualMachines
+}
+
+func adaptLinuxVirtualMachine(resource azure.Resource) compute.LinuxVirtualMachine {
+	return compute.LinuxVirtualMachine{
+		Metadata: resource.Metadata,
+		VirtualMachine: compute.VirtualMachine{
+			Metadata: resource.Metadata,
+			CustomData: resource.Properties.GetMapValue("osProfile").
+				GetMapValue("customData").AsStringValue("", resource.Metadata),
+		},
+		OSProfileLinuxConfig: compute.OSProfileLinuxConfig{
+			Metadata: resource.Metadata,
+			DisablePasswordAuthentication: resource.Properties.GetMapValue("osProfile").
+				GetMapValue("linuxConfiguration").
+				GetMapValue("disablePasswordAuthentication").AsBoolValue(false, resource.Metadata),
+		},
+	}
+
+}

internal/adapters/arm/compute/adapt_test.go

@@ -0,0 +1,60 @@
+package compute
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+	"github.com/aquasecurity/trivy/pkg/types"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_AdaptLinuxVM(t *testing.T) {
+
+	input := azure.Deployment{
+		Resources: []azure.Resource{
+			{
+				Type: azure.NewValue("Microsoft.Compute/virtualMachines", types.NewTestMisconfigMetadata()),
+				Properties: azure.NewValue(map[string]azure.Value{
+					"osProfile": azure.NewValue(map[string]azure.Value{
+						"linuxConfiguration": azure.NewValue(map[string]azure.Value{
+							"disablePasswordAuthentication": azure.NewValue(true, types.NewTestMisconfigMetadata()),
+						}, types.NewTestMisconfigMetadata()),
+					}, types.NewTestMisconfigMetadata()),
+				}, types.NewTestMisconfigMetadata()),
+			},
+		},
+	}
+
+	output := Adapt(input)
+
+	require.Len(t, output.LinuxVirtualMachines, 1)
+	require.Len(t, output.WindowsVirtualMachines, 0)
+
+	linuxVM := output.LinuxVirtualMachines[0]
+	assert.True(t, linuxVM.OSProfileLinuxConfig.DisablePasswordAuthentication.IsTrue())
+
+}
+
+func Test_AdaptWindowsVM(t *testing.T) {
+
+	input := azure.Deployment{
+		Resources: []azure.Resource{
+			{
+				Type: azure.NewValue("Microsoft.Compute/virtualMachines", types.NewTestMisconfigMetadata()),
+				Properties: azure.NewValue(map[string]azure.Value{
+					"osProfile": azure.NewValue(map[string]azure.Value{
+						"windowsConfiguration": azure.NewValue(map[string]azure.Value{}, types.NewTestMisconfigMetadata()),
+					}, types.NewTestMisconfigMetadata()),
+				}, types.NewTestMisconfigMetadata()),
+			},
+		},
+	}
+
+	output := Adapt(input)
+
+	require.Len(t, output.LinuxVirtualMachines, 0)
+	require.Len(t, output.WindowsVirtualMachines, 1)
+}

internal/adapters/arm/container/adapt.go

@@ -0,0 +1,17 @@
+package container
+
+import (
+	"github.com/aquasecurity/trivy/pkg/providers/azure/container"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) container.Container {
+	return container.Container{
+		KubernetesClusters: adaptKubernetesClusters(deployment),
+	}
+}
+
+func adaptKubernetesClusters(deployment azure.Deployment) []container.KubernetesCluster {
+
+	return nil
+}

internal/adapters/arm/database/adapt.go

@@ -0,0 +1,35 @@
+package database
+
+import (
+	"github.com/aquasecurity/trivy/pkg/providers/azure/database"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) database.Database {
+	return database.Database{
+		MSSQLServers:      adaptMSSQLServers(deployment),
+		MariaDBServers:    adaptMariaDBServers(deployment),
+		MySQLServers:      adaptMySQLServers(deployment),
+		PostgreSQLServers: adaptPostgreSQLServers(deployment),
+	}
+}
+
+func adaptMySQLServers(deployment azure.Deployment) (mysqlDbServers []database.MySQLServer) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.DBforMySQL/servers") {
+		mysqlDbServers = append(mysqlDbServers, adaptMySQLServer(resource, deployment))
+	}
+	return mysqlDbServers
+}
+
+func adaptMySQLServer(resource azure.Resource, deployment azure.Deployment) database.MySQLServer {
+	return database.MySQLServer{
+		Metadata: resource.Metadata,
+		Server: database.Server{
+			Metadata:                  resource.Metadata,
+			EnableSSLEnforcement:      resource.Properties.GetMapValue("sslEnforcement").AsBoolValue(false, resource.Metadata),
+			MinimumTLSVersion:         resource.Properties.GetMapValue("minimalTlsVersion").AsStringValue("TLSEnforcementDisabled", resource.Metadata),
+			EnablePublicNetworkAccess: resource.Properties.GetMapValue("publicNetworkAccess").AsBoolValue(false, resource.Metadata),
+			FirewallRules:             addFirewallRule(resource),
+		},
+	}
+}