armosec · kooomix · May 1, 2024 · May 1, 2024 · May 1, 2024
diff --git a/...ions/scenarios_expected_values/attack-chain-5_security-risks-resources_sidebar_R0007.json b/...ions/scenarios_expected_values/attack-chain-5_security-risks-resources_sidebar_R0007.json
@@ -0,0 +1,53 @@
+{
+    "total": {
+        "value": 2,
+        "relation": "eq"
+    },
+    "response": [
+        {
+            "cluster": "systestcontrolnp",
+            "clusterShortName": "systestcontrolnp",
+            "namespace": "systest-ns-kywj",
+            "resourceName": "wordpress",
+            "kind": "Deployment",
+            "resourceID": "apps/v1/systest-ns-kywj/Deployment/wordpress",
+            "k8sResourceHash": "5478696838889374112",
+            "riskID": "C-0260",
+            "riskType": "Control",
+            "securityRiskID": "R_0007",
+            "status": "Detected",
+            "isNew": true,
+            "lastTimeDetected": "2024-05-01T06:23:40Z",
+            "exceptionApplied": false,
+            "exceptionPolicyGUID": "",
+            "controlID": "C-0260",
+            "reportGUID": "fdfa10a9-4b3d-4331-ba44-fad76ea1fac8",
+            "frameworkName": "security",
+            "networkPolicyStatus": 1,
+            "missingRuntimeInfoReason": 1
+        },
+        {
+            "cluster": "systestcontrolnp",
+            "clusterShortName": "systestcontrolnp",
+            "namespace": "systest-ns-kywj",
+            "resourceName": "wordpress-mysql",
+            "kind": "Deployment",
+            "resourceID": "apps/v1/systest-ns-kywj/Deployment/wordpress-mysql",
+            "k8sResourceHash": "15403887904473520079",
+            "riskID": "C-0260",
+            "riskType": "Control",
+            "securityRiskID": "R_0007",
+            "status": "Detected",
+            "isNew": true,
+            "lastTimeDetected": "2024-05-01T06:23:40Z",
+            "exceptionApplied": false,
+            "exceptionPolicyGUID": "",
+            "controlID": "C-0260",
+            "reportGUID": "fdfa10a9-4b3d-4331-ba44-fad76ea1fac8",
+            "frameworkName": "security",
+            "networkPolicyStatus": 1,
+            "missingRuntimeInfoReason": 1
+        }
+    ],
+    "cursor": ""
+}
diff --git a/configurations/system/tests_cases/security_risks_tests.py b/configurations/system/tests_cases/security_risks_tests.py
@@ -11,7 +11,7 @@ class SecurityRisksTests(object):
     @staticmethod
     # test security risks detection and resolve with kubescape helm chart
     # based on attack chain 5 scenarios.
-    def sr_detect_and_resolve_attack_chain():
+    def sr_r_0035_attack_chain():
         from tests_scripts.helm.ks_microservice import ScanSecurityRisksWithKubescapeHelmChart
         return TestConfiguration(
             name=inspect.currentframe().f_code.co_name,
@@ -31,7 +31,7 @@ def sr_detect_and_resolve_attack_chain():
     @staticmethod
     # test security risks detection and resolve with kubescape helm chart
     # based on attack chain 5 scenarios.
-    def sr_detect_and_resolve_control():
+    def sr_r_0005_control():
         from tests_scripts.helm.ks_microservice import ScanSecurityRisksWithKubescapeHelmChart
         return TestConfiguration(
             name=inspect.currentframe().f_code.co_name,
@@ -48,6 +48,26 @@ def sr_detect_and_resolve_control():
                          }
         )
 
+    @staticmethod
+    # test security risks detection and resolve with kubescape helm chart
+    # based on attack chain 5 scenarios.
+    def sr_r_0007_control_networkpolicy():
+        from tests_scripts.helm.ks_microservice import ScanSecurityRisksWithKubescapeHelmChart
+        return TestConfiguration(
+            name=inspect.currentframe().f_code.co_name,
+            test_obj=ScanSecurityRisksWithKubescapeHelmChart,
+            test_scenario="attack-chain-5",
+            test_job=[{"trigger_by": "scan_on_start", "security_risks_ids": ["R_0007"], "with_network_policy": True}],
+            fix_object="control",
+            relevancy_enabled=False,
+            helm_kwargs={
+                        statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED,
+                        statics.HELM_NETWORK_POLICY_FEATURE: statics.HELM_RELEVANCY_FEATURE_ENABLED,
+                         statics.HELM_NODE_AGENT_LEARNING_PERIOD: '30s',
+                         statics.HELM_NODE_AGENT_UPDATE_PERIOD: '10s'
+                         }
+        )
+
     @staticmethod
     # test security risks detection and resolve with kubescape helm chart
     # based on attack chain 5 scenarios.

diff --git a/readme.md b/readme.md
@@ -89,8 +89,9 @@ Please ensure all these details are accurately filled to maintain the effectiven
 | `synchronizer_proxy`                | helm-chart |  synchronizer network disconnection and proxy | in-cluster synchronizer, backend |
 | `synchronizer_race_condition`       | helm-chart |  synchronizer multiple frequent modifications | in-cluster synchronizer, backend |
 | `synchronizer_kubescape_crds`       | helm-chart |  synchronizer Kubescape CRDs | in-cluster synchronizer, backend |
-| `sr_detect_and_resolve_attack_chain`             | helm-chart |                                    | in-cluster kubescape, backend |
-| `sr_detect_and_resolve_control`             | helm-chart |                                    | in-cluster kubescape, backend |
+| `sr_r_0035_attack_chain`             | helm-chart |                                    | in-cluster kubescape, backend |
+| `sr_r_0005_control`             | helm-chart |                                    | in-cluster kubescape, backend |
+| `sr_r_0007_control_networkpolicy`             | helm-chart |                                    | in-cluster kubescape, backend |
 | `sr_with_exceptions`             | helm-chart |                                    | in-cluster kubescape, backend |
 | `basic_incident_presented`         | helm-chart |  basic incident from in cluster presented in BE API | in-cluster , backend |
 

diff --git a/system_test_mapping.json b/system_test_mapping.json
@@ -1225,7 +1225,7 @@
         "description": "testing slack alert channels with compliance and vulnerabilities notifications",
         "skip_on_environment": "production"
     },
-    "sr_detect_and_resolve_attack_chain": {
+    "sr_r_0035_attack_chain": {
         "target": [
             "In cluster",
             "Backend"
@@ -1239,7 +1239,21 @@
         "description": "",
         "skip_on_environment": ""
     },
-    "sr_detect_and_resolve_control": {
+    "sr_r_0005_control": {
+        "target": [
+            "In cluster",
+            "Backend"
+        ],
+        "target_repositories": [
+            "cadashboardbe",
+            "careportsreceiver",
+            "event-ingester-service",
+            "gateway"
+        ],
+        "description": "",
+        "skip_on_environment": ""
+    },
+    "sr_r_0007_control_networkpolicy": {
         "target": [
             "In cluster",
             "Backend"

diff --git a/systest_utils/scenarios_manager.py b/systest_utils/scenarios_manager.py
@@ -28,6 +28,7 @@
     "R_0002": "_security-risks-resources_sidebar_R0002", # control security risk type
     "R_0035": "_security-risks-resources_sidebar_R0035", # attack path security risk type
     "R_0005": "_security-risks-resources_sidebar_R0005", # control security risk type
+    "R_0007": "_security-risks-resources_sidebar_R0007", # control security risk type with network policy
 
 }
 
@@ -197,6 +198,7 @@ def __init__(self, test_obj, backend: backend_api.ControlPanelAPI, cluster, name
         super().__init__(test_obj, backend, cluster, namespace, SCENARIOS_TEST_PATH)
 
         self.test_security_risk_ids = test_obj["test_job"][0].get("security_risks_ids", [])
+        self.with_network_policy = test_obj["test_job"][0].get("with_network_policy", False)
 
     def verify_scenario(self):
         """
@@ -464,6 +466,11 @@ def verify_security_risks_list_uniquevalues(self, list_result):
                         "smartRemediation":"",
                         "exceptionApplied":"|empty"}
 
+        if self.with_network_policy:
+            baseFilters["label"] = ""
+            baseFilters["networkPolicyStatus"] = ""
+
+
         if self.test_security_risk_ids:
             baseFilters["securityRiskID"] = ','.join(self.test_security_risk_ids)
 

diff --git a/tests_scripts/helm/ks_microservice.py b/tests_scripts/helm/ks_microservice.py
@@ -106,7 +106,6 @@ def start(self):
         9. trigger scan after fix
         10. verify fix
         11. validate security risks trends
-        TODO: validate security risks trends
 
         """
         assert self.backend != None;
@@ -142,8 +141,6 @@ def start(self):
 
         Logger.logger.info("5. validating security risks severities")
         scenarios_manager.verify_security_risks_severities(result)
-
-        # TODO: Fix verify_security_risks_list_uniquevalues
         # verify unique values - no need to wait.
         Logger.logger.info("6. validating security risks unique values")
         scenarios_manager.verify_security_risks_list_uniquevalues(result["response"])