From fc88e48a749f88cd122407e6efd69a01071a16bf Mon Sep 17 00:00:00 2001
From: Johannes Feichtner
Date: Mon, 28 Feb 2022 00:04:45 +0100
Subject: [PATCH 1/2] fix(query): Fix searchKey and additional resource kinds in volume_mount_with_os_directory_write_permissions k8s rule

---
 .../query.rego | 35 +++++++++++--------
 .../test/positive_expected_result.json | 4 +--
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
index 894b8270734..14134f9be9c 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
@@ -1,40 +1,47 @@ package Cx import data.generic.common as common_lib +import data.generic.k8s as k8sLib types := {"initContainers", "containers"} CxPolicy[result] { - resource := input.document[i] - containers := resource.spec[types[x]] - volumeMounts := containers[_].volumeMounts + document := input.document[i] + metadata := document.metadata + specInfo := k8sLib.getSpecInfo(document) + container := specInfo.spec[types[x]][_] + + volumeMounts := container.volumeMounts is_os_dir(volumeMounts[v].mountPath) volumeMounts[v].readOnly == false result := { - "documentId": input.document[i].id, - "searchKey": sprintf("metadata.name={{%s}}.spec.%s.volumeMounts.name={{%s}}.readyOnly", [resource.metadata.name, types[x], volumeMounts[v].name]), + "documentId": document.id, + "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("spec.%s.volumeMounts[%s].readOnly is true", [types[x], volumeMounts[v].name]), - "keyActualValue": sprintf("spec.%s.volumeMounts[%s].readOnly is false", [types[x], volumeMounts[v].name]), + "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is true", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), + "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is false", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]), } } CxPolicy[result] { - resource := input.document[i] - containers := resource.spec[types[x]] - volumeMounts := containers[_].volumeMounts + document := input.document[i] + metadata := document.metadata + + specInfo := k8sLib.getSpecInfo(document) + container := specInfo.spec[types[x]][_] + volumeMounts := container.volumeMounts is_os_dir(volumeMounts[v].mountPath) not 
common_lib.valid_key(volumeMounts[v], "readOnly") result := {
-		"documentId": input.document[i].id,
-		"searchKey": sprintf("metadata.name={{%s}}.spec.%s.volumeMounts.name=%s", [resource.metadata.name, types[x], volumeMounts[v].name]),
+		"documentId": document.id,
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("spec.%s.volumeMounts[%s].readOnly is set", [types[x], volumeMounts[v].name]),
-		"keyActualValue": sprintf("spec.%s.volumeMounts[%s].readOnly is undefined", [types[x], volumeMounts[v].name]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is defined and set to false", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is undefined", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
 	}
 }
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json
index 0483f1799ca..7a9b20ea769 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json
@@ -2,12 +2,12 @@
   {
     "queryName": "Volume Mount With OS Directory Write Permissions",
     "severity": "MEDIUM",
-    "line": 13
+    "line": 14
   },
   {
     "queryName": "Volume Mount With OS Directory Write Permissions",
     "severity": "MEDIUM",
-    "line": 39
+    "line": 40
   },
   {
     "queryName": "Volume Mount With OS Directory Write Permissions",

From 5c30253d9ff31c4300dd5e969665ea0ca79892d5 Mon Sep 17 00:00:00 2001
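Review bot: Each rule now builds the same five-argument path three times — in `searchKey`, `keyExpectedValue` and `keyActualValue` — so any later change to the path format (the `{{%s}}` wrapping or the `specInfo.path` segment) has to be repeated in six sprintf calls across both rules, and the second patch's hunk at `@@ -40,7 +40,7` already has to touch one of them again. Binding the path once per rule and deriving the three strings from it keeps the searchKey, which appears to be what KICS resolves the reported line from (the `line` values in the fixture hunk shift once the `readyOnly` typo is gone), and the two messages guaranteed consistent. The sketch below shows the `IncorrectValue` rule; the `MissingAttribute` rule would mirror it with `"searchKey": keyPath` and the `is defined and set to true` / `is undefined` messages. `is_os_dir` is called here but defined outside the hunk.
```rego
CxPolicy[result] {
	# … unchanged: document / specInfo / container / volumeMounts bindings, is_os_dir and readOnly == false checks …

	# one canonical path per finding; searchKey and both messages are derived from it
	keyPath := sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name])

	result := {
		"documentId": document.id,
		"searchKey": sprintf("%s.readOnly", [keyPath]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("%s.readOnly is true", [keyPath]),
		"keyActualValue": sprintf("%s.readOnly is false", [keyPath]),
	}
}
```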
From: Johannes Feichtner
Date: Wed, 2 Mar 2022 19:37:54 +0100
Subject: [PATCH 2/2] Fixed keyExpectedValue to show readOnly: true instead of false

---
 .../volume_mount_with_os_directory_write_permissions/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
index 14134f9be9c..03b956481a6 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
@@ -40,7 +40,7 @@ CxPolicy[result] {
 		"documentId": document.id,
 		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is defined and set to false", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is defined and set to true", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
 		"keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}.readOnly is undefined", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
 	}
 }
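Review bot: The expectation text now reads `.readOnly is defined and set to true` in the MissingAttribute rule, while the IncorrectValue rule earlier in the file states the same requirement as `.readOnly is true`; both findings target the same mount, so using one phrasing in both (e.g. `.readOnly is true`, leaving `keyActualValue` to say whether it was `false` or undefined) makes the two results easier to group and grep. The value itself is right: an absent `readOnly` is what this rule treats as writable, so `true` is the thing to expect. The enclosing rule starts above this hunk.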