From 2d21bd950538d40e582bf08d0dfeca9523a7d758 Mon Sep 17 00:00:00 2001
From: rafaela-soares
Date: Tue, 21 Jun 2022 10:45:15 +0100
Subject: [PATCH 1/4] added mutex to lock addVulnerability

---
 pkg/engine/secrets/inspector.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go
index 896822eb5c7..bcb58871679 100644
--- a/pkg/engine/secrets/inspector.go
+++ b/pkg/engine/secrets/inspector.go
@@ -41,6 +41,7 @@ type Inspector struct {
 vulnerabilities []model.Vulnerability
 queryExecutionTimeout time.Duration
 foundLines []int
+ mu sync.RWMutex
 }
 
 type Entropy struct {
@@ -480,6 +481,7 @@ func (c *Inspector) addVulnerability(basePaths []string, file *model.FileMetadat
 log.Error().Msg("unable to compute similarity ID")
 }
 
+ c.mu.Lock()
 if _, ok := c.excludeResults[engine.PtrStringToString(simID)]; !ok {
 linesVuln := c.detector.GetAdjecent(file, lineNumber+1)
 if !ignoreLine(linesVuln.Line, file.LinesIgnore) {
@@ -505,6 +507,7 @@ func (c *Inspector) addVulnerability(basePaths []string, file *model.FileMetadat
 c.vulnerabilities = append(c.vulnerabilities, vuln)
 }
 }
+ c.mu.Unlock()
 }
 
 // CheckEntropyInterval - verifies if a given token's entropy is within expected bounds

From 764114b9f1c9c57fef6156a4e65e4d278b068a44 Mon Sep 17 00:00:00 2001
From: rafaela-soares
Date: Tue, 21 Jun 2022 10:54:31 +0100
Subject: [PATCH 2/4] increased timeout for go lint and go test race

---
 .github/workflows/go-ci.yml | 2 +-
 .github/workflows/go-test-race.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
index 582465cde2a..dc765927df8 100644
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -18,7 +18,7 @@ jobs:
 uses: golangci/golangci-lint-action@v3.2.0
 with:
 version: v1.46.1
- args: -c .golangci.yml --timeout 15m
+ args: -c .golangci.yml --timeout 20m
 go-generate:
 name: go-generate
 runs-on: ubuntu-latest
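Review bot: The lock taken by `c.mu.Lock()` in the @@ -480 hunk is released only by the bare `c.mu.Unlock()` at the end of the @@ -505 hunk, so a panic anywhere in between (the GetAdjecent and ignoreLine calls run inside the critical section) would leave the inspector's mutex held and block every other goroutine that tries to record a finding; since the unlock is the last statement before the closing brace, `defer c.mu.Unlock()` placed directly after `c.mu.Lock()` is equivalent on the normal path and safe on every other exit path. The field added in the @@ -41 hunk is a `sync.RWMutex`, but only `Lock` is used here, so either a plain `sync.Mutex` suffices or the readers of `c.vulnerabilities` elsewhere in the file should take `RLock`; those readers are outside these hunks, so whether they are guarded cannot be confirmed from this patch. The diffstat records three insertions and no import change, so `sync` must already be imported in inspector.go for this to compile. addVulnerability begins before the @@ -480 hunk and the lines between the two hunks are not shown.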
diff --git a/.github/workflows/go-test-race.yml b/.github/workflows/go-test-race.yml
index 2de5c42ee45..ed1c65614f8 100644
--- a/.github/workflows/go-test-race.yml
+++ b/.github/workflows/go-test-race.yml
@@ -41,7 +41,7 @@ jobs:
 go mod vendor
 - name: Test and Generate Report
 run: |
- go test -race -timeout 3600s -mod=vendor -v $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
+ go test -race -timeout 9999s -mod=vendor -v $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
 result_code=${PIPESTATUS[0]}
 exit $result_code
 - name: Archive test logs

From 9455bc828fa1c30f1013f6ef497d57eb09fc2457 Mon Sep 17 00:00:00 2001
From: rafaela-soares
Date: Tue, 21 Jun 2022 11:12:41 +0100
Subject: [PATCH 3/4] fixed tiller queries

---
 assets/queries/k8s/tiller_is_deployed/query.rego | 16 ++++++++--------
 .../k8s/tiller_service_is_not_deleted/query.rego | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/assets/queries/k8s/tiller_is_deployed/query.rego b/assets/queries/k8s/tiller_is_deployed/query.rego
index f8acddf988d..d9e6e355cc8 100644
--- a/assets/queries/k8s/tiller_is_deployed/query.rego
+++ b/assets/queries/k8s/tiller_is_deployed/query.rego
@@ -12,8 +12,8 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "'metadata' does not refer any to a Tiller resource",
- "keyActualValue": "'metadata' refers to a Tiller resource",
+ "keyExpectedValue": sprintf("'metadata' of %s does not refer to any Tiller resource", [document.kind]),
+ "keyActualValue": sprintf("'metadata' of %s refers to a Tiller resource", [document.kind]),
 }
 }
 
@@ -33,8 +33,8 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}.spec.%s", [metadata.name, types[x]]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'spec.containers' doesn't have any Tiller containers", [types[x]]),
- "keyActualValue": sprintf("'spec.containers' contains a Tiller container", [types[x]]),
+ "keyExpectedValue": sprintf("'spec.%s' of %s doesn't have any Tiller containers", [types[x], document.kind]),
+ "keyActualValue": sprintf("'spec.%s' of %s contains a Tiller container", [types[x], document.kind]),
 }
 }
 
@@ -51,8 +51,8 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}.spec.template.metadata", [metadata.name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "'spec.template.metadata' does not refer to any Tiller resource",
- "keyActualValue": "'spec.template.metadata' refers to a Tiller resource",
+ "keyExpectedValue": sprintf("'spec.template.metadata' does not refer to any Tiller resource", [document.kind]),
+ "keyActualValue": sprintf("'spec.template.metadata' refers to a Tiller resource", [document.kind]),
 }
 }
 
@@ -70,8 +70,8 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}.spec.template.spec.%s", [metadata.name, types[x]]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'spec.template.spec.%s' doesn't have any Tiller containers", [types[x]]),
- "keyActualValue": sprintf("'spec.template.spec.%s' contains a Tiller container", [types[x]]),
+ "keyExpectedValue": sprintf("'spec.template.spec.%s' of %s doesn't have any Tiller containers", [types[x], document.kind]),
+ "keyActualValue": sprintf("'spec.template.spec.%s' of %s contains a Tiller container", [types[x], document.kind]),
 }
 }
 
diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/query.rego b/assets/queries/k8s/tiller_service_is_not_deleted/query.rego
index 391f299636b..ee8cf8429eb 100644
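Review bot: In the @@ -51 hunk both new messages pass `[document.kind]` to a format string that contains no `%s`, so the argument has nowhere to go; OPA's sprintf is built on Go's fmt.Sprintf, which renders a surplus argument as a `%!(EXTRA string=...)` suffix, so the reported expected/actual values would come out mangled. The other hunks in this file embed the kind with `of %s`, so the same wording keeps the messages consistent: `"keyExpectedValue": sprintf("'spec.template.metadata' of %s does not refer to any Tiller resource", [document.kind]),` and `"keyActualValue": sprintf("'spec.template.metadata' of %s refers to a Tiller resource", [document.kind]),`. The enclosing CxPolicy rule starts before each hunk shown here.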
--- a/assets/queries/k8s/tiller_service_is_not_deleted/query.rego
+++ b/assets/queries/k8s/tiller_service_is_not_deleted/query.rego
@@ -13,8 +13,8 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "metadata.name does not contain 'tiller'",
- "keyActualValue": "metadata.name contains 'tiller'",
+ "keyExpectedValue": sprintf("metadata.name of %s does not contain 'tiller'", [document.kind]),
+ "keyActualValue": sprintf("metadata.name of %s contains 'tiller'", [document.kind]),
 }
 }
 
@@ -33,8 +33,8 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "metadata.labels does not have values that contain 'tiller'",
- "keyActualValue": sprintf("metadata.labels.%s contains 'tiller'", [j]),
+ "keyExpectedValue": sprintf("metadata.labels of %s does not have values that contain 'tiller'", [document.kind]),
+ "keyActualValue": sprintf("metadata.labels.%s of %s contains 'tiller'", [document.kind, j]),
 }
 }
 
@@ -54,7 +54,7 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("metadata.name={{%s}}.spec.selector.%s", [metadata.name, j]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "spec.selector does not have values that contain 'tiller'",
- "keyActualValue": sprintf("spec.selector.%s contains 'tiller'", [j]),
+ "keyExpectedValue": sprintf("spec.selector of %s does not have values that contain 'tiller'", [document.kind]),
+ "keyActualValue": sprintf("spec.selector.%s of %s contains 'tiller'", [document.kind, j]),
 }
 }

From 7589dfe906ffe0b28e530730b5d0b678bef81a00 Mon Sep 17 00:00:00 2001
From: rafaela-soares
Date: Tue, 21 Jun 2022 13:01:58 +0100
Subject: [PATCH 4/4] fixed 94b76ea5-e074-4ca2-8a03-c5a606e30645

---
 .../k8s/object_is_using_a_deprecated_api_version/query.rego | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

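Review bot: The new keyActualValue lines in the @@ -33 and @@ -54 hunks pass the sprintf arguments in the wrong order: the format strings are `metadata.labels.%s of %s` and `spec.selector.%s of %s`, so the first `%s` is the label/selector key and the second the kind, but the argument lists are `[document.kind, j]`, which puts the kind after the dot and the key after "of". Swapping them fixes both: `"keyActualValue": sprintf("metadata.labels.%s of %s contains 'tiller'", [j, document.kind]),` and `"keyActualValue": sprintf("spec.selector.%s of %s contains 'tiller'", [j, document.kind]),`. The enclosing CxPolicy rules start before each hunk shown here.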
diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego b/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego
index 551f8e3551b..97efdf6babe 100644
--- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego
+++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego
@@ -44,7 +44,7 @@ CxPolicy[result] {
 "resourceName": metadata.name,
 "searchKey": sprintf("apiVersion={{%s}}", [document.apiVersion]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion should be {{%s}}", [metadata.name, recommendedVersions[document.apiVersion][document.kind]]),
- "keyActualValue": sprintf("metadata.name={{%s}}.apiVersion is deprecated and is {{%s}}", [metadata.name, document.apiVersion]),
+ "keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion of %s should be {{%s}}", [metadata.name, document.kind, recommendedVersions[document.apiVersion][document.kind]]),
+ "keyActualValue": sprintf("metadata.name={{%s}}.apiVersion of %s is deprecated and is {{%s}}", [metadata.name, document.kind, document.apiVersion]),
 }
 }