fix(validator): fix taxonomy

kubeshop · Jan 18, 2024 · 4fc3634 · 4fc3634
1 parent 3680e24
commit 4fc3634
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 41 deletions.
diff --git a/.changeset/great-meals-juggle.md b/.changeset/great-meals-juggle.md
@@ -0,0 +1,5 @@
+---
+"@monokle/validation": patch
+---
+
+Fix taxonomies
diff --git a/packages/validation/src/MonokleValidator.ts b/packages/validation/src/MonokleValidator.ts
@@ -6,7 +6,7 @@ import {ResourceParser} from './common/resourceParser.js';
 import type {Suppression, Tool, ValidationResponse, ValidationResult, ValidationRun} from './common/sarif.js';
 import type {CustomSchema, Plugin, Resource} from './common/types.js';
 import {Config} from './config/parse.js';
-import {CIS_TAXONOMY, NSA_TAXONOMY} from './taxonomies/index.js';
+import {NSA_TAXONOMY, PSS_TAXONOMY} from './taxonomies/index.js';
 import {PluginMetadataWithConfig, PluginName, RuleMetadataWithConfig, ValidateParams, Validator} from './types.js';
 import {nextTick, throwIfAborted} from './utils/abort.js';
 import {extractSchema, findDefaultVersion} from './utils/customResourceDefinitions.js';
@@ -20,7 +20,7 @@ import {PluginLoader} from './pluginLoaders/PluginLoader.js';
 import {ValidationConfig} from '@monokle/types';
 import {PluginContext} from './pluginLoaders/types.js';
 import {sortResults} from './utils/sortResults.js';
-import { createOriginalUriBaseIds } from './utils/uriBase.js';
+import {createOriginalUriBaseIds} from './utils/uriBase.js';
 
 export type ValidatorInit = {
   loader: PluginLoader;
@@ -216,7 +216,7 @@ export class MonokleValidator implements Validator {
     incremental,
     baseline,
     abortSignal: externalAbortSignal,
-    srcroot
+    srcroot,
   }: ValidateParams): Promise<ValidationResponse> {
     if (this._loading === undefined) {
       this.load();
@@ -256,7 +256,7 @@ export class MonokleValidator implements Validator {
       originalUriBaseIds: createOriginalUriBaseIds({srcroot}),
       tool,
       results,
-      taxonomies: [NSA_TAXONOMY, CIS_TAXONOMY],
+      taxonomies: [NSA_TAXONOMY, PSS_TAXONOMY],
     };
 
     const response: ValidationResponse = {

diff --git a/packages/validation/src/taxonomies/cis.ts b/packages/validation/src/taxonomies/cis.ts
diff --git a/packages/validation/src/taxonomies/index.ts b/packages/validation/src/taxonomies/index.ts
@@ -1,3 +1,2 @@
-export * from './cis.js';
 export * from './nsa.js';
 export * from './pss.js';
diff --git a/packages/validation/src/validators/open-policy-agent/rules.ts b/packages/validation/src/validators/open-policy-agent/rules.ts
@@ -1,4 +1,3 @@
-import {CIS_RELATIONS} from '../../taxonomies/cis.js';
 import {NSA_RELATIONS} from '../../taxonomies/nsa.js';
 import {PolicyMetadata} from './types.js';
 
@@ -32,7 +31,7 @@ export const DEFAULT_TRIVY_PLUGIN: PolicyMetadata = {
         entrypoint: 'appshield/kubernetes/KSV001/deny',
         path: '$container.securityContext.allowPrivilegeEscalation',
       },
-      relationships: [NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+      relationships: [NSA_RELATIONS['kubernetes-pod-security']],
     },
     {
       id: 'KSV002',
@@ -141,7 +140,7 @@ export const DEFAULT_TRIVY_PLUGIN: PolicyMetadata = {
         entrypoint: 'appshield/kubernetes/KSV008/deny',
         path: 'spec.template.spec.hostIPC',
       },
-      relationships: [NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+      relationships: [NSA_RELATIONS['kubernetes-pod-security']],
     },
     {
       id: 'KSV009',

diff --git a/...ges/validation/src/validators/pod-security-standards/rules/PSS202-privilege-escalation.ts b/...ges/validation/src/validators/pod-security-standards/rules/PSS202-privilege-escalation.ts
@@ -1,4 +1,4 @@
-import {CIS_RELATIONS, NSA_RELATIONS, PSS_RELATIONS} from '../../../taxonomies/index.js';
+import {NSA_RELATIONS, PSS_RELATIONS} from '../../../taxonomies/index.js';
 import {defineRule} from '../../custom/config.js';
 import {validatePodSpec} from '../../custom/utils.js';
 
@@ -11,7 +11,7 @@ export const privilegeEscalation = defineRule({
   advanced: {
     enabled: false,
     severity: 8,
-    relationships: [PSS_RELATIONS['restricted'], NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+    relationships: [PSS_RELATIONS['restricted'], NSA_RELATIONS['kubernetes-pod-security']],
   },
   validate({resources}, {report}) {
     validatePodSpec(resources, (resource, pod, prefix) => {

diff --git a/packages/validation/src/validators/practices/rules/KBP103-drop-capabilities.ts b/packages/validation/src/validators/practices/rules/KBP103-drop-capabilities.ts
@@ -1,4 +1,4 @@
-import {CIS_RELATIONS, NSA_RELATIONS} from '../../../taxonomies/index.js';
+import {NSA_RELATIONS} from '../../../taxonomies/index.js';
 import {defineRule} from '../../custom/config.js';
 import {validatePodSpec} from '../../custom/utils.js';
 
@@ -10,7 +10,7 @@ export const dropCapabilities = defineRule({
   help: "Add 'ALL' to containers[].securityContext.capabilities.drop.",
   advanced: {
     severity: 5,
-    relationships: [NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+    relationships: [NSA_RELATIONS['kubernetes-pod-security']],
   },
   validate({resources}, {report}) {
     validatePodSpec(resources, (resource, pod, prefix) => {