From 4fc36343ae5721b5e7e85c51a84981a219e0a3c5 Mon Sep 17 00:00:00 2001
From: Delnat Wito
Date: Thu, 18 Jan 2024 09:55:40 +0100
Subject: [PATCH] fix(validator): fix taxonomy
---
 .changeset/great-meals-juggle.md | 5 ++++
 packages/validation/src/MonokleValidator.ts | 8 ++---
 packages/validation/src/taxonomies/cis.ts | 29 -------------------
 packages/validation/src/taxonomies/index.ts | 1 -
 .../src/validators/open-policy-agent/rules.ts | 5 ++--
 .../rules/PSS202-privilege-escalation.ts | 4 +--
 .../rules/KBP103-drop-capabilities.ts | 4 +--
 7 files changed, 15 insertions(+), 41 deletions(-)
 create mode 100644 .changeset/great-meals-juggle.md
 delete mode 100644 packages/validation/src/taxonomies/cis.ts
diff --git a/.changeset/great-meals-juggle.md b/.changeset/great-meals-juggle.md
new file mode 100644
index 000000000..28db54e3d
--- /dev/null
+++ b/.changeset/great-meals-juggle.md
@@ -0,0 +1,5 @@
+---
+"@monokle/validation": patch
+---
+
+Fix taxonomies
diff --git a/packages/validation/src/MonokleValidator.ts b/packages/validation/src/MonokleValidator.ts
index 2c4e5ed59..ff4e3543a 100644
--- a/packages/validation/src/MonokleValidator.ts
+++ b/packages/validation/src/MonokleValidator.ts
@@ -6,7 +6,7 @@ import {ResourceParser} from './common/resourceParser.js';
 import type {Suppression, Tool, ValidationResponse, ValidationResult, ValidationRun} from './common/sarif.js';
 import type {CustomSchema, Plugin, Resource} from './common/types.js';
 import {Config} from './config/parse.js';
-import {CIS_TAXONOMY, NSA_TAXONOMY} from './taxonomies/index.js';
+import {NSA_TAXONOMY, PSS_TAXONOMY} from './taxonomies/index.js';
 import {PluginMetadataWithConfig, PluginName, RuleMetadataWithConfig, ValidateParams, Validator} from './types.js';
 import {nextTick, throwIfAborted} from './utils/abort.js';
 import {extractSchema, findDefaultVersion} from './utils/customResourceDefinitions.js';
@@ -20,7 +20,7 @@ import {PluginLoader} from './pluginLoaders/PluginLoader.js';
 import {ValidationConfig} from '@monokle/types';
 import {PluginContext} from './pluginLoaders/types.js';
 import {sortResults} from './utils/sortResults.js';
-import { createOriginalUriBaseIds } from './utils/uriBase.js';
+import {createOriginalUriBaseIds} from './utils/uriBase.js';
 
 export type ValidatorInit = {
 loader: PluginLoader;
@@ -216,7 +216,7 @@ export class MonokleValidator implements Validator {
 incremental,
 baseline,
 abortSignal: externalAbortSignal,
- srcroot
+ srcroot,
 }: ValidateParams): Promise {
 if (this._loading === undefined) {
 this.load();
@@ -256,7 +256,7 @@ export class MonokleValidator implements Validator {
 originalUriBaseIds: createOriginalUriBaseIds({srcroot}),
 tool,
 results,
- taxonomies: [NSA_TAXONOMY, CIS_TAXONOMY],
+ taxonomies: [NSA_TAXONOMY, PSS_TAXONOMY],
 };
 
 const response: ValidationResponse = {
diff --git a/packages/validation/src/taxonomies/cis.ts b/packages/validation/src/taxonomies/cis.ts
deleted file mode 100644
index df2643164..000000000
--- a/packages/validation/src/taxonomies/cis.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import {Taxonomy, reportingDescriptorRelationship} from '../common/sarif.js';
-
-type CIS_TAXA_NAMES = 'general';
-
-export const CIS_RELATIONS: Record = {
- general: {
- target: {
- id: 'CIS000',
- index: 0,
- toolComponent: {name: 'CIS'},
- },
- },
-};
-
-export const CIS_TAXONOMY: Taxonomy = {
- name: 'CIS',
- version: 'v0.1',
- organization: 'CIS',
- shortDescription: {text: 'CIS is something.'},
- taxa: [
- {
- id: 'CIS000',
- name: 'general',
- shortDescription: {
- text: 'General misconfigurations',
- },
- },
- ],
-};
diff --git a/packages/validation/src/taxonomies/index.ts b/packages/validation/src/taxonomies/index.ts
index 9d9237584..6fb6e3c0e 100644
--- a/packages/validation/src/taxonomies/index.ts
+++ b/packages/validation/src/taxonomies/index.ts
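Review bot: Nothing ties the `taxonomies` array in the `-256,7` hunk to the `relationships` the rules actually emit, so the mismatch this commit appears to repair (PSS202 already referenced `PSS_RELATIONS['restricted']` on the old side while the run listed only NSA and CIS) can silently come back the next time a taxonomy is added or dropped. In SARIF a relationship's `target.toolComponent` is expected to resolve to a component listed in the run, so a taxonomy missing from this array leaves dangling references in the report without any compiler error — `tsc` only catches leftover `CIS_RELATIONS` imports. A small test that collects every rule's `relationships[].target.toolComponent.name` and asserts each value appears as a `name` in the run's `taxonomies` would pin the invariant; until then a comment above the array, e.g. `// must list every taxonomy that rule relationships point at (see taxonomies/index.ts)`, at least documents it. The enclosing method starts and ends outside the hunk.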
@@ -1,3 +1,2 @@
-export * from './cis.js';
 export * from './nsa.js';
 export * from './pss.js';
diff --git a/packages/validation/src/validators/open-policy-agent/rules.ts b/packages/validation/src/validators/open-policy-agent/rules.ts
index f229eaab1..72580a40e 100644
--- a/packages/validation/src/validators/open-policy-agent/rules.ts
+++ b/packages/validation/src/validators/open-policy-agent/rules.ts
@@ -1,4 +1,3 @@
-import {CIS_RELATIONS} from '../../taxonomies/cis.js';
 import {NSA_RELATIONS} from '../../taxonomies/nsa.js';
 import {PolicyMetadata} from './types.js';
 
@@ -32,7 +31,7 @@ export const DEFAULT_TRIVY_PLUGIN: PolicyMetadata = {
 entrypoint: 'appshield/kubernetes/KSV001/deny',
 path: '$container.securityContext.allowPrivilegeEscalation',
 },
- relationships: [NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+ relationships: [NSA_RELATIONS['kubernetes-pod-security']],
 },
 {
 id: 'KSV002',
@@ -141,7 +140,7 @@ export const DEFAULT_TRIVY_PLUGIN: PolicyMetadata = {
 entrypoint: 'appshield/kubernetes/KSV008/deny',
 path: 'spec.template.spec.hostIPC',
 },
- relationships: [NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+ relationships: [NSA_RELATIONS['kubernetes-pod-security']],
 },
 {
 id: 'KSV009',
diff --git a/packages/validation/src/validators/pod-security-standards/rules/PSS202-privilege-escalation.ts b/packages/validation/src/validators/pod-security-standards/rules/PSS202-privilege-escalation.ts
index 89524f9e4..4be80cbe0 100644
--- a/packages/validation/src/validators/pod-security-standards/rules/PSS202-privilege-escalation.ts
+++ b/packages/validation/src/validators/pod-security-standards/rules/PSS202-privilege-escalation.ts
@@ -1,4 +1,4 @@
-import {CIS_RELATIONS, NSA_RELATIONS, PSS_RELATIONS} from '../../../taxonomies/index.js';
+import {NSA_RELATIONS, PSS_RELATIONS} from '../../../taxonomies/index.js';
 import {defineRule} from '../../custom/config.js';
 import {validatePodSpec} from '../../custom/utils.js';
 
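Review bot: After `CIS_RELATIONS['general']` is dropped, KSV001 in the `-32,7` hunk of rules.ts keeps only the NSA relationship, while PSS202 in this same commit retains `PSS_RELATIONS['restricted']` for the same `allowPrivilegeEscalation` control; if the OPA rule set is meant to carry PSS mappings too, KSV001 should become `relationships: [NSA_RELATIONS['kubernetes-pod-security'], PSS_RELATIONS['restricted']],` with `PSS_RELATIONS` added to the import at the top of the file. The same question applies to KSV008 in the `-141,7` hunk and to KBP103 in `KBP103-drop-capabilities.ts`, whose relationship lists are now NSA-only. If the asymmetry is deliberate, a short comment on the OPA rule set such as `// OPA rules are mapped to the NSA taxonomy only; PSS mappings live under validators/pod-security-standards` would stop the next reader from re-adding them. The `DEFAULT_TRIVY_PLUGIN` object starts and ends outside these hunks.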
@@ -11,7 +11,7 @@ export const privilegeEscalation = defineRule({
 advanced: {
 enabled: false,
 severity: 8,
- relationships: [PSS_RELATIONS['restricted'], NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+ relationships: [PSS_RELATIONS['restricted'], NSA_RELATIONS['kubernetes-pod-security']],
 },
 validate({resources}, {report}) {
 validatePodSpec(resources, (resource, pod, prefix) => {
diff --git a/packages/validation/src/validators/practices/rules/KBP103-drop-capabilities.ts b/packages/validation/src/validators/practices/rules/KBP103-drop-capabilities.ts
index 7889a5ea7..d5648bbd6 100644
--- a/packages/validation/src/validators/practices/rules/KBP103-drop-capabilities.ts
+++ b/packages/validation/src/validators/practices/rules/KBP103-drop-capabilities.ts
@@ -1,4 +1,4 @@
-import {CIS_RELATIONS, NSA_RELATIONS} from '../../../taxonomies/index.js';
+import {NSA_RELATIONS} from '../../../taxonomies/index.js';
 import {defineRule} from '../../custom/config.js';
 import {validatePodSpec} from '../../custom/utils.js';
 
@@ -10,7 +10,7 @@ export const dropCapabilities = defineRule({
 help: "Add 'ALL' to containers[].securityContext.capabilities.drop.",
 advanced: {
 severity: 5,
- relationships: [NSA_RELATIONS['kubernetes-pod-security'], CIS_RELATIONS['general']],
+ relationships: [NSA_RELATIONS['kubernetes-pod-security']],
 },
 validate({resources}, {report}) {
 validatePodSpec(resources, (resource, pod, prefix) => {