Merge pull request #9 from yana1205/up-to-date-ocm-plugin

Up to date ocm plugin
oscal-compass · Dec 7, 2023 · 36a42c8 · 36a42c8
2 parents 67dd6b9 + c3c2bb6
commit 36a42c8
Show file tree

Hide file tree

Showing 150 changed files with 62,628 additions and 2,678 deletions.
diff --git a/README.md b/README.md
@@ -1,98 +1,34 @@
 # compliance-to-policy
 Compliance-to-Policy (C2P) provides the framework to bridge Compliance administration and Policy administration by [OSCAL](https://pages.nist.gov/OSCAL/). OSCAL (Open Security Controls Assessment Language) is a standardized framework developed by NIST for expressing and automating the assessment and management of security controls in machine-readable format (xml, json, yaml)
 
-## Continuous Compliance by C2P 
+![C2P Overview](/docs/images/e2e-pm.png)
 
-https://github.com/IBM/compliance-to-policy/assets/113283236/4b0b5357-4025-46c8-8d88-1f4c00538795
-
-## Usage of C2P commands
-
-### C2P for Kyverno
-Prepare Kyverno Policy Resources
-- You can use [policy-resources for test](/pkg/testdata/kyverno/policy-resources)
-- For bring your own policies, please see [Bring your own Kyverno Policy Resources](#bring-your-own-kyverno-policy-resources)
-
-#### Convert OSCAL to Kyverno Policy
-```
-$ go run cmd/c2pcli/main.go kyverno oscal2policy -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/kyverno-policies
-2023-10-31T07:23:56.291+0900    INFO    kyverno/c2pcr   kyverno/configparser.go:53      Component-definition is loaded from ./pkg/testdata/kyverno/component-definition.json
-
-$ tree /tmp/kyverno-policies 
-/tmp/kyverno-policies
-└── allowed-base-images
-    ├── 02-setup-cm.yaml
-    └── allowed-base-images.yaml
-```
-
-#### Convert Policy Report to OSCAL Assessment Results
+## Usage of C2P CLI
 ```
-$ go run cmd/c2pcli/main.go kyverno result2oscal -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/assessment-results
+$ c2pcli -h        
+C2P CLI
 
-$ tree /tmp/assessment-results 
-/tmp/assessment-results
-└── assessment-results.json
-```
+Usage:
+  c2pcli [flags]
+  c2pcli [command]
 
-#### Reformat in human-friendly format (markdown file)
-```
-$ go run cmd/c2pcli/main.go kyverno oscal2posture -c ./pkg/testdata/kyverno/c2p-config.yaml --assessment-results /tmp/assessment-results/assessment-results.json -o /tmp/compliance-report.md
-```
+Available Commands:
+  completion  Generate the autocompletion script for the specified shell
+  help        Help about any command
+  kyverno     C2P CLI Kyverno plugin
+  ocm         C2P CLI OCM plugin
+  version     Display version
 
-```
-$ head -n 15 /tmp/compliance-report.md
-## Catalog
+Flags:
+  -h, --help   help for c2pcli
 
-## Component: Kubernetes
-#### Result of control: cm-8.3_smt.a
-
-Rule ID: allowed-base-images
-<details><summary>Details</summary>
-
-  - Subject UUID: 0b1adf1c-f6e2-46af-889e-39255e669655
-    - Title: ApiVersion: v1, Kind: Pod, Namespace: argocd, Name: argocd-application-controller-0
-    - Result: fail
-    - Reason:
-      ```
-      validation failure: This container image&#39;s base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance.
-      ```
+Use "c2pcli [command] --help" for more information about a command.
 ```
 
-### Bring your own Kyverno Policy Resources
-- You can download Kyverno Policies (https://github.com/kyverno/policies) as Policy Resources and modify them
-    1. Run `kyverno tools load-policy-resources` command
-        ```
-        $ go run cmd/c2pcli/main.go kyverno tools load-policy-resources --src https://github.com/kyverno/policies --dest /tmp/policies
-        ```
-        ```
-        $ tree /tmp/policies
-        /tmp/policies
-        ├── add-apparmor-annotations
-        │   └── add-apparmor-annotations.yaml
-        ├── add-capabilities
-        │   └── add-capabilities.yaml
-        ├── add-castai-removal-disabled
-        │   └── add-castai-removal-disabled.yaml
-        ├── add-certificates-volume
-        │   └── add-certificates-volume.yaml
-        ├── add-default-resources
-        ...
-        ```
-    - You can check result.json about what resources are downloaded.
-        ```
-        $ cat /tmp/policies/result.json
-
-        ```
-    - There are some policies that depend on context. Please add the context resources manually. result.json contains list of the policies that have context field
-        ```
-        $ jq -r .summary.resourcesHavingContext /tmp/policies/result.json
-        [
-            "allowed-podpriorities",
-            "allowed-base-images",
-            "advanced-restrict-image-registries",
-            ...
-            "require-linkerd-server"
-        ]
-        ```
+C2P is targeting a plugin architecture to cover not only OCM Policy Framework but also other types of PVPs. 
+Please go to the docs for each usage.
+- [C2P for OCM](/docs/ocm/README.md) 
+- [C2P for Kyverno](/docs/kyverno/README.md) 
 
 ## Build at local
 ```

diff --git a/cmd/c2pcli/main.go b/cmd/c2pcli/main.go
@@ -17,13 +17,36 @@ limitations under the License.
 package main
 
 import (
+	"fmt"
 	"os"
 
 	"github.com/IBM/compliance-to-policy/cmd/c2pcli/cmd"
+	"github.com/spf13/cobra"
 )
 
+var (
+	version = "none"
+	commit  = "none"
+	date    = "unknown"
+)
+
+func newVersionSubCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "version",
+		Short: "Display version",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			message := fmt.Sprintf("version: %s, commit: %s, date: %s", version, commit, date)
+			fmt.Fprintln(os.Stdout, message)
+			return nil
+		},
+	}
+	return command
+}
+
 func main() {
-	err := cmd.New().Execute()
+	command := cmd.New()
+	command.AddCommand(newVersionSubCommand())
+	err := command.Execute()
 	if err != nil {
 		os.Exit(1)
 	}

diff --git a/cmd/c2pcli/subcommands/kyverno.go b/cmd/c2pcli/subcommands/kyverno.go
@@ -21,7 +21,6 @@ import (
 
 	"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
 	oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2policy/cmd"
-	oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2posture/cmd"
 	result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/kyverno/result2oscal/cmd"
 	toolscmd "github.com/IBM/compliance-to-policy/cmd/kyverno/tools/cmd"
 )
@@ -38,7 +37,6 @@ func NewKyvernoSubCommand() *cobra.Command {
 
 	command.AddCommand(oscal2policycmd.New())
 	command.AddCommand(result2oscalcmd.New())
-	command.AddCommand(oscal2posturecmd.New())
 	command.AddCommand(toolscmd.New())
 
 	return command

diff --git a/cmd/c2pcli/subcommands/ocm.go b/cmd/c2pcli/subcommands/ocm.go
@@ -21,8 +21,8 @@ import (
 
 	"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
 	oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2policy/cmd"
-	oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2posture/cmd"
 	result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/ocm/result2oscal/cmd"
+	toolscmd "github.com/IBM/compliance-to-policy/cmd/ocm/tools/cmd"
 )
 
 func NewOcmSubCommand() *cobra.Command {
@@ -37,7 +37,7 @@ func NewOcmSubCommand() *cobra.Command {
 
 	command.AddCommand(oscal2policycmd.New())
 	command.AddCommand(result2oscalcmd.New())
-	command.AddCommand(oscal2posturecmd.New())
+	command.AddCommand(toolscmd.New())
 
 	return command
 }
diff --git a/cmd/kyverno/oscal2posture/main.go b/cmd/kyverno/oscal2posture/main.go
diff --git a/cmd/kyverno/result2oscal/cmd/cmd.go b/cmd/kyverno/result2oscal/cmd/cmd.go
@@ -17,8 +17,6 @@ limitations under the License.
 package cmd
 
 import (
-	"os"
-
 	"github.com/spf13/cobra"
 
 	"github.com/IBM/compliance-to-policy/cmd/kyverno/result2oscal/options"
@@ -51,10 +49,7 @@ func New() *cobra.Command {
 }
 
 func Run(options *options.Options) error {
-	outputDir, c2pcrPath, tempDirPath := options.OutputDir, options.C2PCRPath, options.TempDirPath
-	if err := os.MkdirAll(outputDir, os.ModePerm); err != nil {
-		panic(err)
-	}
+	outputPath, c2pcrPath, policyResultsDir, tempDirPath := options.OutputPath, options.C2PCRPath, options.PolicyResultsDir, options.TempDirPath
 
 	var c2pcrSpec typec2pcr.Spec
 	if err := pkg.LoadYamlFileToObject(c2pcrPath, &c2pcrSpec); err != nil {
@@ -68,13 +63,13 @@ func Run(options *options.Options) error {
 		panic(err)
 	}
 
-	r := kyverno.NewResultToOscal(c2pcrParsed)
+	r := kyverno.NewResultToOscal(c2pcrParsed, policyResultsDir)
 	ar, err := r.GenerateAssessmentResults()
 	if err != nil {
 		return err
 	}
 
-	err = pkg.WriteObjToJsonFile(outputDir+"/assessment-results.json", ar)
+	err = pkg.WriteObjToJsonFile(outputPath, ar)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/kyverno/result2oscal/options/options.go b/cmd/kyverno/result2oscal/options/options.go
@@ -23,9 +23,10 @@ import (
 )
 
 type Options struct {
-	C2PCRPath   string
-	TempDirPath string
-	OutputDir   string
+	C2PCRPath        string
+	PolicyResultsDir string
+	TempDirPath      string
+	OutputPath       string
 }
 
 func NewOptions() *Options {
@@ -34,8 +35,9 @@ func NewOptions() *Options {
 
 func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVarP(&o.C2PCRPath, "config", "c", "", "path to c2p-config.yaml")
+	fs.StringVar(&o.PolicyResultsDir, "results", "", "path to directory containing Kyverno Policies List (policies.kyverno.io.yaml), ClusterPolicies List (clusterpolicies.kyverno.io.yaml), PolicyReports List (policyreports.wgpolicyk8s.io.yaml), and ClusterPolicyReports List (clusterpolicyreports.wgpolicyk8s.io.yaml)")
 	fs.StringVar(&o.TempDirPath, "temp-dir", "", "path to temp directory")
-	fs.StringVarP(&o.OutputDir, "out", "o", ".", "path to a directory for output files")
+	fs.StringVarP(&o.OutputPath, "out", "o", "./assessment-results.json", "path to output OSCAL Assessment Results")
 }
 
 func (o *Options) Complete() error {
@@ -46,5 +48,8 @@ func (o *Options) Validate() error {
 	if o.C2PCRPath == "" {
 		return errors.New("-c or --config <c2p-config.yaml> is required")
 	}
+	if o.PolicyResultsDir == "" {
+		return errors.New("--results is required")
+	}
 	return nil
 }
diff --git a/cmd/kyverno/tools/cmd/cmd.go b/cmd/kyverno/tools/cmd/cmd.go
@@ -21,6 +21,8 @@ import (
 
 	"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
 	kyvernocmd "github.com/IBM/compliance-to-policy/cmd/kyverno/tools/subcommands/kyverno"
+	oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/pvpcommon/oscal2posture/cmd"
+	"github.com/IBM/compliance-to-policy/pkg"
 )
 
 func New() *cobra.Command {
@@ -44,6 +46,7 @@ func New() *cobra.Command {
 	opts.AddFlags(command.Flags())
 
 	command.AddCommand(kyvernocmd.New())
+	command.AddCommand(oscal2posturecmd.New(pkg.GetLogger("kyverno/oscal2posture")))
 
 	return command
 }
diff --git a/cmd/ocm/oscal2policy/c2p-config.yaml b/cmd/ocm/oscal2policy/c2p-config.yaml
diff --git a/cmd/ocm/oscal2policy/cmd/cmd.go b/cmd/ocm/oscal2policy/cmd/cmd.go
@@ -24,7 +24,6 @@ import (
 
 	"github.com/IBM/compliance-to-policy/cmd/ocm/oscal2policy/options"
 	"github.com/IBM/compliance-to-policy/pkg"
-	"github.com/IBM/compliance-to-policy/pkg/c2pcr"
 	"github.com/IBM/compliance-to-policy/pkg/ocm"
 	typec2pcr "github.com/IBM/compliance-to-policy/pkg/types/c2pcr"
 )
@@ -63,7 +62,7 @@ func Run(options *options.Options) error {
 	}
 
 	gitUtils := pkg.NewGitUtils(pkg.NewTempDirectory(options.TempDirPath))
-	c2pcrParser := c2pcr.NewParser(gitUtils)
+	c2pcrParser := ocm.NewParser(gitUtils)
 	c2pcrParsed, err := c2pcrParser.Parse(c2pcrSpec)
 	if err != nil {
 		panic(err)

diff --git a/cmd/ocm/oscal2posture/main.go b/cmd/ocm/oscal2posture/main.go