
Commit 97ff1b4

authored
feat(scanner): Break out options for enabling libs and policies (#1280)
* feat(scanner): Break out options for enabling libs and policies Signed-off-by: Simar <[email protected]> * refactor Signed-off-by: Simar <[email protected]> * simplify terraform Signed-off-by: Simar <[email protected]> * remove un-needed work Signed-off-by: Simar <[email protected]> * fix ident Signed-off-by: Simar <[email protected]> --------- Signed-off-by: Simar <[email protected]>
1 parent 32da643 commit 97ff1b4

20 files changed

+217
-142
lines changed


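--- a/cmd/defsec/aws.go
+++ b/cmd/defsec/aws.go
@@ -40,6 +40,7 @@ func scanAWS(stdout, stderr io.Writer) error {
 
 opts := []options.ScannerOption{
 options.ScannerWithEmbeddedPolicies(true),
+options.ScannerWithEmbeddedLibraries(true),
 }
 
 if flagDebug {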

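--- a/cmd/defsec/fs.go
+++ b/cmd/defsec/fs.go
@@ -36,6 +36,7 @@ func scanFS(dir string, stdout, stderr io.Writer) error {
 
 opts := []options.ScannerOption{
 options.ScannerWithEmbeddedPolicies(true),
+options.ScannerWithEmbeddedLibraries(true),
 }
 
 if flagDebug {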

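--- a/pkg/rego/load.go
+++ b/pkg/rego/load.go
@@ -93,18 +93,8 @@ func (s *Scanner) LoadEmbeddedLibraries() error {
 return nil
 }
 
-func (s *Scanner) LoadPolicies(loadEmbedded bool, srcFS fs.FS, paths []string, readers []io.Reader) error {
-
-if s.policies == nil {
-s.policies = make(map[string]*ast.Module)
-}
-
-if s.policyFS != nil {
-s.debug.Log("Overriding filesystem for policies!")
-srcFS = s.policyFS
-}
-
-if loadEmbedded {
+func (s *Scanner) loadEmbedded(enableEmbeddedLibraries, enableEmbeddedPolicies bool) error {
+if enableEmbeddedLibraries {
 loadedLibs, errLoad := loadEmbeddedLibraries()
 if errLoad != nil {
 return fmt.Errorf("failed to load embedded rego libraries: %w", errLoad)
@@ -113,6 +103,9 @@ func (s *Scanner) LoadPolicies(loadEmbedded bool, srcFS fs.FS, paths []string, r
 s.policies[name] = policy
 }
 s.debug.Log("Loaded %d embedded libraries.", len(loadedLibs))
+}
+
+if enableEmbeddedPolicies {
 loaded, err := loadEmbeddedPolicies()
 if err != nil {
 return fmt.Errorf("failed to load embedded rego policies: %w", err)
@@ -123,6 +116,24 @@ func (s *Scanner) LoadPolicies(loadEmbedded bool, srcFS fs.FS, paths []string, r
 s.debug.Log("Loaded %d embedded policies.", len(loaded))
 }
 
+return nil
+}
+
+func (s *Scanner) LoadPolicies(enableEmbeddedLibraries, enableEmbeddedPolicies bool, srcFS fs.FS, paths []string, readers []io.Reader) error {
+
+if s.policies == nil {
+s.policies = make(map[string]*ast.Module)
+}
+
+if s.policyFS != nil {
+s.debug.Log("Overriding filesystem for policies!")
+srcFS = s.policyFS
+}
+
+if err := s.loadEmbedded(enableEmbeddedLibraries, enableEmbeddedPolicies); err != nil {
+return err
+}
+
 var err error
 if len(paths) > 0 {
 loaded, err := s.loadPoliciesFromDirs(srcFS, paths)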
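Review bot: The new loadEmbedded writes into s.policies (the `s.policies[name] = policy` context line in the second hunk) but never initializes the map; it depends on LoadPolicies having run `s.policies = make(map[string]*ast.Module)` first, so a direct call on a fresh Scanner would panic on assignment to a nil map. Either move the nil check into loadEmbedded or state the precondition: `// loadEmbedded assumes s.policies is non-nil; LoadPolicies initializes it before calling.` LoadPolicies also now takes two adjacent bools in a fixed order (libraries first, then policies) that every call site must keep straight, and the exported method has no doc comment saying so. Worth adding that the two flags are independent: a caller that previously passed a single loadEmbedded=true got both sets, whereas enableEmbeddedPolicies without enableEmbeddedLibraries now compiles the embedded policies against whatever libraries the caller loaded separately, which presumably surfaces as an undefined-ref compile error if an embedded policy imports an embedded library. Both loadEmbedded's middle and LoadPolicies' tail lie outside these hunks.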

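--- a/pkg/rego/scanner.go
+++ b/pkg/rego/scanner.go
@@ -45,6 +45,10 @@ type Scanner struct {
 sourceType types.Source
 }
 
+func (s *Scanner) SetUseEmbeddedLibraries(b bool) {
+// handled externally
+}
+
 func (s *Scanner) SetSpec(spec string) {
 s.spec = spec
 }
@@ -58,6 +62,7 @@ func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
 func (s *Scanner) SetUseEmbeddedPolicies(b bool) {
 // handled externally
 }
+
 func (s *Scanner) trace(heading string, input interface{}) {
 if s.traceWriter == nil {
 return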
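Review bot: SetUseEmbeddedLibraries is an exported method that silently discards its argument, and the only explanation is the bare `// handled externally`, which mirrors the existing SetUseEmbeddedPolicies but tells a caller nothing about where the flag actually takes effect. A doc comment would close that gap: `// SetUseEmbeddedLibraries is a no-op on the rego Scanner: embedded libraries are enabled by the enableEmbeddedLibraries argument to LoadPolicies, which the wrapping scanners pass through.` Since the parameter is unused, naming it `_ bool` instead of `b bool` would also make the no-op visible at the signature.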

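--- a/pkg/rego/scanner_test.go
+++ b/pkg/rego/scanner_test.go
@@ -35,7 +35,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -70,7 +70,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"/policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"/policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -105,7 +105,7 @@ warn {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -137,7 +137,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -180,7 +180,7 @@ exception[ns] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -228,7 +228,7 @@ exception[ns] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -265,7 +265,7 @@ exception[rules] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -301,7 +301,7 @@ exception[rules] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -335,7 +335,7 @@ deny_evil {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -366,7 +366,7 @@ deny[msg] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -404,7 +404,7 @@ deny[res] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -446,7 +446,7 @@ deny[res] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -500,7 +500,7 @@ deny[res] {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -549,7 +549,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -583,7 +583,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -614,7 +614,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -649,7 +649,7 @@ deny {
 scanner := NewScanner(types.SourceJSON, options.ScannerWithTrace(traceBuffer))
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -683,7 +683,7 @@ deny {
 scanner := NewScanner(types.SourceJSON, options.ScannerWithPerResultTracing(true))
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -721,7 +721,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -754,7 +754,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -801,7 +801,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 require.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 
 results, err := scanner.ScanInput(context.TODO(), Input{
@@ -839,7 +839,7 @@ deny {
 scanner := NewScanner(types.SourceDockerfile)
 assert.ErrorContains(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 "undefined ref: input.evil",
 )
 }
@@ -861,7 +861,7 @@ deny {
 scanner := NewScanner(types.SourceDockerfile)
 assert.NoError(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 )
 }
 
@@ -880,7 +880,7 @@ deny {
 scanner := NewScanner(types.SourceJSON)
 assert.ErrorContains(
 t,
-scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
+scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
 "undefined ref: input.evil",
 )
 }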
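Review bot: Every one of the 24 updated call sites passes `false, false`, so nothing in this file exercises the branching the commit introduces in loadEmbedded; a transposition of the two bool arguments, or a regression that loads policies without libraries, would pass this suite unchanged. A small test that calls `scanner.LoadPolicies(true, true, srcFS, nil, nil)` and one that calls `scanner.LoadPolicies(false, true, srcFS, nil, nil)`, each asserting the expected error (or its absence) from the embedded load, would pin the new contract. The enclosing test functions all begin above their hunks.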

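--- a/pkg/scanners/azure/arm/scanner.go
+++ b/pkg/scanners/azure/arm/scanner.go
@@ -28,17 +28,18 @@ var _ scanners.FSScanner = (*Scanner)(nil)
 var _ options.ConfigurableScanner = (*Scanner)(nil)
 
 type Scanner struct {
-scannerOptions []options.ScannerOption
-parserOptions []options.ParserOption
-debug debug.Logger
-frameworks []framework.Framework
-skipRequired bool
-regoOnly bool
-loadEmbedded bool
-policyDirs []string
-policyReaders []io.Reader
-regoScanner *rego.Scanner
-spec string
+scannerOptions []options.ScannerOption
+parserOptions []options.ParserOption
+debug debug.Logger
+frameworks []framework.Framework
+skipRequired bool
+regoOnly bool
+loadEmbeddedPolicies bool
+loadEmbeddedLibraries bool
+policyDirs []string
+policyReaders []io.Reader
+regoScanner *rego.Scanner
+spec string
 sync.Mutex
 }
 
@@ -87,8 +88,12 @@ func (s *Scanner) SetDataFilesystem(_ fs.FS) {
 // handled by rego when option is passed on
 }
 
-func (s *Scanner) SetUseEmbeddedPolicies(loadEmbedded bool) {
-s.loadEmbedded = loadEmbedded
+func (s *Scanner) SetUseEmbeddedPolicies(b bool) {
+s.loadEmbeddedPolicies = b
+}
+
+func (s *Scanner) SetUseEmbeddedLibraries(b bool) {
+s.loadEmbeddedLibraries = b
 }
 
 func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
@@ -108,7 +113,7 @@ func (s *Scanner) initRegoScanner(srcFS fs.FS) error {
 }
 regoScanner := rego.NewScanner(types.SourceCloud, s.scannerOptions...)
 regoScanner.SetParentDebugLogger(s.debug)
-if err := regoScanner.LoadPolicies(s.loadEmbedded, srcFS, s.policyDirs, s.policyReaders); err != nil {
+if err := regoScanner.LoadPolicies(s.loadEmbeddedLibraries, s.loadEmbeddedPolicies, srcFS, s.policyDirs, s.policyReaders); err != nil {
 return err
 }
 s.regoScanner = regoScanner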
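Review bot: The new loadEmbeddedLibraries field defaults to false and is only ever set through SetUseEmbeddedLibraries, so a caller that enables embedded content the way cmd/defsec/aws.go and fs.go did before this commit — `options.ScannerWithEmbeddedPolicies(true)` alone — now reaches the LoadPolicies call in initRegoScanner with policies enabled and libraries disabled, where it previously got both from the single loadEmbedded flag. That is a silent behaviour change for any wrapper or downstream user not updated alongside this commit; only six of the twenty changed files are visible here, so I cannot confirm the others were. A comment on SetUseEmbeddedPolicies such as `// Embedded libraries are opted into separately via SetUseEmbeddedLibraries; enabling policies alone no longer loads them.` would at least make the split explicit at the option boundary, and the diff is otherwise consistent with the first two hunks of this section.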
