package report_test

import (
	"fmt"
	"testing"

	"github.com/stretchr/testify/assert"

	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
	"github.com/devseccon/trivy/pkg/compliance/report"
	"github.com/devseccon/trivy/pkg/compliance/spec"
	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
	"github.com/devseccon/trivy/pkg/types"
)

// TestBuildComplianceReport feeds a mixed set of scan results (one Kubernetes
// misconfiguration result and one OS-package vulnerability result) through
// BuildComplianceReport against a three-control spec and checks how the
// findings are grouped control by control in the resulting report:
//
//   - control 1.0 is matched by the passing KSV001 check (AVD-KSV-0001);
//   - control 1.1 matches nothing and is expected to carry nil results;
//   - control 1.2 is matched by the DLA-2424-1 vulnerability.
//
// A second, failing check (AVD-KSV-9999) matches no control and must not
// appear anywhere in the report.
func TestBuildComplianceReport(t *testing.T) {
	// The fixture builders below return a fresh value on every call, so the
	// input handed to BuildComplianceReport and the expected report never
	// share pointers (MisconfSummary, DataSource) or slice backing arrays.
	ksv001 := func() types.DetectedMisconfiguration {
		return types.DetectedMisconfiguration{
			Type:        "Kubernetes Security Check",
			ID:          "KSV001",
			AVDID:       "AVD-KSV-0001",
			Title:       "Process can elevate its own privileges",
			Description: "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
			Message:     "Container 'metrics-server' of Deployment 'metrics-server' should set 'securityContext.allowPrivilegeEscalation' to false",
			Namespace:   "builtin.kubernetes.KSV001",
			Query:       "data.builtin.kubernetes.KSV001.deny",
			Resolution:  "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
			Severity:    dbTypes.SeverityMedium.String(),
			PrimaryURL:  "https://avd.aquasec.com/misconfig/ksv001",
			References: []string{
				"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
				"https://avd.aquasec.com/misconfig/ksv001",
			},
			Status: types.StatusPassed,
		}
	}

	// A failing check whose AVD ID is referenced by no control in the spec.
	ksv002 := func() types.DetectedMisconfiguration {
		return types.DetectedMisconfiguration{
			Type:   "Kubernetes Security Check",
			ID:     "KSV002",
			AVDID:  "AVD-KSV-9999",
			Status: types.StatusFailure,
		}
	}

	// k8sResult wraps the given checks in the metrics-server Deployment
	// result; the summary counts are identical on the input and expected side.
	k8sResult := func(misconfs ...types.DetectedMisconfiguration) types.Result {
		return types.Result{
			Target: "Deployment/metrics-server",
			Class:  types.ClassConfig,
			Type:   ftypes.Kubernetes,
			MisconfSummary: &types.MisconfSummary{
				Successes:  1,
				Failures:   0,
				Exceptions: 0,
			},
			Misconfigurations: misconfs,
		}
	}

	// tzdataResult is the OS-package result carrying the single vulnerability
	// that control 1.2 references by its vendor ID.
	tzdataResult := func() types.Result {
		return types.Result{
			Target: "rancher/metrics-server:v0.3.6 (debian 9.9)",
			Class:  types.ClassOSPkg,
			Type:   "debian",
			Vulnerabilities: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "DLA-2424-1",
					VendorIDs:        []string{"DLA-2424-1"},
					PkgName:          "tzdata",
					InstalledVersion: "2019a-0+deb9u1",
					FixedVersion:     "2020d-0+deb9u1",
					Layer: ftypes.Layer{
						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
					},
					DataSource: &dbTypes.DataSource{
						ID:   vulnerability.Debian,
						Name: "Debian Security Tracker",
						URL:  "https://salsa.debian.org/security-tracker-team/security-tracker",
					},
					Vulnerability: dbTypes.Vulnerability{
						Title:    "tzdata - new upstream version",
						Severity: dbTypes.SeverityUnknown.String(),
					},
				},
			},
		}
	}

	nsaSpec := spec.ComplianceSpec{
		Spec: defsecTypes.Spec{
			ID:          "1234",
			Title:       "NSA",
			Description: "National Security Agency - Kubernetes Hardening Guidance",
			Version:     "1.0",
			RelatedResources: []string{
				"https://example.com",
			},
			Controls: []defsecTypes.Control{
				{
					ID:          "1.0",
					Name:        "Non-root containers",
					Description: "Check that container is not running as root",
					Severity:    "MEDIUM",
					Checks: []defsecTypes.SpecCheck{
						{ID: "AVD-KSV-0001"},
					},
				},
				{
					ID:          "1.1",
					Name:        "Immutable container file systems",
					Description: "Check that container root file system is immutable",
					Severity:    "LOW",
					Checks: []defsecTypes.SpecCheck{
						{ID: "AVD-KSV-0002"},
					},
				},
				{
					ID:          "1.2",
					Name:        "tzdata - new upstream version",
					Description: "Bad tzdata package",
					Severity:    "CRITICAL",
					Checks: []defsecTypes.SpecCheck{
						{ID: "DLA-2424-1"},
					},
				},
			},
		},
	}

	tests := []struct {
		name        string
		scanResults []types.Results
		cs          spec.ComplianceSpec
		want        *report.ComplianceReport
		wantErr     assert.ErrorAssertionFunc
	}{
		{
			name: "happy",
			scanResults: []types.Results{
				{k8sResult(ksv001(), ksv002())},
				{tzdataResult()},
			},
			cs: nsaSpec,
			want: &report.ComplianceReport{
				ID:          "1234",
				Title:       "NSA",
				Description: "National Security Agency - Kubernetes Hardening Guidance",
				Version:     "1.0",
				RelatedResources: []string{
					"https://example.com",
				},
				Results: []*report.ControlCheckResult{
					{
						ID:          "1.0",
						Name:        "Non-root containers",
						Description: "Check that container is not running as root",
						Severity:    "MEDIUM",
						// Only the check referenced by this control survives;
						// the unmatched KSV002 finding is dropped.
						Results: types.Results{k8sResult(ksv001())},
					},
					{
						ID:          "1.1",
						Name:        "Immutable container file systems",
						Description: "Check that container root file system is immutable",
						Severity:    "LOW",
						Results:     nil,
					},
					{
						ID:          "1.2",
						Name:        "tzdata - new upstream version",
						Description: "Bad tzdata package",
						Severity:    "CRITICAL",
						Results:     types.Results{tzdataResult()},
					},
				},
			},
			wantErr: assert.NoError,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			got, err := report.BuildComplianceReport(tc.scanResults, tc.cs)
			msg := fmt.Sprintf("BuildComplianceReport(%v, %v)", tc.scanResults, tc.cs)
			if !tc.wantErr(t, err, msg) {
				return
			}
			assert.Equalf(t, tc.want, got, "BuildComplianceReport(%v, %v)", tc.scanResults, tc.cs)
		})
	}
}