package spec_test

import (
	"sort"
	"testing"

	"github.com/stretchr/testify/assert"

	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
	"github.com/devseccon/trivy/pkg/compliance/spec"
	"github.com/devseccon/trivy/pkg/types"
)

// nsaSpec builds the fixture spec shared by every case in this file: the
// NSA Kubernetes hardening guidance header, with the given controls attached.
func nsaSpec(controls ...defsecTypes.Control) defsecTypes.Spec {
	return defsecTypes.Spec{
		ID:          "1234",
		Title:       "NSA",
		Description: "National Security Agency - Kubernetes Hardening Guidance",
		RelatedResources: []string{
			"https://example.com",
		},
		Version:  "1.0",
		Controls: controls,
	}
}

// control builds a single compliance control whose checks are identified
// only by ID. An empty description leaves the field at its zero value.
func control(name, description, id string, checkIDs ...string) defsecTypes.Control {
	checks := make([]defsecTypes.SpecCheck, 0, len(checkIDs))
	for _, checkID := range checkIDs {
		checks = append(checks, defsecTypes.SpecCheck{ID: checkID})
	}
	return defsecTypes.Control{
		Name:        name,
		Description: description,
		ID:          id,
		Checks:      checks,
	}
}

// nonRootControl is a misconfiguration control with a single "AVD-" check.
// Each call returns a fresh value so subtests never share a Checks slice.
func nonRootControl() defsecTypes.Control {
	return control("Non-root containers", "Check that container is not running as root", "1.0",
		"AVD-KSV012")
}

// encryptionControl is a misconfiguration control with two "AVD-" checks.
func encryptionControl() defsecTypes.Control {
	return control("Check that encryption resource has been set", "Control checks whether encryption resource has been set", "1.1",
		"AVD-1.2.31", "AVD-1.2.32")
}

// criticalVulnControl is a vulnerability control with a single "CVE-" check.
func criticalVulnControl() defsecTypes.Control {
	return control("Ensure no critical vulnerabilities", "Control checks whether critical vulnerabilities are not found", "7.0",
		"CVE-9999-9999")
}

// unknownControl carries a check ID whose prefix maps to no scanner.
func unknownControl() defsecTypes.Control {
	return control("Unknown", "", "1.0", "UNKNOWN-001")
}

// TestComplianceSpec_Scanners checks that ComplianceSpec.Scanners selects
// scanners from the prefix of each check ID: "AVD-" checks yield the
// misconfiguration scanner, "CVE-" checks the vulnerability scanner, and a
// prefix it does not recognise is reported as an error.
func TestComplianceSpec_Scanners(t *testing.T) {
	cases := []struct {
		name    string
		spec    defsecTypes.Spec
		want    types.Scanners
		wantErr assert.ErrorAssertionFunc
	}{
		{
			name:    "get config scanner type by check id prefix",
			spec:    nsaSpec(nonRootControl(), encryptionControl()),
			want:    []types.Scanner{types.MisconfigScanner},
			wantErr: assert.NoError,
		},
		{
			name: "get config and vuln scanners types by check id prefix",
			spec: nsaSpec(nonRootControl(), encryptionControl(), criticalVulnControl()),
			want: []types.Scanner{
				types.MisconfigScanner,
				types.VulnerabilityScanner,
			},
			wantErr: assert.NoError,
		},
		{
			// An unrecognised prefix must surface as an error rather than
			// being silently left out of the scanner set.
			name:    "unknown prefix",
			spec:    nsaSpec(unknownControl()),
			wantErr: assert.Error,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			cs := &spec.ComplianceSpec{Spec: tc.spec}

			got, err := cs.Scanners()
			if !tc.wantErr(t, err, "Scanners()") {
				return
			}

			// Sort so the comparison does not depend on the order in which
			// Scanners() happens to return its result.
			sort.Slice(got, func(i, j int) bool { return got[i] < got[j] })
			assert.Equalf(t, tc.want, got, "Scanners()")
		})
	}
}

// TestComplianceSpec_CheckIDs checks that ComplianceSpec.CheckIDs groups the
// check IDs of every control under the scanner their prefix maps to. The
// expected slices are compared in order, so the test also pins that the
// IDs come back in the order the checks appear in the spec.
func TestComplianceSpec_CheckIDs(t *testing.T) {
	cases := []struct {
		name string
		spec defsecTypes.Spec
		want map[types.Scanner][]string
	}{
		{
			name: "get config scanner type by check id prefix",
			spec: nsaSpec(nonRootControl(), encryptionControl()),
			want: map[types.Scanner][]string{
				types.MisconfigScanner: {"AVD-KSV012", "AVD-1.2.31", "AVD-1.2.32"},
			},
		},
		{
			name: "get config and vuln scanners types by check id prefix",
			spec: nsaSpec(nonRootControl(), encryptionControl(), criticalVulnControl()),
			want: map[types.Scanner][]string{
				types.MisconfigScanner:     {"AVD-KSV012", "AVD-1.2.31", "AVD-1.2.32"},
				types.VulnerabilityScanner: {"CVE-9999-9999"},
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			cs := &spec.ComplianceSpec{Spec: tc.spec}
			assert.Equalf(t, tc.want, cs.CheckIDs(), "CheckIDs()")
		})
	}
}