
     1  package spec
     2  
     3  import (
     4  	"github.com/samber/lo"
     5  
     6  	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
     7  	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
     8  	"github.com/devseccon/trivy/pkg/types"
     9  )
    10  
// customIDs maps the compliance check IDs that are implemented in Go to the
// filter that narrows a scan result down to the findings satisfying them.
// Each filter receives the whole result and returns a copy that keeps only
// the vulnerabilities or secrets of the requested severity, so a check passes
// only on an exact match of the finding's severity string.
//
// We may rewrite these functions in Rego, but we'll keep them for now until
// we need the flexibility.
var customIDs = map[string]func(types.Result) types.Result{
	"VULN-CRITICAL":   filterCriticalVulns,
	"VULN-HIGH":       filterHighVulns,
	"SECRET-CRITICAL": filterCriticalSecrets,
	"SECRET-HIGH":     filterHighSecrets,
}
    19  
// mapCustomIDsToFilteredResults looks up every check ID listed in checkIDs in
// the customIDs table and, for each ID that has a Go filter, stores the
// filtered result under that ID in mapCheckByID.
//
// IDs with no custom filter are ignored, and a filter that leaves the result
// empty stores nothing, so mapCheckByID only ever receives non-empty
// evidence. The scanner keys of checkIDs are not consulted; an ID listed
// under several scanners is simply evaluated once per listing and written to
// the same key. mapCheckByID is mutated in place and must be non-nil.
func mapCustomIDsToFilteredResults(result types.Result, checkIDs map[types.Scanner][]string,
	mapCheckByID map[string]types.Results) {
	for _, ids := range checkIDs {
		for _, checkID := range ids {
			filter, found := customIDs[checkID]
			if !found {
				continue
			}
			if narrowed := filter(result); !narrowed.IsEmpty() {
				mapCheckByID[checkID] = types.Results{narrowed}
			}
		}
	}
}
    36  
// filterCriticalVulns backs the VULN-CRITICAL check: it returns result
// reduced to the vulnerabilities whose severity string equals
// dbTypes.SeverityCritical.String().
func filterCriticalVulns(result types.Result) types.Result {
	severity := dbTypes.SeverityCritical
	return filterVulns(result, severity)
}
    40  
// filterHighVulns backs the VULN-HIGH check: it returns result reduced to
// the vulnerabilities whose severity string equals
// dbTypes.SeverityHigh.String().
func filterHighVulns(result types.Result) types.Result {
	severity := dbTypes.SeverityHigh
	return filterVulns(result, severity)
}
    44  
// filterVulns returns a copy of result that carries only the vulnerabilities
// whose Severity equals severity.String(). Target, Class and Type are
// preserved; every other field of result (for example Secrets) is dropped
// from the copy.
//
// The comparison is an exact string match: a finding whose severity is
// missing or spelled differently never satisfies a severity-based check, so
// it silently falls out of the compliance evidence rather than failing it.
func filterVulns(result types.Result, severity dbTypes.Severity) types.Result {
	// Computed once rather than inside the predicate; the value is the same
	// for every element.
	want := severity.String()
	matchesSeverity := func(vuln types.DetectedVulnerability, _ int) bool {
		return vuln.Severity == want
	}
	kept := lo.Filter(result.Vulnerabilities, matchesSeverity)
	return types.Result{
		Target:          result.Target,
		Class:           result.Class,
		Type:            result.Type,
		Vulnerabilities: kept,
	}
}
    56  
// filterCriticalSecrets backs the SECRET-CRITICAL check: it returns result
// reduced to the secret findings whose severity string equals
// dbTypes.SeverityCritical.String().
func filterCriticalSecrets(result types.Result) types.Result {
	severity := dbTypes.SeverityCritical
	return filterSecrets(result, severity)
}
    60  
// filterHighSecrets backs the SECRET-HIGH check: it returns result reduced
// to the secret findings whose severity string equals
// dbTypes.SeverityHigh.String().
func filterHighSecrets(result types.Result) types.Result {
	severity := dbTypes.SeverityHigh
	return filterSecrets(result, severity)
}
    64  
// filterSecrets returns a copy of result that carries only the secret
// findings whose Severity equals severity.String(). Target, Class and Type
// are preserved; every other field of result (for example Vulnerabilities)
// is dropped from the copy.
//
// As with filterVulns, the match is an exact string comparison, so a secret
// finding with an unexpected severity value is excluded from the evidence
// rather than being treated as a failure.
func filterSecrets(result types.Result, severity dbTypes.Severity) types.Result {
	// Computed once rather than inside the predicate; the value is the same
	// for every element.
	want := severity.String()
	matchesSeverity := func(secret ftypes.SecretFinding, _ int) bool {
		return secret.Severity == want
	}
	kept := lo.Filter(result.Secrets, matchesSeverity)
	return types.Result{
		Target:  result.Target,
		Class:   result.Class,
		Type:    result.Type,
		Secrets: kept,
	}
}