From b56e4994c77afbb1a8d4b58abea4448732608f07 Mon Sep 17 00:00:00 2001
From: chenk
Date: Thu, 11 Apr 2024 12:13:50 +0300
Subject: [PATCH] fix: add policies download err msg and fallback to embeded (#2000)
Signed-off-by: chenk
---
 pkg/policy/loader.go | 6 ++++++
 pkg/policy/policy.go | 25 ++++++++++++++-----------
 2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/pkg/policy/loader.go b/pkg/policy/loader.go
index edc8982bd..ab412ed9e 100644
--- a/pkg/policy/loader.go
+++ b/pkg/policy/loader.go
@@ -12,7 +12,9 @@ import (
 mp "github.com/aquasecurity/trivy/pkg/policy"
 "github.com/bluele/gcache"
+ "github.com/go-logr/logr"
 "golang.org/x/xerrors"
+ ctrl "sigs.k8s.io/controller-runtime"
 )
 const (
@@ -29,6 +31,7 @@ type policyLoader struct {
 cache gcache.Cache
 expiration *time.Duration
 options []mp.Option
+ logger logr.Logger
 }
 func NewPolicyLoader(pr string, cache gcache.Cache, opts ...mp.Option) Loader {
@@ -38,10 +41,12 @@ func NewPolicyLoader(pr string, cache gcache.Cache, opts ...mp.Option) Loader {
 cache: cache,
 options: opts,
 expiration: &expiration,
+ logger: ctrl.Log.WithName("policyLoader"),
 }
 }
 func (pl *policyLoader) GetPolicies() ([]string, error) {
+ log := pl.logger.WithValues("Get misconfig bundle policies")
 var policies []string
 var ok bool
 val, err := pl.getPoliciesFromCache()
@@ -51,6 +56,7 @@ func (pl *policyLoader) GetPolicies() ([]string, error) {
 }
 policies, err = pl.LoadPolicies()
 if err != nil {
+ log.V(1).Error(err, "failed to load policies")
 return []string{}, nil
 }
 return policies, nil
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 4e4e9a4bd..f28cc2c1e 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
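Review bot: `log := pl.logger.WithValues("Get misconfig bundle policies")` at the top of GetPolicies passes a single argument where logr expects alternating key/value pairs, so the string ends up as a dangling key rather than a message in the emitted record. Either scope the logger by name, `log := pl.logger.WithName("GetPolicies")`, or drop the wrapper and put that wording into the message of the Error call further down. GetPolicies continues past the end of this hunk.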
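Review bot: The new `log.V(1).Error(err, "failed to load policies")` is gated on verbosity 1, so at the default level a failed bundle load still produces no output and GetPolicies returns `[]string{}, nil` exactly as before; the caller cannot tell a download failure from an empty bundle, and with the policy.go change in this commit it then proceeds on the embedded rule set without anyone being told the configured bundle was not applied. An error that degrades the effective control set should be visible by default, and the message should say what happens next: `pl.logger.Error(err, "loading policy bundle, falling back to embedded policies")`. If the V(1) gating is deliberate (for example because the loader is polled frequently), a comment on that line should say so, since the commit title promises a visible error message.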
@@ -200,14 +200,15 @@ func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[ if err != nil { return nil, fmt.Errorf("failed listing externalPolicies by kind: %s: %w", resourceKind, err) } - if len(policies) == 0 { - return nil, fmt.Errorf("no policies found for kind: %s", resourceKind) - } + memfs := memoryfs.New() - // add add policies to in-memory filesystem - err = createPolicyInputFS(memfs, policiesFolder, policies, regoExt) - if err != nil { - return nil, err + hasPolicies := len(policies) > 0 + if hasPolicies { + // add add policies to in-memory filesystem + err = createPolicyInputFS(memfs, policiesFolder, policies, regoExt) + if err != nil { + return nil, err + } } inputResource, err := resourceBytes(resource, inputs) if err != nil { @@ -223,7 +224,7 @@ func (p *Policies) Eval(ctx context.Context, resource client.Object, inputs ...[ if err != nil { return nil, err } - so := scannerOptions(policiesFolder, dataPaths, dataFS) + so := scannerOptions(policiesFolder, dataPaths, dataFS, hasPolicies) scanner := kubernetes.NewScanner(so...) scanResult, err := scanner.ScanFS(ctx, memfs, inputFolder) if err != nil { 
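Review bot: The first hunk replaces the former hard failure (`no policies found for kind: %s`) with a silent fallback: when `hasPolicies` is false, Eval goes on to scan with the scanner's embedded policies, but nothing in this hunk records that the external bundle was missing, so results produced by the built-in rules are indistinguishable from results produced by the configured bundle. The decision point deserves at least a comment next to `hasPolicies := len(policies) > 0`, e.g. `// no external policies for this kind: scannerOptions enables the embedded policy set instead`, and if Policies has a logger available an Info line there would let operators notice the degraded mode. The duplicated word in the re-added `// add add policies to in-memory filesystem` should be `// add policies to in-memory filesystem`. Eval starts and ends outside this hunk.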
@@ -271,14 +272,16 @@ func (r *Policies) HasSeverity(resultSeverity severity.Severity) bool { return strings.Contains(defaultSeverity, string(resultSeverity)) } -func scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS) []options.ScannerOption { +func scannerOptions(policiesFolder string, dataPaths []string, dataFS fs.FS, hasPolicies bool) []options.ScannerOption { optionsArray := []options.ScannerOption{ - options.ScannerWithEmbeddedPolicies(false), - options.ScannerWithEmbeddedLibraries(false), options.ScannerWithPolicyDirs(policiesFolder), options.ScannerWithDataDirs(dataPaths...), options.ScannerWithDataFilesystem(dataFS), } + if !hasPolicies { + optionsArray = append(optionsArray, options.ScannerWithEmbeddedPolicies(true)) + optionsArray = append(optionsArray, options.ScannerWithEmbeddedLibraries(true)) + } return optionsArray }
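Review bot: When `hasPolicies` is true the new scannerOptions no longer sets ScannerWithEmbeddedPolicies or ScannerWithEmbeddedLibraries at all, whereas the old code forced both to false, so behaviour for external bundles now depends on the scanner's defaults for those two options, which this hunk does not show; if the default is true, external and embedded rules would be evaluated together, which is not what the commit message describes. Setting both explicitly keeps the intent visible and removes the append branch: `options.ScannerWithEmbeddedPolicies(!hasPolicies),` and `options.ScannerWithEmbeddedLibraries(!hasPolicies),` inside the literal. If the embedded Rego libraries are in fact required by external bundles as well, that should be stated in a comment rather than left to the default.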