Merge pull request #5 from obadiaspelembe/release/1.0.0

feat: improve lint and check commands (#4)
obadiaspelembe · Aug 20, 2023 · 229a37c · 229a37c
2 parents f113a57 + 65abd74
commit 229a37c
Show file tree

Hide file tree

Showing 20 changed files with 374 additions and 140 deletions.
diff --git a/.scripts/docker-scout.ps1 b/.scripts/docker-scout.ps1
@@ -0,0 +1,8 @@
+
+$reportFileName = "report.json"
+
+$dockerImageName = "hello-world"
+
+$command = "docker scout cves $dockerImageName --format sarif --output $reportFileName"
+
+Invoke-Expression $command
diff --git a/.scripts/exec.ps1 b/.scripts/exec.ps1
@@ -0,0 +1,6 @@
+$goExecutable = "go.exe"
+$goFile = "internal\main.go"
+
+$command = "$goExecutable run $goFile exec -r cves-report.example.json -p policy.example.yaml"
+
+Invoke-Expression $command
diff --git a/.scripts/lint.ps1 b/.scripts/lint.ps1
@@ -0,0 +1,6 @@
+$goExecutable = "go.exe"
+$goFile = "internal\main.go"
+
+$command = "$goExecutable run $goFile lint -r cves-report.example.json -p policy.example.yaml"
+
+Invoke-Expression $command
diff --git a/README.md b/README.md
@@ -1,15 +1,21 @@
 # CVES-Guard
 
-cvesguard (Short form of Docker Scout CVES Guard) is a tool to policy docker images cves vulnerabilities through a policy manifest in your pipeline. This tool helps CI/CD engineers to determine whether a Docker Image can be deployed after docker scout command execution.
+cvesguard (Short form of Docker Scout CVES Guard) is a tool to police docker images cves vulnerabilities through a policy manifest in your pipeline. This tool helps CI/CD engineers to determine whether a Docker Image can be deployed after docker scout command execution.
 
 ## How to use cvesguard
 
+cvesguard is based on docker scout command with sarif format to json. You can run the command as per example:
+
+
+```bash
+docker scout cves hello-world --format sarif --output cves-report.json
+```
 There're few commands available for cvesguard tool.
 
 ### Lint
 Validates if the policy and cves files are compliant with the schema .
 
-```
+``` bash
 cvesguard lint --policy policy.yaml --cves-report cves-report.json
 
 or
@@ -18,15 +24,15 @@ cvesguard lint -p policy.yaml -r cves-report.json
 
 ```
 
-### Apply
-Applies the specified policy in the manifest.
+### Exec policy
+Checks the specified policy in the manifest.
 
-```
-cvesguard apply --policy policy.yaml --cves-report cves-report.json
+```bash
+cvesguard exec --policy policy.yaml --cves-report cves-report.json
 
 or
 
-cvesguard apply -p policy.yaml -r cves-report.json
+cvesguard exec -p policy.yaml -r cves-report.json
 
 ```
 
@@ -40,14 +46,61 @@ policy.yaml
 
 ```
 ---
-version: v1.0.0
-name: policy-name
-kind: Vulnerability
+version: v1.0.0 
 spec:
   config:
-    critical: 4
-    high: 2
-    medium: 2
-    low: 2
+    vulnerability:
+      critical: 0
+      high: 0
+      medium: 100
+      low: 2
+    packages:
+      - name: log4j
+        action: ignore
+        severity:
+          - critical
+          - high
 ```
 
+### POLICY
+
+| Attribute| Type | Required |
+|----------|----------|----------|
+| version | Text | yes |
+| spec | [Spec](#spec) | yes |
+
+
+### Spec
+| Attribute| Type | Required |
+|----------|----------|----------| 
+| config | [Config](#config) | yes |
+
+### Config
+
+| Attribute| Type | Required |
+|----------|----------|----------| 
+| vulnerability | [Vulnerability](#vulnerability) | yes |
+| packages | List-[Package](#package) | No |
+
+### Vulnerability
+| Attribute| Type | Required |
+|----------|----------|----------|
+| critical | Number | yes | 
+| high | Number | yes | 
+| medium | Number | yes | 
+| low | Number | yes | 
+
+### Package
+| Attribute| Type | Required |
+|----------|----------|----------|
+| name | Text | yes | 
+| action | Text - Available options `allow` and `deny` | yes | 
+| severity | List - Available options `critical`, `high`, `medium` and `low` | yes | 
+
+## Contributing
+
+Contributions are welcome! Please do not hesitate to submit a Pull Request.
+
+## License
+
+This project is licensed under the MIT License.
diff --git a/cmd/apply.go b/cmd/apply.go
diff --git a/cmd/exec.go b/cmd/exec.go
@@ -0,0 +1,18 @@
+package cmd
+
+import (
+	"obadiaspelembe/cves-guard/utils"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var execCommand = &cobra.Command{
+	Use:   "exec",
+	Short: "exec policy check into cves-report",
+	Run: func(cmd *cobra.Command, args []string) {
+		if !utils.ExecPolicy(cmd.Flag("policy").Value.String(), cmd.Flag("cves-report").Value.String()) {
+			os.Exit(1)
+		}
+	},
+}
diff --git a/tests/apply_test.go → cmd/exec_test.go b/tests/apply_test.go → cmd/exec_test.go
@@ -1,12 +1,13 @@
-package tests
+package cmd
 
 import (
+	"obadiaspelembe/cves-guard/utils"
 	"testing"
+
 	"github.com/stretchr/testify/assert"
-	"obadiaspelembe/cves-guard/utils"
 )
 
-func TestApply(t *testing.T) {
-	result := utils.ApplyPolicy("policy.example.yaml", "cves-report.example.json")
+func TestCheck(t *testing.T) {
+	result := utils.ExecPolicy("policy.example.yaml", "cves-report.example.json")
 	assert.Equal(t, true, result, "Should return true")
-}
+}
diff --git a/tests/lint_test.go → cmd/lint_test.go b/tests/lint_test.go → cmd/lint_test.go
@@ -1,12 +1,13 @@
-package tests
+package cmd
 
 import (
+	"obadiaspelembe/cves-guard/utils"
 	"testing"
+
 	"github.com/stretchr/testify/assert"
-	"obadiaspelembe/cves-guard/utils"
 )
 
 func TestLintValidate(t *testing.T) {
 	result := utils.Validate("policy.example.yaml", "cves-report.example.json")
-	assert.Equal(t, false, result, "Should return false")
-}
+	assert.Equal(t, true, result, "Should return true")
+}
diff --git a/cmd/root.go b/cmd/root.go
@@ -23,16 +23,15 @@ func Execute() {
 
 	lintCommand.Flags().StringVarP(&policy, "policy", "p", "", "Policy is required")
 	lintCommand.Flags().StringVarP(&report, "cves-report", "r", "", "CVES report filename")
-
-	applyCommand.Flags().StringVarP(&policy, "policy", "p", "", "Policy is required")
-	applyCommand.Flags().StringVarP(&report, "cves-report", "r", "", "CVES report filename")
-
-	lintCommand.MarkFlagRequired("cves-report")
-	applyCommand.MarkFlagRequired("cves-report")
 
+	execCommand.Flags().StringVarP(&policy, "policy", "p", "", "Policy is required")
+	execCommand.Flags().StringVarP(&report, "cves-report", "r", "", "CVES report filename")
+
+	lintCommand.MarkFlagRequired("cves-report")
+	execCommand.MarkFlagRequired("cves-report")
 
 	rootCommand.AddCommand(lintCommand)
-	rootCommand.AddCommand(applyCommand)
+	rootCommand.AddCommand(execCommand)
 
 	if err := rootCommand.Execute(); err != nil {
 		fmt.Println(err)

diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/grahms/godantic v1.0.0 // indirect
+	github.com/grahms/godantic v1.0.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/cobra v1.7.0 // indirect

diff --git a/go.sum b/go.sum
@@ -3,6 +3,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/grahms/godantic v1.0.0 h1:uWm3Ym5Uk12iQlB0wF0bpZTeY7+ACLB8VihwkChJOlM=
 github.com/grahms/godantic v1.0.0/go.mod h1:nb4Jbhv0yUk+cFkh/sehBwSxy1EgPST9LgjRBRSrhzE=
+github.com/grahms/godantic v1.0.2 h1:CnFV08+GfEHXQ4LYdpLn6PZoakp6X6b9z+5XR4yuTRg=
+github.com/grahms/godantic v1.0.2/go.mod h1:nb4Jbhv0yUk+cFkh/sehBwSxy1EgPST9LgjRBRSrhzE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

diff --git a/internal/main.go b/internal/main.go
@@ -7,6 +7,6 @@ import (
 
 
 
-  func main() {
+func main() {
 	cmd.Execute()
 }
diff --git a/policy.example.yaml b/policy.example.yaml
@@ -1,10 +1,16 @@
 ---
-version: v1.0.0
-name: policy-name
-kind: Vulnerability
+version: v1.0.0 
 spec:
   config:
-    critical: 2
-    high: 2
-    medium: 2
-    low: 2
+    vulnerability:
+      critical: 1
+      high: 40
+      medium: 12
+      low: 10
+    packages:
+      - name: stdlib
+        action: deny
+        severity:
+          - critical
+          - high
+
diff --git a/utils/constants.go b/utils/constants.go
@@ -0,0 +1,15 @@
+package utils
+
+const (
+	SERVERITY_LOW         = "LOW"
+	SERVERITY_MEDIUM      = "MEDIUM"
+	SERVERITY_HIGH        = "HIGH"
+	SERVERITY_CRITICAL    = "CRITICAL"
+	SERVERITY_UNSPECIFIED = "UNSPECIFIED"
+
+	VULNERABILITY_SEVERITY = "Severity"
+	VULNERABILITY_PACKAGE  = "Package"
+
+	POLICY_PACKAGE_ACTIONS_DENY = "DENY"
+	POLICY_PACKAGE_ACTIONS_ALLOW = "ALLOW"
+)
diff --git a/utils/general.go b/utils/general.go
@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+)
+
+func containerStringInList(list []string, target string) bool {
+	for _, value := range list {
+		if strings.ToUpper(value) == target {
+			return true
+		}
+	}
+	return false
+}
+
+func checkPackageAction(cvesPackage CVESData, pPackage Package) bool {
+
+	packageAction := strings.ToUpper(*pPackage.Action)
+
+	if packageAction == POLICY_PACKAGE_ACTIONS_DENY {
+		pkgs := strings.Join(*pPackage.Severity, ", ")
+		pkgs = strings.ToUpper(pkgs)
+		fmt.Println("[", packageAction, "]:", " Package ", *pPackage.Name, pkgs, "severity")
+		return true
+	}
+
+	return false
+}
+
+func logVulnerability(severity string, reportSeverity int, policySeverity int) {
+	fmt.Println("[ DENY ]: ", severity, "unexpected: Found", reportSeverity, "/", policySeverity)
+}