Merge pull request #11 from aquasecurity/owenr-upload-policy-failures

Pass the policy failures to the server
aquasecurity · Dec 8, 2021 · 23b50b8 · 23b50b8
2 parents 5058727 + 4d2ffe2
commit 23b50b8
Show file tree

Hide file tree

Showing 11 changed files with 537 additions and 317 deletions.
diff --git a/cmd/aqua/main.go b/cmd/aqua/main.go
@@ -61,17 +61,21 @@ var rootCmd = &cobra.Command{
 			return err
 		}
 
-		iacResults, breakBuild := processor.ProcessResults(client, results)
+		iacResults, policyFailures := processor.ProcessResults(client, results)
 		if err != nil {
 			return err
 		}
 
-		if err := uploader.Upload(client, iacResults, tags); err != nil {
+		if err := uploader.Upload(client, iacResults, policyFailures, tags); err != nil {
 			return err
 		}
 
-		if breakBuild {
-			return fmt.Errorf("build failed to satisfy all policies")
+		if len(policyFailures) > 0 {
+			for _, failure := range policyFailures {
+				if failure.Enforced {
+					return fmt.Errorf("build failed to satisfy all policies")
+				}
+			}
 		}
 
 		return nil

diff --git a/pkg/buildClient/client.go b/pkg/buildClient/client.go
@@ -13,7 +13,7 @@ import (
 )
 
 type Client interface {
-	Upload([]*buildsecurity.Result, map[string]string) error
+	Upload([]*buildsecurity.Result, []*buildsecurity.PolicyFailure, map[string]string) error
 	GetPoliciesForRepository() ([]*buildsecurity.Policy, error)
 	GetOrCreateRepository() (string, error)
 }

diff --git a/pkg/buildClient/upload.go b/pkg/buildClient/upload.go
@@ -9,7 +9,8 @@ import (
 	"github.com/aquasecurity/trivy-plugin-aqua/pkg/proto/buildsecurity"
 )
 
-func (bc *TwirpClient) Upload(results []*buildsecurity.Result, tags map[string]string) error {
+func (bc *TwirpClient) Upload(results []*buildsecurity.Result, policyFailures []*buildsecurity.PolicyFailure,
+	tags map[string]string) error {
 	client := buildsecurity.NewBuildSecurityProtobufClient(bc.aquaUrl, &http.Client{})
 	ctx := context.Background()
 
@@ -28,13 +29,14 @@ func (bc *TwirpClient) Upload(results []*buildsecurity.Result, tags map[string]s
 	buildSystem := metadata.GetBuildSystem()
 
 	createScanReq := &buildsecurity.CreateScanReq{
-		RepositoryID: bc.repoId,
-		Results:      results,
-		User:         gitUser,
-		Branch:       branch,
-		Commit:       commitId,
-		System:       buildSystem,
-		Tags:         tags,
+		RepositoryID:   bc.repoId,
+		Results:        results,
+		PolicyFailures: policyFailures,
+		User:           gitUser,
+		Branch:         branch,
+		Commit:         commitId,
+		System:         buildSystem,
+		Tags:           tags,
 	}
 
 	_, err = client.CreateScan(ctx, createScanReq)

diff --git a/pkg/processor/result_processor.go b/pkg/processor/result_processor.go
@@ -14,7 +14,7 @@ import (
 
 // ProcessResults downloads the latest policies for the repository the process the results
 // while evaluating them against the policies
-func ProcessResults(client buildClient.Client, report report.Results) (results []*buildsecurity.Result, buildBreaker bool) {
+func ProcessResults(client buildClient.Client, report report.Results) (results []*buildsecurity.Result, failedPolicies []*buildsecurity.PolicyFailure) {
 	downloadedPolicies, err := client.GetPoliciesForRepository()
 	if err != nil {
 		log.Logger.Errorf("Could not download the repository policies. %w", err)
@@ -25,17 +25,19 @@ func ProcessResults(client buildClient.Client, report report.Results) (results [
 	for _, rep := range report {
 		for _, miscon := range rep.Misconfigurations {
 
-			if hasPolicies && hasPolicyMatch(miscon, downloadedPolicies) {
-				buildBreaker = true
-			}
-
 			var r buildsecurity.Result
 			resource := fmt.Sprintf("%s Resource", strings.Title(rep.Type))
 			if miscon.IacMetadata.Resource != "" {
 				resource = miscon.IacMetadata.Resource
 			}
 
-			if miscon.Status == "FAIL" {
+			if miscon.Status == types.StatusFailure {
+				if hasPolicies {
+					if failedPolicy := checkAgainstPolicies(miscon, downloadedPolicies); failedPolicy != nil {
+						failedPolicies = append(failedPolicies, failedPolicy...)
+					}
+				}
+
 				r.AVDID = miscon.ID
 				r.Title = miscon.Title
 				r.Message = miscon.Message
@@ -50,33 +52,45 @@ func ProcessResults(client buildClient.Client, report report.Results) (results [
 			}
 		}
 	}
-	return results, buildBreaker
+	return results, failedPolicies
 }
 
-func hasPolicyMatch(miscon types.DetectedMisconfiguration, policies []*buildsecurity.Policy) bool {
+func checkAgainstPolicies(miscon types.DetectedMisconfiguration, policies []*buildsecurity.Policy) (policyFailures []*buildsecurity.PolicyFailure) {
 	for _, policy := range policies {
+		var failed bool
 		controls := policy.GetControls()
 		for _, control := range controls {
 
-			if control.Global {
-				return true
+			if scanner.MatchResultSeverity(miscon.Severity) >= control.Severity && control.Severity != buildsecurity.SeverityEnum_SEVERITY_UNKNOWN {
+				failed = true
 			}
 
 			if strings.ToLower(control.Provider) == strings.ToLower(miscon.IacMetadata.Provider) && control.Service == "" {
-				return true
+				failed = true
+				break
 			}
 
 			if strings.ToLower(control.Provider) == strings.ToLower(miscon.IacMetadata.Provider) &&
 				strings.ToLower(control.Service) == strings.ToLower(miscon.IacMetadata.Service) {
-				return true
+				failed = true
+				break
 			}
 
-			for _, avdiD := range control.AVDIDs {
-				if avdiD == miscon.ID {
-					return true
+			for _, avdID := range control.AVDIDs {
+				if avdID == miscon.ID {
+					failed = true
+					break
 				}
 			}
 		}
+
+		if failed {
+			policyFailures = append(policyFailures, &buildsecurity.PolicyFailure{
+				PolicyID: policy.PolicyID,
+				Enforced: policy.Enforced,
+			})
+		}
+
 	}
-	return false
+	return policyFailures
 }
diff --git a/pkg/proto/buildsecurity.proto b/pkg/proto/buildsecurity.proto
@@ -40,8 +40,9 @@ message CreateScanReq {
   string User = 3;
   string System = 4;
   string Commit = 5;
-  repeated Result Results = 6;
-  map<string, string> Tags = 7;
+  repeated PolicyFailure PolicyFailures = 6;
+  repeated Result Results = 7;
+  map<string, string> Tags = 8;
 }
 
 message CreateScanResp {
@@ -50,14 +51,20 @@ message CreateScanResp {
 
 message Policy {
   string PolicyID = 1;
-  repeated PolicyControl Controls = 2;
+  bool Enforced = 2;
+  repeated PolicyControl Controls = 3;
 }
 
 message PolicyControl {
-  bool Global = 1;
-  string Provider = 2;
-  string Service = 3;
-  repeated string AVDIDs = 4;
+  string Provider = 1;
+  string Service = 2;
+  repeated string AVDIDs = 3;
+  SeverityEnum Severity = 4;
+}
+
+message PolicyFailure {
+  string PolicyID = 1;
+  bool Enforced = 2;
 }
 
 message Result {
@@ -73,18 +80,19 @@ message Result {
     TYPE_HCL = 6;
   }
   TypeEnum Type = 4;
-  enum SeverityEnum {
-    SEVERITY_UNKNOWN = 0;
-    SEVERITY_LOW = 1;
-    SEVERITY_MEDIUM = 2;
-    SEVERITY_HIGH = 3;
-    SEVERITY_CRITICAL = 4;
-    SEVERITY_MAX = 5;
-  }
   SeverityEnum Severity = 5;
   string Title = 6;
   string Filename = 7;
   int32 StartLine = 8;
   int32 EndLine = 9;
   string Resource = 10;
+}
+
+enum SeverityEnum {
+  SEVERITY_UNKNOWN = 0;
+  SEVERITY_LOW = 1;
+  SEVERITY_MEDIUM = 2;
+  SEVERITY_HIGH = 3;
+  SEVERITY_CRITICAL = 4;
+  SEVERITY_MAX = 5;
 }