apply annotations to root asset, instead of the job config. bump cnqu…

…ery to v9.3.1 (#881)
mondoohq · Oct 24, 2023 · 8d7d81c · 8d7d81c
1 parent 5c01060
commit 8d7d81c
Show file tree

Hide file tree

Showing 9 changed files with 194 additions and 217 deletions.
diff --git a/apps/cnspec/cmd/scan.go b/apps/cnspec/cmd/scan.go
@@ -187,7 +187,6 @@ type scanConfig struct {
  PolicyPaths []string
  PolicyNames []string
  Props map[string]string
- Annotations map[string]string
  Bundle *policy.Bundle
  runtime *providers.Runtime
 
@@ -210,11 +209,6 @@ func getCobraScanConfig(cmd *cobra.Command, runtime *providers.Runtime, cliRes *
  log.Fatal().Err(err).Msg("failed to parse props")
  }
 
- inv, err := inventoryloader.ParseOrUse(cliRes.Asset, viper.GetBool("insecure"))
- if err != nil {
- log.Fatal().Err(err).Msg("failed to parse inventory")
- }
-
  // annotations are user-added, editable labels for assets and are optional, therefore we do not need to check for err
  annotations, _ := cmd.Flags().GetStringToString("annotation")
  // merge the config and the user-provided annotations with the latter having precedence
@@ -225,6 +219,12 @@ func getCobraScanConfig(cmd *cobra.Command, runtime *providers.Runtime, cliRes *
  for k, v := range annotations {
  optAnnotations[k] = v
  }
+
+ inv, err := inventoryloader.ParseOrUse(cliRes.Asset, viper.GetBool("insecure"), optAnnotations)
+ if err != nil {
+ log.Fatal().Err(err).Msg("failed to parse inventory")
+ }
+
  conf := scanConfig{
  Features: opts.GetFeatures(),
  IsIncognito: viper.GetBool("incognito"),
@@ -234,7 +234,6 @@ func getCobraScanConfig(cmd *cobra.Command, runtime *providers.Runtime, cliRes *
  ScoreThreshold: viper.GetInt("score-threshold"),
  Props: props,
  runtime: runtime,
- Annotations: optAnnotations,
  }
 
  // if users want to get more information on available output options,
@@ -348,7 +347,6 @@ func RunScan(config *scanConfig, scannerOpts ...scan.ScannerOption) (*policy.Rep
  Bundle: config.Bundle,
  PolicyFilters: config.PolicyNames,
  Props: config.Props,
- Annotations: config.Annotations,
  })
  } else {
  res, err = scanner.Run(
@@ -358,7 +356,6 @@ func RunScan(config *scanConfig, scannerOpts ...scan.ScannerOption) (*policy.Rep
  Bundle: config.Bundle,
  PolicyFilters: config.PolicyNames,
  Props: config.Props,
- Annotations: config.Annotations,
  })
  }
 

diff --git a/apps/cnspec/cmd/serve.go b/apps/cnspec/cmd/serve.go
@@ -163,8 +163,12 @@ func getServeConfig() (*scanConfig, error) {
  }
  }
 
+ optAnnotations := opts.Annotations
+ if optAnnotations == nil {
+ optAnnotations = map[string]string{}
+ }
  var err error
- conf.Inventory, err = inventoryloader.ParseOrUse(nil, viper.GetBool("insecure"))
+ conf.Inventory, err = inventoryloader.ParseOrUse(nil, viper.GetBool("insecure"), optAnnotations)
  if err != nil {
  return nil, errors.Wrap(err, "could not load configuration")
  }

diff --git a/go.mod b/go.mod
@@ -40,7 +40,7 @@ require (
  sigs.k8s.io/yaml v1.3.0
 )
 
-require go.mondoo.com/cnquery/v9 v9.3.0
+require go.mondoo.com/cnquery/v9 v9.3.1
 
 require (
  4d63.com/gocheckcompilerdirectives v1.2.1 // indirect

diff --git a/go.sum b/go.sum
@@ -948,8 +948,8 @@ go-simpler.org/assert v0.6.0 h1:QxSrXa4oRuo/1eHMXSBFHKvJIpWABayzKldqZyugG7E=
 go-simpler.org/assert v0.6.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28=
 go-simpler.org/sloglint v0.1.2 h1:IjdhF8NPxyn0Ckn2+fuIof7ntSnVUAqBFcQRrnG9AiM=
 go-simpler.org/sloglint v0.1.2/go.mod h1:2LL+QImPfTslD5muNPydAEYmpXIj6o/WYcqnJjLi4o4=
-go.mondoo.com/cnquery/v9 v9.3.0 h1:Pem6eY7hZ/k1R3McAxA2cNefYijFWEygMSWbQ7kUJhg=
-go.mondoo.com/cnquery/v9 v9.3.0/go.mod h1:lIptJpbrsnWSWIWYlKuNKLq8tazzR9XR5zr0GDUm0V8=
+go.mondoo.com/cnquery/v9 v9.3.1 h1:P96JYBDM9kF3BQzvql2wV7rXz1NXAEzy98V56JXQiA4=
+go.mondoo.com/cnquery/v9 v9.3.1/go.mod h1:lIptJpbrsnWSWIWYlKuNKLq8tazzR9XR5zr0GDUm0V8=
 go.mondoo.com/ranger-rpc v0.5.2 h1:UrcVtMIinzfWsuSzZKibbMqcGZSARInKJi0Xs2AxXeU=
 go.mondoo.com/ranger-rpc v0.5.2/go.mod h1:y5qqdFhOnSLKnAo8lXC0FKZoKLUYgLENvneww+q+7ws=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=

diff --git a/policy/cnspec_policy.pb.go b/policy/cnspec_policy.pb.go
diff --git a/policy/scan/local_scanner.go b/policy/scan/local_scanner.go
@@ -261,9 +261,10 @@ func (s *LocalScanner) distributeJob(job *Job, ctx context.Context, upstream *up
  continue
  }
 
- // for all discovered assets, we apply mondoo-specific labels that come from the root asset
+ // for all discovered assets, we apply mondoo-specific labels and annotations that come from the root asset
  for _, a := range runtime.Provider.Connection.GetInventory().GetSpec().GetAssets() {
  a.AddMondooLabels(resolvedAsset)
+ a.AddAnnotations(resolvedAsset.GetAnnotations())
  }
  processedAssets, err := providers.ProcessAssetCandidates(runtime, runtime.Provider.Connection, upstream, "")
  if err != nil {
@@ -334,8 +335,6 @@ func (s *LocalScanner) distributeJob(job *Job, ctx context.Context, upstream *up
 
  justAssets := []*inventory.Asset{}
  for _, asset := range assets {
- // apply all annotations to the assets to be scanned
- asset.asset.AddAnnotations(job.GetAnnotations())
  asset.asset.KindString = asset.asset.GetPlatform().Kind
  for k, v := range runtimeLabels {
  if asset.asset.Labels == nil {