feat(docGen): Update defsec with trivy-* deps + use vuln-list-nvd (…

…#77) * feat(docGen): Update defsec with trivy-* deps * go mod tidy * update go to 1.20 * update a test * update .github workflows * update to use vuln-list-nvd
aquasecurity · Oct 21, 2023 · f0d3519 · f0d3519
1 parent f02235a
commit f0d3519
Show file tree

Hide file tree

Showing 12 changed files with 211 additions and 139 deletions.
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
@@ -10,10 +10,10 @@ jobs:
     #    runs-on: ubuntu-20.04
     runs-on: macos-latest
     steps:
-      - name: Set up Go 1.18
-        uses: actions/setup-go@v3
+      - name: Set up Go 1.20
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.18
+          go-version: '1.20'
         id: go
 
       - name: Setup Hugo
@@ -34,6 +34,13 @@ jobs:
           token: ${{ secrets.ORG_REPO_TOKEN }}
           path: avd-repo/vuln-list
 
+      - name: Checkout public vuln-list-nvd-repo
+        uses: actions/checkout@v3
+        with:
+          repository: aquasecurity/vuln-list-nvd
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+          path: avd-repo/vuln-list-nvd
+
       - name: Checkout public kube-hunter-repo
         uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -5,10 +5,10 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.18
-        uses: actions/setup-go@v1
+      - name: Set up Go 1.20
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.18
+          go-version: '1.20'
         id: go
 
       - name: Check out code into the Go module directory

diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
@@ -8,10 +8,10 @@ jobs:
     #    runs-on: ubuntu-20.04
     runs-on: macos-latest
     steps:
-      - name: Set up Go 1.18
-        uses: actions/setup-go@v3
+      - name: Set up Go 1.20
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.18
+          go-version: '1.20'
         id: go
 
       - name: Setup Hugo
@@ -32,6 +32,13 @@ jobs:
           token: ${{ secrets.ORG_REPO_TOKEN }}
           path: avd-repo/vuln-list
 
+      - name: Checkout public vuln-list-nvd-repo
+        uses: actions/checkout@v3
+        with:
+          repository: aquasecurity/vuln-list-nvd
+          token: ${{ secrets.ORG_REPO_TOKEN }}
+          path: avd-repo/vuln-list-nvd
+
       - name: Checkout public kube-hunter-repo
         uses: actions/checkout@v3
         with:

diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@ http.access.log
 http.error.log
 generator
 vuln-list
+vuln-list-nvd
 kube-hunter-repo
 .idea
 .DS_Store

diff --git a/Makefile b/Makefile
@@ -14,6 +14,7 @@ md-clean:
 md-clone-all:
 	# git clone [email protected]:aquasecurity/avd.git avd-repo/
 	git clone [email protected]:aquasecurity/vuln-list.git avd-repo/vuln-list
+	git clone [email protected]:aquasecurity/vuln-list-nvd.git avd-repo/vuln-list-nvd
 	git clone [email protected]:aquasecurity/kube-hunter.git avd-repo/kube-hunter-repo
 	git clone [email protected]:aquasecurity/kube-bench.git avd-repo/kube-bench-repo
 	git clone [email protected]:aquasecurity/chain-bench.git avd-repo/chain-bench-repo
@@ -24,6 +25,7 @@ md-clone-all:
 
 update-all-repos:
 	cd avd-repo/vuln-list && git pull
+	cd avd-repo/vuln-list-nvd && git pull
 	cd avd-repo/kube-hunter-repo && git pull
 	cd avd-repo/kube-bench-repo && git pull
 	cd avd-repo/chain-bench-repo && git pull

diff --git a/docGen/cspm_test.go b/docGen/cspm_test.go
@@ -20,5 +20,6 @@ func TestGenerateCloudtSploitPages(t *testing.T) {
 	require.NoError(t, err)
 
 	want, _ := ioutil.ReadFile("../goldens/cloudsploit/acm-certificate-validation.avd.md")
+
 	assert.Equal(t, string(want), string(got))
 }
diff --git a/docGen/defsec.go b/docGen/defsec.go
@@ -16,9 +16,9 @@ import (
 	"gopkg.in/yaml.v3"
 
 	"github.com/aquasecurity/defsec/pkg/framework"
-	_ "github.com/aquasecurity/defsec/pkg/rego"
-	"github.com/aquasecurity/defsec/pkg/rules"
 	"github.com/aquasecurity/defsec/pkg/scan"
+	_ "github.com/aquasecurity/trivy-iac/pkg/rego"
+	"github.com/aquasecurity/trivy-policies/pkg/rules"
 )
 
 type DefsecComplianceSpec struct {
@@ -54,7 +54,7 @@ var registeredRulesSummaries = make(map[string]string)
 
 func init() {
 	for _, rule := range rules.GetRegistered(framework.ALL) {
-		registeredRulesSummaries[rule.Rule().AVDID] = rule.Rule().Summary
+		registeredRulesSummaries[rule.GetRule().AVDID] = rule.GetRule().Summary
 	}
 }
 
@@ -143,13 +143,13 @@ func generateDefsecComplianceSpecPage(spec DefsecComplianceSpec, contentDir stri
 func generateDefsecPages(remediationDir, contentDir string) {
 	for _, r := range rules.GetRegistered(framework.ALL) {
 
-		avdId := r.Rule().AVDID
-		topLevelID := strings.ToLower(r.Rule().Provider.ConstName())
-		branchID := r.Rule().Service
+		avdId := r.GetRule().AVDID
+		topLevelID := strings.ToLower(r.GetRule().Provider.ConstName())
+		branchID := r.GetRule().Service
 		branchID = util.RemapCategory(branchID)
 
 		log.Printf("Getting remediation markdown for %s", avdId)
-		remediationDir := filepath.Join(remediationDir, strings.ToLower(r.Rule().Provider.ConstName()), strings.ReplaceAll(r.Rule().Service, "-", ""), avdId)
+		remediationDir := filepath.Join(remediationDir, strings.ToLower(r.GetRule().Provider.ConstName()), strings.ReplaceAll(r.GetRule().Service, "-", ""), avdId)
 
 		remediations := make(map[string]string)
 		docsFile := filepath.Join(remediationDir, "docs.md")
@@ -186,11 +186,11 @@ func generateDefsecPages(remediationDir, contentDir string) {
 			}
 		}
 
-		if err := generateDefsecCheckPage(r.Rule(), remediations, contentDir, docsFile, branchID); err != nil {
-			log.Printf("an error occurred writing the page for %s. %v", r.Rule().AVDID, err)
+		if err := generateDefsecCheckPage(r.GetRule(), remediations, contentDir, docsFile, branchID); err != nil {
+			log.Printf("an error occurred writing the page for %s. %v", r.GetRule().AVDID, err)
 		}
 
-		providerName := r.Rule().Provider.DisplayName()
+		providerName := r.GetRule().Provider.DisplayName()
 		misConfigurationMenu.AddNode(topLevelID, providerName, contentDir, "", []string{},
 			[]menu.BreadCrumb{}, topLevelID, true)
 		misConfigurationMenu.AddNode(branchID, branchID, filepath.Join(contentDir, topLevelID),

diff --git a/docGen/go.mod b/docGen/go.mod
@@ -1,34 +1,57 @@
 module github.com/aquasecurity/avd-generator
 
-go 1.18
+go 1.20
 
 require (
 	github.com/Masterminds/semver v1.5.0
-	github.com/aquasecurity/defsec v0.91.1
+	github.com/aquasecurity/defsec v0.93.2-0.20231016232629-e1ce1b3bb3ba
 	github.com/aquasecurity/tracee v0.7.0
+	github.com/aquasecurity/trivy-iac v0.3.0
+	github.com/aquasecurity/trivy-policies v0.3.0
 	github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2
 	github.com/leekchan/gtf v0.0.0-20190214083521-5fba33c5b00b
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	github.com/umisama/go-cpe v0.0.0-20190323060751-cdd6c3c28a23
 	github.com/valyala/fastjson v1.5.3
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	github.com/cloudflare/circl v1.1.0 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pjbgf/sha1cd v0.2.3 // indirect
-	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/skeema/knownhosts v1.2.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	go.opentelemetry.io/otel v1.16.0 // indirect
+	go.opentelemetry.io/otel/metric v1.16.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.16.0 // indirect
+	go.opentelemetry.io/otel/trace v1.16.0 // indirect
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/tools v0.8.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 require (
-	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
@@ -38,36 +61,34 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.4.0 // indirect
-	github.com/go-git/go-git/v5 v5.5.2 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.4.1 // indirect
+	github.com/go-git/go-git/v5 v5.8.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.14.1 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/hashicorp/hcl/v2 v2.18.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/liamg/iamgo v0.0.9 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15 // indirect
-	github.com/owenrumney/squealer v1.1.1 // indirect
+	github.com/open-policy-agent/opa v0.57.0 // indirect
+	github.com/owenrumney/squealer v1.2.1 // indirect
 	github.com/parnurzeal/gorequest v0.2.16 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/yashtewari/glob-intersection v0.1.0 // indirect
-	github.com/zclconf/go-cty v1.10.0 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
+	github.com/zclconf/go-cty v1.13.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/exp v0.0.0-20220823124025-807a23277127
+	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect