inserting scan source

kubescape · Mar 25, 2022 · db5fdd7 · db5fdd7
1 parent 4be2104
commit db5fdd7
Show file tree

Hide file tree

Showing 23 changed files with 107 additions and 134 deletions.
diff --git a/cmd/go.mod b/cmd/go.mod
@@ -7,7 +7,7 @@ replace github.com/armosec/kubescape/core => ../core
 require (
 	github.com/armosec/k8s-interface v0.0.68
 	github.com/armosec/kubescape/core v0.0.0-00010101000000-000000000000
-	github.com/armosec/opa-utils v0.0.125
+	github.com/armosec/opa-utils v0.0.126
 	github.com/armosec/rbac-utils v0.0.14
 	github.com/google/uuid v1.3.0
 	github.com/mattn/go-isatty v0.0.14

diff --git a/cmd/go.sum b/cmd/go.sum
@@ -109,8 +109,8 @@ github.com/armosec/k8s-interface v0.0.66/go.mod h1:vwprS8qn/iowd5yf0JHpqDsLA5I8W
 github.com/armosec/k8s-interface v0.0.68 h1:6CtSakISiI47YHkxh+Va9FzZQIBkWa6g9sbiNxq1Zkk=
 github.com/armosec/k8s-interface v0.0.68/go.mod h1:PeWn41C2uenZi+xfZdyFF/zG5wXACA00htQyknDUWDE=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.125 h1:ZA7v3kvqITwazhFkvZuGP/bc/VChsYWQdrDcvyf2qsw=
-github.com/armosec/opa-utils v0.0.125/go.mod h1:gap+EaLG5rnyqvIRGxtdNDC9y7VvoGNm90zK8Ls7avQ=
+github.com/armosec/opa-utils v0.0.126 h1:AVqVWdYcdaqZ8jK92nmZhVy43vh//ITBBjLA4722Vl8=
+github.com/armosec/opa-utils v0.0.126/go.mod h1:gap+EaLG5rnyqvIRGxtdNDC9y7VvoGNm90zK8Ls7avQ=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
 github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
 github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=

diff --git a/cmd/rootutils.go b/cmd/rootutils.go
@@ -44,7 +44,7 @@ func initLoggerLevel() {
 }
 
 func initCacheDir() {
-	if rootInfo.CacheDir == getter.DefaultLocalStore {
+	if rootInfo.CacheDir != getter.DefaultLocalStore {
 		getter.DefaultLocalStore = rootInfo.CacheDir
 	} else if cacheDir := os.Getenv("KS_CACHE_DIR"); cacheDir != "" {
 		getter.DefaultLocalStore = cacheDir

diff --git a/core/cautils/datastructures.go b/core/cautils/datastructures.go
@@ -7,7 +7,6 @@ import (
 	apis "github.com/armosec/opa-utils/reporthandling/apis"
 	"github.com/armosec/opa-utils/reporthandling/results/v1/resourcesresults"
 	reporthandlingv2 "github.com/armosec/opa-utils/reporthandling/v2"
-	v2 "github.com/armosec/opa-utils/reporthandling/v2"
 )
 
 // K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
@@ -20,16 +19,18 @@ type OPASessionObj struct {
 	Policies              []reporthandling.Framework             // list of frameworks to scan
 	AllResources          map[string]workloadinterface.IMetadata // all scanned resources, map[<rtesource ID>]<resource>
 	ResourcesResult       map[string]resourcesresults.Result     // resources scan results, map[<rtesource ID>]<resource result>
+	ResourceSource        map[string]string                      // resources sources, map[<rtesource ID>]<resource result>
 	PostureReport         *reporthandling.PostureReport          // scan results v1 - Remove
 	Report                *reporthandlingv2.PostureReport        // scan results v2 - Remove
 	Exceptions            []armotypes.PostureExceptionPolicy     // list of exceptions to apply on scan results
 	RegoInputData         RegoInputData                          // input passed to rgo for scanning. map[<control name>][<input arguments>]
 	Metadata              *reporthandlingv2.Metadata
 	InfoMap               map[string]apis.StatusInfo // Map errors of resources to StatusInfo
 	ResourceToControlsMap map[string][]string        // map[<apigroup/apiversion/resource>] = [<control_IDs>]
+	SessionID             string                     // SessionID
 }
 
-func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources) *OPASessionObj {
+func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources, scanInfo *ScanInfo) *OPASessionObj {
 	return &OPASessionObj{
 		Report:                &reporthandlingv2.PostureReport{},
 		Policies:              frameworks,
@@ -38,11 +39,13 @@ func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SRe
 		ResourcesResult:       make(map[string]resourcesresults.Result),
 		InfoMap:               make(map[string]apis.StatusInfo),
 		ResourceToControlsMap: make(map[string][]string),
+		ResourceSource:        make(map[string]string),
+		SessionID:             scanInfo.ScanID,
 		PostureReport: &reporthandling.PostureReport{
 			ClusterName:  ClusterName,
 			CustomerGUID: CustomerGUID,
 		},
-		Metadata: &v2.Metadata{},
+		Metadata: scanInfoToScanMetadata(scanInfo),
 	}
 }
 

diff --git a/core/cautils/scaninfo.go b/core/cautils/scaninfo.go
@@ -8,10 +8,12 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/core/cautils/getter"
 	"github.com/armosec/kubescape/core/cautils/logger"
 	"github.com/armosec/kubescape/core/cautils/logger/helpers"
 	"github.com/armosec/opa-utils/reporthandling"
+	reporthandlingv2 "github.com/armosec/opa-utils/reporthandling/v2"
 )
 
 const (
@@ -78,7 +80,7 @@ type ScanInfo struct {
 	Silent             bool                              // Silent mode - Do not print progress logs
 	FailThreshold      float32                           // Failure score threshold
 	Submit             bool                              // Submit results to Armo BE
-	ReportID           string                            // Report id of the current scan
+	ScanID             string                            // Report id of the current scan
 	HostSensorEnabled  BoolPtrFlag                       // Deploy ARMO K8s host scanner to collect data from certain controls
 	HostSensorYamlPath string                            // Path to hostsensor file
 	Local              bool                              // Do not submit results
@@ -187,3 +189,41 @@ func (scanInfo *ScanInfo) contains(policyName string) bool {
 	}
 	return false
 }
+
+func scanInfoToScanMetadata(scanInfo *ScanInfo) *reporthandlingv2.Metadata {
+	metadata := &reporthandlingv2.Metadata{}
+
+	metadata.ClusterMetadata.ContextName = k8sinterface.GetClusterName()
+	metadata.ScanMetadata.Format = scanInfo.Format
+	metadata.ScanMetadata.Submit = scanInfo.Submit
+
+	// TODO - Add excluded and included namespaces
+	// if len(scanInfo.ExcludedNamespaces) > 1 {
+	// 	opaSessionObj.Metadata.ScanMetadata.ExcludedNamespaces = strings.Split(scanInfo.ExcludedNamespaces[1:], ",")
+	// }
+	// if len(scanInfo.IncludeNamespaces) > 1 {
+	// 	opaSessionObj.Metadata.ScanMetadata.IncludeNamespaces = strings.Split(scanInfo.IncludeNamespaces[1:], ",")
+	// }
+
+	// scan type
+	if len(scanInfo.PolicyIdentifier) > 0 {
+		metadata.ScanMetadata.TargetType = string(scanInfo.PolicyIdentifier[0].Kind)
+	}
+	// append frameworks
+	for _, policy := range scanInfo.PolicyIdentifier {
+		metadata.ScanMetadata.TargetNames = append(metadata.ScanMetadata.TargetNames, policy.Name)
+	}
+
+	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
+	metadata.ScanMetadata.FailThreshold = scanInfo.FailThreshold
+	metadata.ScanMetadata.HostScanner = scanInfo.HostSensorEnabled.GetBool()
+	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
+	metadata.ScanMetadata.ControlsInputs = scanInfo.ControlsInputs
+
+	metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Cluster
+	if scanInfo.GetScanningEnvironment() == ScanLocalFiles {
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Files
+	}
+
+	return metadata
+}
diff --git a/core/core/scan.go b/core/core/scan.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/google/uuid"
 
 	"github.com/armosec/kubescape/core/cautils"
 	"github.com/armosec/kubescape/core/cautils/getter"
@@ -31,6 +32,9 @@ type componentInterfaces struct {
 }
 
 func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
+	if scanInfo.ScanID == "" {
+		scanInfo.ScanID = uuid.NewString()
+	}
 
 	// ================== setup k8s interface object ======================================
 	var k8s *k8sinterface.KubernetesApi
@@ -86,7 +90,7 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 	// ================== setup reporter & printer objects ======================================
 
 	// reporting behavior - setup reporter
-	reportHandler := getReporter(tenantConfig, scanInfo.ReportID, scanInfo.Submit, scanInfo.FrameworkScan, len(scanInfo.InputPatterns) == 0)
+	reportHandler := getReporter(tenantConfig, scanInfo.ScanID, scanInfo.Submit, scanInfo.FrameworkScan, len(scanInfo.InputPatterns) == 0)
 
 	// setup printer
 	printerHandler := resultshandling.NewPrinter(scanInfo.Format, scanInfo.FormatVersion, scanInfo.VerboseMode)

diff --git a/core/core/submit.go b/core/core/submit.go
@@ -20,7 +20,7 @@ func (ks *Kubescape) Submit(submitInterfaces cliinterfaces.SubmitInterfaces) err
 		return err
 	}
 	// report
-	if err := submitInterfaces.Reporter.ActionSendReport(&cautils.OPASessionObj{PostureReport: postureReport, AllResources: allresources}); err != nil {
+	if err := submitInterfaces.Reporter.Submit(&cautils.OPASessionObj{PostureReport: postureReport, AllResources: allresources}); err != nil {
 		return err
 	}
 	logger.L().Success("Data has been submitted successfully")

diff --git a/core/go.mod b/core/go.mod
@@ -5,7 +5,7 @@ go 1.17
 require (
 	github.com/armosec/armoapi-go v0.0.58
 	github.com/armosec/k8s-interface v0.0.68
-	github.com/armosec/opa-utils v0.0.125
+	github.com/armosec/opa-utils v0.0.126
 	github.com/armosec/rbac-utils v0.0.14
 	github.com/armosec/utils-go v0.0.3
 	github.com/armosec/utils-k8s-go v0.0.3

diff --git a/core/go.sum b/core/go.sum
@@ -109,8 +109,8 @@ github.com/armosec/k8s-interface v0.0.66/go.mod h1:vwprS8qn/iowd5yf0JHpqDsLA5I8W
 github.com/armosec/k8s-interface v0.0.68 h1:6CtSakISiI47YHkxh+Va9FzZQIBkWa6g9sbiNxq1Zkk=
 github.com/armosec/k8s-interface v0.0.68/go.mod h1:PeWn41C2uenZi+xfZdyFF/zG5wXACA00htQyknDUWDE=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.125 h1:ZA7v3kvqITwazhFkvZuGP/bc/VChsYWQdrDcvyf2qsw=
-github.com/armosec/opa-utils v0.0.125/go.mod h1:gap+EaLG5rnyqvIRGxtdNDC9y7VvoGNm90zK8Ls7avQ=
+github.com/armosec/opa-utils v0.0.126 h1:AVqVWdYcdaqZ8jK92nmZhVy43vh//ITBBjLA4722Vl8=
+github.com/armosec/opa-utils v0.0.126/go.mod h1:gap+EaLG5rnyqvIRGxtdNDC9y7VvoGNm90zK8Ls7avQ=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
 github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
 github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=

diff --git a/core/pkg/opaprocessor/processorhandlerutils.go b/core/pkg/opaprocessor/processorhandlerutils.go
@@ -1,10 +1,9 @@
 package opaprocessor
 
 import (
-	"fmt"
-
 	"github.com/armosec/kubescape/core/cautils"
 	"github.com/armosec/kubescape/core/cautils/logger"
+	"github.com/armosec/kubescape/core/cautils/logger/helpers"
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
@@ -90,9 +89,9 @@ func getArmoObjects(k8sResources *cautils.ArmoResources, allResources map[string
 					groupResources := k8sinterface.ResourceGroupToString(groups, version, resource)
 					for _, groupResource := range groupResources {
 						if k8sObj, ok := (*k8sResources)[groupResource]; ok {
-							if k8sObj == nil {
-								logger.L().Debug(fmt.Sprintf("resource '%s' is nil, probably failed to pull the resource", groupResource))
-							}
+							// if k8sObj == nil {
+							// 	logger.L().Debug(fmt.Sprintf("resource '%s' is nil, probably failed to pull the resource", groupResource))
+							// }
 							for i := range k8sObj {
 								k8sObjects = append(k8sObjects, allResources[k8sObj[i]])
 							}
@@ -117,7 +116,7 @@ func getKubernetesObjects(k8sResources *cautils.K8SResources, allResources map[s
 					for _, groupResource := range groupResources {
 						if k8sObj, ok := (*k8sResources)[groupResource]; ok {
 							if k8sObj == nil {
-								logger.L().Debug(fmt.Sprintf("resource '%s' is nil, probably failed to pull the resource", groupResource))
+								logger.L().Debug("skipping", helpers.String("resource", groupResource))
 							}
 							for i := range k8sObj {
 								k8sObjects = append(k8sObjects, allResources[k8sObj[i]])

diff --git a/core/pkg/policyhandler/handlenotification.go b/core/pkg/policyhandler/handlenotification.go
@@ -3,7 +3,6 @@ package policyhandler
 import (
 	"fmt"
 
-	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/core/cautils"
 	"github.com/armosec/kubescape/core/pkg/resourcehandler"
 	"github.com/armosec/opa-utils/reporthandling"
@@ -24,7 +23,8 @@ func NewPolicyHandler(resourceHandler resourcehandler.IResourceHandler) *PolicyH
 }
 
 func (policyHandler *PolicyHandler) CollectResources(notification *reporthandling.PolicyNotification, scanInfo *cautils.ScanInfo) (*cautils.OPASessionObj, error) {
-	opaSessionObj := cautils.NewOPASessionObj(nil, nil)
+	opaSessionObj := cautils.NewOPASessionObj(nil, nil, scanInfo)
+
 	// validate notification
 	// TODO
 	policyHandler.getters = &scanInfo.Getters
@@ -49,8 +49,6 @@ func (policyHandler *PolicyHandler) CollectResources(notification *reporthandlin
 func (policyHandler *PolicyHandler) getResources(notification *reporthandling.PolicyNotification, opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) error {
 	opaSessionObj.Report.ClusterAPIServerInfo = policyHandler.resourceHandler.GetClusterAPIServerInfo()
 
-	scanInfoToScanMetadata(opaSessionObj, scanInfo)
-
 	resourcesMap, allResources, armoResources, err := policyHandler.resourceHandler.GetResources(opaSessionObj, &notification.Designators)
 	if err != nil {
 		return err
@@ -62,31 +60,3 @@ func (policyHandler *PolicyHandler) getResources(notification *reporthandling.Po
 
 	return nil
 }
-
-func scanInfoToScanMetadata(opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) {
-	opaSessionObj.Metadata.ClusterMetadata.ContextName = k8sinterface.GetClusterName()
-	opaSessionObj.Metadata.ScanMetadata.Format = scanInfo.Format
-	opaSessionObj.Metadata.ScanMetadata.Submit = scanInfo.Submit
-
-	// TODO - Add excluded and included namespaces
-	// if len(scanInfo.ExcludedNamespaces) > 1 {
-	// 	opaSessionObj.Metadata.ScanMetadata.ExcludedNamespaces = strings.Split(scanInfo.ExcludedNamespaces[1:], ",")
-	// }
-	// if len(scanInfo.IncludeNamespaces) > 1 {
-	// 	opaSessionObj.Metadata.ScanMetadata.IncludeNamespaces = strings.Split(scanInfo.IncludeNamespaces[1:], ",")
-	// }
-
-	// scan type
-	if len(scanInfo.PolicyIdentifier) > 0 {
-		opaSessionObj.Metadata.ScanMetadata.TargetType = string(scanInfo.PolicyIdentifier[0].Kind)
-	}
-	// append frameworks
-	for _, policy := range scanInfo.PolicyIdentifier {
-		opaSessionObj.Metadata.ScanMetadata.TargetNames = append(opaSessionObj.Metadata.ScanMetadata.TargetNames, policy.Name)
-	}
-	opaSessionObj.Metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
-	opaSessionObj.Metadata.ScanMetadata.FailThreshold = scanInfo.FailThreshold
-	opaSessionObj.Metadata.ScanMetadata.HostScanner = scanInfo.HostSensorEnabled.GetBool()
-	opaSessionObj.Metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
-	opaSessionObj.Metadata.ScanMetadata.ControlsInputs = scanInfo.ControlsInputs
-}
diff --git a/core/pkg/resourcehandler/filesloader.go b/core/pkg/resourcehandler/filesloader.go
@@ -64,6 +64,7 @@ func (fileHandler *FileResourceHandler) GetResources(sessionObj *cautils.OPASess
 	if len(workloads) == 0 {
 		return nil, allResources, nil, fmt.Errorf("empty list of workloads - no workloads found")
 	}
+	sessionObj.ResourceSource = workloadIDToSource
 
 	// map all resources: map["/group/version/kind"][]<k8s workloads>
 	mappedResources := mapResources(workloads)

diff --git a/core/pkg/resultshandling/reporter/interface.go b/core/pkg/resultshandling/reporter/interface.go
@@ -3,7 +3,7 @@ package reporter
 import "github.com/armosec/kubescape/core/cautils"
 
 type IReport interface {
-	ActionSendReport(opaSessionObj *cautils.OPASessionObj) error
+	Submit(opaSessionObj *cautils.OPASessionObj) error
 	SetCustomerGUID(customerGUID string)
 	SetClusterName(clusterName string)
 	DisplayReportURL()

diff --git a/core/pkg/resultshandling/reporter/v1/reporteventreceiver.go b/core/pkg/resultshandling/reporter/v1/reporteventreceiver.go
@@ -38,7 +38,7 @@ func NewReportEventReceiver(tenantConfig *cautils.ConfigObj) *ReportEventReceive
 	}
 }
 
-func (report *ReportEventReceiver) ActionSendReport(opaSessionObj *cautils.OPASessionObj) error {
+func (report *ReportEventReceiver) Submit(opaSessionObj *cautils.OPASessionObj) error {
 	if opaSessionObj.PostureReport == nil && opaSessionObj.Report != nil {
 		cautils.ReportV2ToV1(opaSessionObj)
 	}

diff --git a/core/pkg/resultshandling/reporter/v2/mockreporter.go b/core/pkg/resultshandling/reporter/v2/mockreporter.go
@@ -21,7 +21,7 @@ func NewReportMock(query, message string) *ReportMock {
 		message: message,
 	}
 }
-func (reportMock *ReportMock) ActionSendReport(opaSessionObj *cautils.OPASessionObj) error {
+func (reportMock *ReportMock) Submit(opaSessionObj *cautils.OPASessionObj) error {
 	return nil
 }