update(query): application of function 'get_nested_values_info' to k8…

…s queries (Checkmarx#4960)
Dipesh-Reen · Mar 10, 2022 · 819ab21 · 819ab21
1 parent 4219c70
commit 819ab21
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 16 deletions.
diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
@@ -736,3 +736,10 @@ get_nested_values_info(object, array_vals) = return_value {
 		"searchKey": get_search_key(arr)
 	}
 }
+
+remove_last_point(searchKey) = sk {
+  endswith(searchKey, ".")
+  sk = substring(searchKey, 0, count(searchKey) -1)
+} else = sk {
+   sk := searchKey
+}
diff --git a/assets/queries/k8s/containers_run_with_low_uid/query.rego b/assets/queries/k8s/containers_run_with_low_uid/query.rego
@@ -21,8 +21,9 @@ checkUser(specInfo, container, containerType, document, metadata) = result {
 
 # pod defines runAsUser and container inherits this setting
 checkUser(specInfo, container, containerType, document, metadata) = result {
-	containerCtx := object.get(container, "securityContext", {})
-	not common_lib.valid_key(containerCtx, "runAsUser")
+
+	nested_info := common_lib.get_nested_values_info(container, ["securityContext", "runAsUser"])
+	nested_info.valid == false
 
 	uid := specInfo.spec.securityContext.runAsUser
 	to_number(uid) < 10000
@@ -38,15 +39,15 @@ checkUser(specInfo, container, containerType, document, metadata) = result {
 
 # neither pod nor container define runAsUser
 checkUser(specInfo, container, containerType, document, metadata) = result {
-	specCtx := object.get(specInfo.spec, "securityContext", {})
-	not common_lib.valid_key(specCtx, "runAsUser")
+	nested_info := common_lib.get_nested_values_info(specInfo.spec, ["securityContext", "runAsUser"])
+	nested_info.valid == false
 
-	containerCtx := object.get(container, "securityContext", {})
-	not common_lib.valid_key(containerCtx, "runAsUser")
+	nested_info2 := common_lib.get_nested_values_info(container, ["securityContext", "runAsUser"])
+	nested_info2.valid == false
 
 	result := {
 		"documentId": document.id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext", [metadata.name, specInfo.path, containerType, container.name]),
+		"searchKey": common_lib.remove_last_point(sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.%s", [metadata.name, specInfo.path, containerType, container.name, nested_info2.searchKey])),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.runAsUser should be defined", [metadata.name, specInfo.path, containerType, container.name]),
 		"keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.runAsUser is undefined", [metadata.name, specInfo.path, containerType, container.name]),

diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/query.rego b/assets/queries/k8s/seccomp_profile_is_not_configured/query.rego
@@ -21,8 +21,8 @@ checkSeccompProfile(specInfo, container, containerType, document, metadata) = re
 
 # pod defines seccompProfile.type and container inherits this setting
 checkSeccompProfile(specInfo, container, containerType, document, metadata) = result {
-	containerCtx := object.get(container.securityContext, "seccompProfile", {})
-	not common_lib.valid_key(containerCtx, "type")
+	nested_info := common_lib.get_nested_values_info(container.securityContext, ["seccompProfile", "type"])
+	nested_info.valid == false
 
 	profile := specInfo.spec.securityContext.seccompProfile.type
 	not any([profile == "RuntimeDefault", profile == "Localhost"])
@@ -38,17 +38,15 @@ checkSeccompProfile(specInfo, container, containerType, document, metadata) = re
 
 # neither pod nor container define seccompProfile.type
 checkSeccompProfile(specInfo, container, containerType, document, metadata) = result {
-	specCtx := object.get(specInfo.spec, "securityContext", {})
-	specSeccompCtx := object.get(specCtx, "seccompProfile", {})
-	not common_lib.valid_key(specSeccompCtx, "type")
+	nested_info := common_lib.get_nested_values_info(specInfo.spec, ["securityContext", "seccompProfile", "type"])
+	nested_info.valid == false
 
-	common_lib.valid_key(container, "securityContext")
-	containerSeccompCtx := object.get(container.securityContext, "seccompProfile", {})
-	not common_lib.valid_key(containerSeccompCtx, "type")
+	nested_info2 := common_lib.get_nested_values_info(container.securityContext, ["seccompProfile", "type"])
+	nested_info2.valid == false
 
 	result := {
 		"documentId": document.id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext", [metadata.name, specInfo.path, containerType, container.name]),
+		"searchKey": common_lib.remove_last_point(sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.%s", [metadata.name, specInfo.path, containerType, container.name, nested_info2.searchKey])),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.seccompProfile.type should be defined", [metadata.name, specInfo.path, containerType, container.name]),
 		"keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.seccompProfile.type is undefined", [metadata.name, specInfo.path, containerType, container.name]),