feat(knative): add knative security query and k8's pod queries intero…

…perability (Checkmarx#5692)

* stage

* stage

* stage

* stage

* stage

* Add Knative Query and K8s Pod refac

* add exception for k8s sample validator

* fix package lock

* update kind pod check

* update policy

* change

.github/scripts/metrics/get_metrics.py

@@ -13,7 +13,7 @@
     'openapi': os.path.join(queries_basepath, 'openAPI', '**', '*'),
     'crossplane': os.path.join(queries_basepath, 'crossplane', '*'),
     'k8s': os.path.join(queries_basepath, 'k8s', '*'),
-    #'knative': os.path.join(queries_basepath, 'knative', '*'),
+    'knative': os.path.join(queries_basepath, 'knative', '*'),
     'common': os.path.join(queries_basepath, 'common', '*'),
     'dockerfile': os.path.join(queries_basepath, 'dockerfile', '*'),
     'terraform': os.path.join(queries_basepath, 'terraform', '**', '*'),

.github/workflows/validate-k8s-samples.yml

@@ -28,6 +28,6 @@ jobs:
         run: |
           python3 -u .github/scripts/samples-linters/validate-syntax.py \
             "assets/queries/k8s/**/test/*.yaml" \
-            --extra ' --skip-kinds CustomResourceDefinition,KubeletConfiguration,Policy,EncryptionConfiguration,KubeSchedulerConfiguration,SecretProviderClass' \
+            --extra ' --skip-kinds CustomResourceDefinition,KubeletConfiguration,Policy,EncryptionConfiguration,KubeSchedulerConfiguration,SecretProviderClass,Service,Configuration,ContainerSource,Revision' \
             --linter .bin/kubeval \
             --skip '.github/scripts/samples-linters/ignore-list/k8s' -v

assets/libraries/k8s.rego

@@ -24,14 +24,14 @@ hasFlag(container, flag) {
 	common_lib.inArray(container.args, flag)
 }
 
-startWithFlag(container, flag){
+startWithFlag(container, flag) {
 	startsWithArray(container.command, flag)
 } else {
 	startsWithArray(container.args, flag)
 }
 
 startsWithArray(arr, item) {
-    startswith(arr[_], item)
+	startswith(arr[_], item)
 }
 
 hasFlagWithValue(container, flag, value) {
@@ -51,27 +51,27 @@ hasValue(values, value) {
 	splittedValues[_] == value
 }
 
-startAndEndWithFlag(container, flag, ext){
-	startWithAndEndWithArray(container.command, flag,ext)
+startAndEndWithFlag(container, flag, ext) {
+	startWithAndEndWithArray(container.command, flag, ext)
 } else {
 	startWithAndEndWithArray(container.args, flag, ext)
 }
 
 startWithAndEndWithArray(arr, item, ext) {
-    startswith(arr[_], item)
-    endswith(arr[_], ext)
+	startswith(arr[_], item)
+	endswith(arr[_], ext)
 }
 
 hasFlagEqualOrGreaterThanValue(container, flag, value) {
 	command := container.command
 	startswith(command[a], flag)
 	flag_value := split(command[a], "=")[1]
-	to_number(flag_value)>= value
+	to_number(flag_value) >= value
 } else {
 	args := container.args
 	startswith(args[a], flag)
 	flag_value := split(args[a], "=")[1]
-	to_number(flag_value)>= value
+	to_number(flag_value) >= value
 }
 
 hasFlagBetweenValues(container, flag, higher, lower) {
@@ -90,3 +90,13 @@ betweenValues(value, higher, lower) {
 	to_number(value) > higher
 	to_number(value) < lower
 }
+
+# Valid K8s/Knative Kinds that support podSpec or PodSpecTemplate
+# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podspec-v1-core
+valid_pod_spec_kind_list = [
+	"Pod",
+	"Configuration",
+	"Service",
+	"Revision",
+	"ContainerSource",
+]

assets/libraries/knative.rego

@@ -0,0 +1,3 @@
+package generic.knative
+
+import data.generic.common as common_lib

assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive3.yaml

@@ -0,0 +1,57 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: dummy
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: []
+      restartPolicy: OnFailure
+---
+apiVersion: serving.knative.dev/v1
+kind: Configuration
+metadata:
+  name: dummy-config
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: []
+      restartPolicy: OnFailure
+---
+apiVersion: serving.knative.dev/v1
+kind: Revision
+metadata:
+  name: dummy-rev
+  namespace: knative-sequence
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: []
+  restartPolicy: OnFailure
+---
+apiVersion: sources.knative.dev/v1
+kind: ContainerSource
+metadata:
+  name: dummy-cs
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: []
+      restartPolicy: OnFailure

assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json

@@ -10,5 +10,29 @@
 		"severity": "LOW",
 		"line": 11,
         "fileName": "positive2.yaml"
+	},
+	{
+		"queryName": "Audit Log Maxage Not Properly Set",
+		"severity": "LOW",
+		"line": 12,
+        "fileName": "positive3.yaml"
+	},
+	{
+		"queryName": "Audit Log Maxage Not Properly Set",
+		"severity": "LOW",
+		"line": 27,
+        "fileName": "positive3.yaml"
+	},
+	{
+		"queryName": "Audit Log Maxage Not Properly Set",
+		"severity": "LOW",
+		"line": 40,
+        "fileName": "positive3.yaml"
+	},
+	{
+		"queryName": "Audit Log Maxage Not Properly Set",
+		"severity": "LOW",
+		"line": 55,
+        "fileName": "positive3.yaml"
 	}
 ]

assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive3.yaml

@@ -0,0 +1,57 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: dummy
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+      - name: command-demo-container
+        image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+        command: ["kube-apiserver"]
+        args: ["--audit-log-maxbackup=5"]
+    restartPolicy: OnFailure
+---
+apiVersion: serving.knative.dev/v1
+kind: Configuration
+metadata:
+  name: dummy-config
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: ["--audit-log-maxbackup=5"]
+      restartPolicy: OnFailure
+---
+apiVersion: serving.knative.dev/v1
+kind: Revision
+metadata:
+  name: dummy-rev
+  namespace: knative-sequence
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--audit-log-maxbackup=5"]
+  restartPolicy: OnFailure
+---
+apiVersion: sources.knative.dev/v1
+kind: ContainerSource
+metadata:
+  name: dummy-cs
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: ["--audit-log-maxbackup=5"]
+      restartPolicy: OnFailure

assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json

@@ -1,14 +1,38 @@
 [
-	{
-		"queryName": "Audit Log Maxbackup Not Properly Set",
-		"severity": "LOW",
-		"line": 11,
-        "fileName": "positive1.yaml"
-	},
-	{
-		"queryName": "Audit Log Maxbackup Not Properly Set",
-		"severity": "LOW",
-		"line": 11,
-        "fileName": "positive2.yaml"
-	}
+  {
+    "queryName": "Audit Log Maxbackup Not Properly Set",
+    "severity": "LOW",
+    "line": 11,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxbackup Not Properly Set",
+    "severity": "LOW",
+    "line": 11,
+    "fileName": "positive2.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxbackup Not Properly Set",
+    "severity": "LOW",
+    "line": 12,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxbackup Not Properly Set",
+    "severity": "LOW",
+    "line": 27,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxbackup Not Properly Set",
+    "severity": "LOW",
+    "line": 40,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxbackup Not Properly Set",
+    "severity": "LOW",
+    "line": 55,
+    "fileName": "positive3.yaml"
+  }
 ]

assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive3.yaml

@@ -0,0 +1,57 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: dummy
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+      - name: command-demo-container
+        image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+        command: ["kube-apiserver"]
+        args: ["--audit-log-maxsize=50"]
+    restartPolicy: OnFailure
+---
+apiVersion: serving.knative.dev/v1
+kind: Configuration
+metadata:
+  name: dummy-config
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: ["--audit-log-maxsize=50"]
+      restartPolicy: OnFailure
+---
+apiVersion: serving.knative.dev/v1
+kind: Revision
+metadata:
+  name: dummy-rev
+  namespace: knative-sequence
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--audit-log-maxsize=50"]
+  restartPolicy: OnFailure
+---
+apiVersion: sources.knative.dev/v1
+kind: ContainerSource
+metadata:
+  name: dummy-cs
+  namespace: knative-sequence
+spec:
+  template:
+    spec:
+      containers:
+        - name: command-demo-container
+          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+          command: ["kube-apiserver"]
+          args: ["--audit-log-maxsize=50"]
+      restartPolicy: OnFailure

assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json

@@ -1,14 +1,38 @@
 [
-	{
-		"queryName": "Audit Log Maxsize Not Properly Set",
-		"severity": "LOW",
-		"line": 11,
-        "fileName": "positive1.yaml"
-	},
-	{
-		"queryName": "Audit Log Maxsize Not Properly Set",
-		"severity": "LOW",
-		"line": 11,
-        "fileName": "positive2.yaml"
-	}
+  {
+    "queryName": "Audit Log Maxsize Not Properly Set",
+    "severity": "LOW",
+    "line": 11,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxsize Not Properly Set",
+    "severity": "LOW",
+    "line": 11,
+    "fileName": "positive2.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxsize Not Properly Set",
+    "severity": "LOW",
+    "line": 12,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxsize Not Properly Set",
+    "severity": "LOW",
+    "line": 27,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxsize Not Properly Set",
+    "severity": "LOW",
+    "line": 40,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "Audit Log Maxsize Not Properly Set",
+    "severity": "LOW",
+    "line": 55,
+    "fileName": "positive3.yaml"
+  }
 ]