fix: CLOUD-1530 remove support for old controls format

changes/unreleased/Removed-20230530-141448.yaml

@@ -0,0 +1,3 @@
+kind: Removed
+body: support for old controls format
+time: 2023-05-30T14:14:48.842054-04:00

pkg/policy/base.go

@@ -43,6 +43,7 @@ const resourcesRuleName = "resources"
 const resourceTypeRuleName = "resource_type"
 const inputTypeRuleName = "input_type"
 const multipleResourceType = "MULTIPLE"
+const defaultKind = "vulnerability"
 
 // SupportedInputTypes contains all of the input types that this package officially
 // supports.
@@ -139,53 +140,19 @@ var remediationKeys = map[string]string{
 }
 
 type Metadata struct {
-	ID           string                         `json:"id"`
-	Title        string                         `json:"title"`
-	Description  string                         `json:"description"`
-	Platform     []string                       `json:"platform"`
-	Remediation  map[string]string              `json:"remediation"`
-	References   map[string][]MetadataReference `json:"references"`
-	Category     string                         `json:"category"`
-	Labels       []string                       `json:"labels,omitempty"`
-	ServiceGroup string                         `json:"service_group"`
-	Controls     []string                       `json:"controls"`
-	Severity     string                         `json:"severity"`
-	Product      []string                       `json:"product"`
-	Kind         string                         `json:"kind"`
-}
-
-// Auxiliary parsing type.
-type metadataCompat struct {
-	ID           string                         `rego:"id"`
-	Title        string                         `rego:"title"`
-	Description  string                         `rego:"description"`
-	Platform     []string                       `rego:"platform"`
-	Remediation  map[string]string              `rego:"remediation"`
-	References   map[string][]MetadataReference `rego:"references"`
-	Category     string                         `rego:"category"`
-	Labels       []string                       `rego:"labels"`
-	ServiceGroup string                         `rego:"service_group"`
-	Controls     interface{}                    `rego:"controls"`
-	Severity     string                         `rego:"severity"`
-	Product      []string                       `rego:"product"`
-	Kind         string                         `rego:"kind"`
-}
-
-func (compat metadataCompat) ToMetadata() (meta Metadata, err error) {
-	meta.ID = compat.ID
-	meta.Title = compat.Title
-	meta.Description = compat.Description
-	meta.Platform = compat.Platform
-	meta.Remediation = compat.Remediation
-	meta.References = compat.References
-	meta.Category = compat.Category
-	meta.Labels = compat.Labels
-	meta.ServiceGroup = compat.ServiceGroup
-	meta.Controls, err = models.ParseControls(compat.Controls)
-	meta.Severity = compat.Severity
-	meta.Product = compat.Product
-	meta.Kind = compat.Kind
-	return
+	ID           string                         `json:"id" rego:"id"`
+	Title        string                         `json:"title" rego:"title"`
+	Description  string                         `json:"description" rego:"description"`
+	Platform     []string                       `json:"platform" rego:"platform"`
+	Remediation  map[string]string              `json:"remediation" rego:"remediation"`
+	References   map[string][]MetadataReference `json:"references" rego:"references"`
+	Category     string                         `json:"category" rego:"category"`
+	Labels       []string                       `json:"labels,omitempty" rego:"labels"`
+	ServiceGroup string                         `json:"service_group" rego:"service_group"`
+	Controls     []string                       `json:"controls" rego:"controls"`
+	Severity     string                         `json:"severity" rego:"severity"`
+	Product      []string                       `json:"product" rego:"product"`
+	Kind         string                         `json:"kind" rego:"kind"`
 }
 
 func (m Metadata) RemediationFor(inputType string) string {
@@ -348,26 +315,17 @@ func (p *BasePolicy) Metadata(
 		return *p.cachedMetadata, nil
 	}
 	m := Metadata{}
-	if p.metadataRule.name == "" {
-		p.cachedMetadata = &m
-		return m, nil
-	}
 	switch p.metadataRule.name {
 	case "metadata":
 		if err := state.Query(
 			ctx,
 			rego.Query{Query: p.metadataRule.query()},
 			func(val ast.Value) error {
-				compat := metadataCompat{}
-				err := rego.Bind(val, &compat)
+				err := rego.Bind(val, &m)
 				if err != nil {
 					return err
 				}
-				if compat.Kind == "" {
-					compat.Kind = "vulnerability"
-				}
-				m, err = compat.ToMetadata()
-				return err
+				return nil
 			},
 		); err != nil {
 			return m, err
@@ -397,10 +355,13 @@ func (p *BasePolicy) Metadata(
 		); err != nil {
 			return m, err
 		}
-
+	case "": // noop when no metadata rule is defined
 	default:
 		return m, fmt.Errorf("Unrecognized metadata rule: %s", p.metadataRule.name)
 	}
+	if m.Kind == "" {
+		m.Kind = defaultKind
+	}
 	p.cachedMetadata = &m
 	return m, nil
 }

test/examples.json

@@ -684,6 +684,7 @@
           "package": "data.rules.snyk_001.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -829,6 +830,7 @@
           "package": "data.rules.snyk_002.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -908,6 +910,7 @@
           "package": "data.rules.snyk_003.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -1073,6 +1076,7 @@
           "package": "data.rules.snyk_004.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -1312,6 +1316,7 @@
           "package": "data.rules.snyk_005.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -1555,6 +1560,7 @@
           "package": "data.rules.snyk_005b.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -1798,6 +1804,7 @@
           "package": "data.rules.snyk_006.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -1869,11 +1876,6 @@
           "rule_bundle": {
             "source": "data"
           },
-          "description": "This is rule 7, it uses an old control format",
-          "controls": [
-            "Simpsons_v1.0.0_Homer",
-            "Simpsons_v1.0.0_Marge"
-          ],
           "resource_types": [
             "aws_cloudtrail"
           ],
@@ -1915,6 +1917,7 @@
           "package": "data.rules.snyk_008.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },
@@ -2051,6 +2054,7 @@
           "package": "data.rules.snyk_009.tf"
         },
         {
+          "kind": "vulnerability",
           "rule_bundle": {
             "source": "data"
           },