Skip to content

Commit

Permalink
Vulnerability leeway rule data violation
Browse files Browse the repository at this point in the history
  • Loading branch information
zregvart committed Oct 16, 2024
1 parent 81f1c2c commit 7c0a915
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 0 deletions.
24 changes: 24 additions & 0 deletions policy/release/cve/cve.rego
Original file line number Diff line number Diff line change
Expand Up @@ -408,3 +408,27 @@ _rule_data_errors contains msg if {
)[1]
msg := sprintf("Rule data %s has unexpected format: %s", [key, violation.error])
}

_rule_data_errors contains msg if {
value := lib.rule_data("cve_leeway")
leeway_days := {
"type": "integer",
"minimum": 0,
}
some violation in json.match_schema(
value,
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"properties": {
"critical": leeway_days,
"high": leeway_days,
"medium": leeway_days,
"low": leeway_days,
"unknown": leeway_days,
},
"additionalProperties": false,
},
)[1]
msg := sprintf("Rule data cve_leeway has unexpected format: %s", [violation.error])
}
40 changes: 40 additions & 0 deletions policy/release/cve/cve_test.rego
Original file line number Diff line number Diff line change
Expand Up @@ -788,6 +788,46 @@ test_warning_leeway_with_full_report if {
with lib_time.effective_current_time_ns as time.parse_rfc3339_ns("2022-04-05T00:00:00Z")
}

test_leeway_rule_data_check if {
d := {"cve_leeway": {
# wrong key
"blooper": 1,
# wrong type
"critical": "one",
# negative number
"high": -10,
# all good
"medium": 10,
}}

expected := {
{
"code": "cve.rule_data_provided",
"msg": "Rule data cve_leeway has unexpected format: (Root): Additional property blooper is not allowed",
},
{
"code": "cve.rule_data_provided",
"msg": "Rule data cve_leeway has unexpected format: critical: Invalid type. Expected: integer, given: string",
},
{
"code": "cve.rule_data_provided",
"msg": "Rule data cve_leeway has unexpected format: high: Must be greater than or equal to 0",
},
}

attestations := [lib_test.att_mock_helper_ref(
cve._result_name,
{
"vulnerabilities": _dummy_counts_zero_high,
"unpatched_vulnerabilities": _dummy_counts_zero_high,
},
"clair-scan",
_bundle,
)]
lib.assert_equal_results(cve.deny, expected) with input.attestations as attestations
with data.rule_data as d
}

_fingerprints(a, b) := [v | some n in numbers.range(a, b); v := sprintf("%d", [n])]

_vulns(fingerprits, template) := {v |
Expand Down

0 comments on commit 7c0a915

Please sign in to comment.