trim unique list, update k8sinterface version

kubescape · Oct 18, 2021 · e0767a8 · e0767a8
1 parent 1bb08c0
commit e0767a8
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 23 deletions.
diff --git a/exceptions/exceptionprocessor.go b/exceptions/exceptionprocessor.go
@@ -4,6 +4,7 @@ import (
 	"regexp"
 
 	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/opa-utils/reporthandling"
 
 	"github.com/armosec/armoapi-go/armotypes"
@@ -87,7 +88,7 @@ func alertObjectToWorkloads(obj *reporthandling.AlertObject) []k8sinterface.IWor
 	resource := []k8sinterface.IWorkload{}
 
 	for i := range obj.K8SApiObjects {
-		r := k8sinterface.NewWorkloadObj(obj.K8SApiObjects[i])
+		r := workloadinterface.NewWorkloadObj(obj.K8SApiObjects[i])
 		if r == nil {
 			continue
 		}

diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	github.com/armosec/armoapi-go v0.0.7
-	github.com/armosec/k8s-interface v0.0.2
+	github.com/armosec/k8s-interface v0.0.5
 	github.com/francoispqt/gojay v1.2.13
 	github.com/open-policy-agent/opa v0.33.1
 	github.com/stretchr/testify v1.7.0
@@ -24,7 +24,6 @@ require (
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/armosec/utils-go v0.0.3 // indirect
 	github.com/armosec/utils-k8s-go v0.0.1 // indirect
-	github.com/aws/aws-sdk-go v1.41.1 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/docker v20.10.9+incompatible // indirect
@@ -42,7 +41,6 @@ require (
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.11 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
@@ -57,9 +55,6 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.19.1 // indirect
 	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
 	golang.org/x/net v0.0.0-20210825183410-e898025ed96a // indirect
 	golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 // indirect

diff --git a/go.sum b/go.sum
@@ -84,18 +84,16 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armosec/armoapi-go v0.0.2/go.mod h1:vIK17yoKbJRQyZXWWLe3AqfqCRITxW8qmSkApyq5xFs=
 github.com/armosec/armoapi-go v0.0.7 h1:SN13+iYrIkxgatU+MwuWnSlhxP1G7rZP7dC8us2I7v0=
 github.com/armosec/armoapi-go v0.0.7/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
-github.com/armosec/k8s-interface v0.0.2 h1:Xw7HbQLNO9DN4NlD486VgXPwVpMFFxxwTlrVkcpsn5M=
-github.com/armosec/k8s-interface v0.0.2/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
+github.com/armosec/k8s-interface v0.0.5 h1:DWQXZNMSsYQeLQ6xpB21ueFMR9oFnz28iWQTNn31TAk=
+github.com/armosec/k8s-interface v0.0.5/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
 github.com/armosec/utils-go v0.0.2/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-go v0.0.3 h1:uyQI676yRciQM0sSN9uPoqHkbspTxHO0kmzXhBeE/xU=
 github.com/armosec/utils-go v0.0.3/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-k8s-go v0.0.1 h1:Ay3y7fW+4+FjVc0+obOWm8YsnEvM31vPAVoKTyTAFRk=
 github.com/armosec/utils-k8s-go v0.0.1/go.mod h1:qrU4pmY2iZsOb39Eltpm0sTTNM3E4pmeyWx4dgDUC2U=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-sdk-go v1.41.1 h1:TR9j7i73tzV8ELPMc0LkImSRLljRJ+gQeArKBC7IfVE=
 github.com/aws/aws-sdk-go v1.41.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -353,9 +351,7 @@ github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
@@ -623,7 +619,6 @@ go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/goleak v1.1.11-0.20210813005559-691160354723 h1:sHOAIxRGBp443oHZIPB+HsUGaksVCXVQENPxwTfQdH4=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=

diff --git a/reporthandling/datastructuresmethods_test.go b/reporthandling/datastructuresmethods_test.go
@@ -31,7 +31,7 @@ func TestControlsResults(t *testing.T) {
 
 	SetUniqueResourcesCounter(framework)
 	assert.Equal(t, 24, framework.GetNumberOfFailedResources(), "framework.GetNumberOfFailedResources")
-	assert.Equal(t, 37, framework.GetNumberOfWarningResources(), "framework.GetNumberOfWarningResources")
+	assert.Equal(t, 31, framework.GetNumberOfWarningResources(), "framework.GetNumberOfWarningResources")
 
 	for _, control := range framework.ControlReports {
 		switch control.ControlID {

diff --git a/reporthandling/resultshandling.go b/reporthandling/resultshandling.go
@@ -4,7 +4,8 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
+
 	"github.com/open-policy-agent/opa/rego"
 )
 
@@ -29,8 +30,9 @@ func SetUniqueResourcesCounter(frameworkReport *FrameworkReport) {
 
 			// Get
 			uniqueAll := GetUniqueResources(frameworkReport.ControlReports[c].RuleReports[r].GetAllResources())
-			uniqueWarning := GetUniqueResources(frameworkReport.ControlReports[c].RuleReports[r].GetWarnignResources())
 			uniqueFailed := GetUniqueResources(frameworkReport.ControlReports[c].RuleReports[r].GetFailedResources())
+			uniqueWarning := GetUniqueResources(frameworkReport.ControlReports[c].RuleReports[r].GetWarnignResources())
+			uniqueWarning = TrimUniqueResources(uniqueWarning, uniqueFailed)
 
 			// Set
 			frameworkReport.ControlReports[c].RuleReports[r].SetNumberOfResources(len(uniqueAll))
@@ -43,8 +45,9 @@ func SetUniqueResourcesCounter(frameworkReport *FrameworkReport) {
 			uniqueFailedControls = append(uniqueFailedControls, uniqueFailed...)
 		}
 		uniqueAllControls = GetUniqueResources(uniqueAllControls)
-		uniqueWarningControls = GetUniqueResources(uniqueWarningControls)
 		uniqueFailedControls = GetUniqueResources(uniqueFailedControls)
+		uniqueWarningControls = GetUniqueResources(uniqueWarningControls)
+		uniqueWarningControls = TrimUniqueResources(uniqueWarningControls, uniqueFailedControls)
 
 		// Set
 		frameworkReport.ControlReports[c].SetNumberOfResources(len(uniqueAllControls))
@@ -61,20 +64,22 @@ func SetUniqueResourcesCounter(frameworkReport *FrameworkReport) {
 	uniqueAllFramework = GetUniqueResources(uniqueAllFramework)
 	uniqueWarningFramework = GetUniqueResources(uniqueWarningFramework)
 	uniqueFailedFramework = GetUniqueResources(uniqueFailedFramework)
+	uniqueWarningFramework = TrimUniqueResources(uniqueWarningFramework, uniqueFailedFramework)
 
 	// Set
 	frameworkReport.SetNumberOfResources(len(uniqueAllFramework))
 	frameworkReport.SetNumberOfWarningResources(len(uniqueWarningFramework))
 	frameworkReport.SetNumberOfFailedResources(len(uniqueFailedFramework))
 }
 
+// GetUniqueResources the list of resources can contain duplications, this function removes the resource duplication based on workloadinterface.GetID
 func GetUniqueResources(k8sResources []map[string]interface{}) []map[string]interface{} {
 	uniqueRuleResponses := map[string]bool{}
 
 	lenK8sResources := len(k8sResources)
 	for i := 0; i < lenK8sResources; i++ {
-		workload := k8sinterface.NewWorkloadObj(k8sResources[i])
-		resourceID := fmt.Sprintf("%s/%s/%s/%s", workload.GetApiVersion(), workload.GetNamespace(), workload.GetKind(), workload.GetName())
+		workload := workloadinterface.NewWorkloadObj(k8sResources[i])
+		resourceID := workload.GetID()
 		if found := uniqueRuleResponses[resourceID]; found {
 			// resource found -> remove from slice
 			k8sResources = removeFromSlice(k8sResources, i)
@@ -87,6 +92,32 @@ func GetUniqueResources(k8sResources []map[string]interface{}) []map[string]inte
 	return k8sResources
 }
 
+// TrimUniqueResources trim the list, this wil trim in case the same resource appears in the warning list and in the failed list
+func TrimUniqueResources(origin, trimFrom []map[string]interface{}) []map[string]interface{} {
+	if len(origin) == 0 || len(trimFrom) == 0 { // if there is nothing to trim
+		return origin
+	}
+	uniqueResources := map[string]bool{}
+
+	for i := range trimFrom {
+		workload := workloadinterface.NewWorkloadObj(trimFrom[i])
+		workload.GetVersion()
+		uniqueResources[workload.GetID()] = true
+	}
+
+	lenOrigin := len(origin)
+	for i := 0; i < lenOrigin; i++ {
+		workload := workloadinterface.NewWorkloadObj(origin[i])
+		if found := uniqueResources[workload.GetID()]; found {
+			// resource found -> remove from slice
+			origin = removeFromSlice(origin, i)
+			lenOrigin -= 1
+			i -= 1
+		}
+	}
+	return origin
+}
+
 func removeFromSlice(k8sResources []map[string]interface{}, i int) []map[string]interface{} {
 	if i != len(k8sResources)-1 {
 		k8sResources[i] = k8sResources[len(k8sResources)-1]

diff --git a/score/score.go b/score/score.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/armosec/k8s-interface/workloadinterface"
 	appsv1 "k8s.io/api/apps/v1"
 
 	// corev1 "k8s.io/api/core/v1"
@@ -63,7 +64,7 @@ func (su *ScoreUtil) resourceRules(resources []map[string]interface{}) float32 {
 
 	for _, v := range resources {
 		var score float32 = 0
-		wl := k8sinterface.NewWorkloadObj(v)
+		wl := workloadinterface.NewWorkloadObj(v)
 		kind := ""
 		if wl != nil {
 			kind = strings.ToLower(wl.GetKind())

diff --git a/score/score_mocks.go b/score/score_mocks.go
@@ -5,7 +5,8 @@ import (
 	"os"
 	"strings"
 
-	k8sinterface "github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
+
 	"github.com/armosec/opa-utils/reporthandling"
 )
 
@@ -30,7 +31,7 @@ func getResouceByType(desiredType string) map[string]interface{} {
 		return nil
 	}
 	for _, v := range rsrcs {
-		wl := k8sinterface.NewWorkloadObj(v)
+		wl := workloadinterface.NewWorkloadObj(v)
 		if wl != nil {
 			if strings.ToLower(wl.GetKind()) == desiredType {
 				return v