[Bug] [CLI] PSS report does not show properties with control details (#9785)

* add properties in pss report Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove tests Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix lint Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore: move chainsaw config at the root of the repo (#9768) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump svenstaro/upload-release-action from 2.7.0 to 2.9.0 (#9767) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.7.0 to 2.9.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](1beeb572c1...04733e069f) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fill properties field in test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unwanted folders Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remote gitpod file Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: remove unnecessary podSecurity chainsaw test (#9791) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: remove unnecessary validation check for podSecurity rule (#9790) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update versions (#9783) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore: add tests for exceptions in the CLI (#9781) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/sdk/metric (#9799) Bumps [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc (#9797) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump codecov/codecov-action from 4.0.1 to 4.0.2 (#9794) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](e0b68c6749...0cfda1dd0a) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/prometheus (#9796) Bumps [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) from 0.45.2 to 0.46.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.45.2...example/prometheus/v0.46.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace (#9795) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * changes Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#9798) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump codecov/codecov-action from 4.0.2 to 4.1.0 (#9811) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.2 to 4.1.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](0cfda1dd0a...54bcd8715e) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#9809) Bumps [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.48.0 to 0.49.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.48.0...zpages/v0.49.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 (#9810) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.19.0 to 0.20.0. - [Commits](https://github.com/golang/crypto/compare/v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix lint Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix(globalcontext): old WaitGroup not stopping (#9813) * fix(globalcontext): old waitgroup not stopping Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * chore(globalcontext): add AGE Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * feat(globalcontext): add lastRefreshTime Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix(globalcontext): unhandled intormer run exception Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * chore(globalcontext): comment wording Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * chore(globalcontext): codegen Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix(globalcontext): linter Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> --------- Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add empty declaration of properties Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add changes Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: add podSecurity validation checks for exceptions (#9817) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#9825) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#9821) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#9823) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump kyverno/action-install-chainsaw from 0.1.6 to 0.1.7 (#9832) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.1.6 to 0.1.7. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](204730d723...3bf0752f44) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#9831) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](84384bd6e7...062f259268) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#9830) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * [Bug] [CLI] Restore warn-exit-code functionality for apply command (#9828) * Restore warn-exite-code functionality for apply command Signed-off-by: Matt Veitas <mveitas@gmail.com> * Nove error handling Signed-off-by: Matt Veitas <mveitas@gmail.com> * Uncomment println statement Signed-off-by: Matt Veitas <mveitas@gmail.com> * Fixing linting Signed-off-by: Matt Veitas <mveitas@gmail.com> * Adding conformance tets for cli apply command with warn-exit-code Signed-off-by: Matt Veitas <mveitas@gmail.com> * Update path to kubectl-kyverno binary Signed-off-by: Matt Veitas <mveitas@gmail.com> * Add prepare-cli as needed dependency Signed-off-by: Matt Veitas <mveitas@gmail.com> * feat: install kubectl-kyverno in standard conformance tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: update chainsaw config Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: move CLI chainsaw tests to a separate action Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: CLI path Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: name Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add chainsaw flag '--no-cluster' Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: CLI name Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: Matt Veitas <mveitas@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#9822) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove comment and shift line 91 Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * added rseperate function for adding properties in result Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for pss report Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove comments Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: remove duplicate chainsaw tests for PSA (#9835) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify policy Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify policy in test_dta Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * docs: Add new adopter to ADOPTERS.md (#9841) Signed-off-by: Younsung Lee <cysl@kakao.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: use gcr crane opts while fetching image descriptors (#9838) Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: add missing unit tests for podSecurity.hostpathVolume check (#9845) * fix: add missing unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: update pinned lib Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: uncomment code Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: release CRDs manifests (#9849) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#9842) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix name access for policy types Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify pkg report Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify name Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add bindings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Revert "add bindings" This reverts commit c616c11d9bb4dd0554104025fcfb9cf9e25dc02d. Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert add bindings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update chainsaw Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Revert "update name" This reverts commit 84de45b4ce1c5f94d8cbd0a66e893c7907f4a600. Signed-off-by: Jim Bugwadia <jim@nirmata.com> * simplify results Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Matt Veitas <mveitas@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> Signed-off-by: Younsung Lee <cysl@kakao.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: Matt Veitas <mveitas@gmail.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Younsung Lee <cysl@kakao.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-03-08 03:24:00 +05:30 · 2024-03-08 03:24:00 +05:30 · 26df05d8c1
commit 26df05d8c1
parent 2656e62c4d
5 changed files with 156 additions and 112 deletions
--- a/.chainsaw.yaml
+++ b/.chainsaw.yaml
@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Configuration
 metadata:
-  name: congiguration
+  name: configuration
 spec:
  timeouts:
    assert: 90s
--- a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml
+++ b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml
@ -0,0 +1,23 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+    policies.kyverno.io/category: Pod Security Standards (Restricted)
+    policies.kyverno.io/severity: medium
+  name: psa
+spec:
+  background: true
+  rules:
+  - name: restricted
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: restricted
+        version: latest
+  validationFailureAction: Audit
--- a/cmd/cli/kubectl-kyverno/report/report.go
+++ b/cmd/cli/kubectl-kyverno/report/report.go
@ -1,9 +1,7 @@
 package report

 import (
-	"github.com/kyverno/kyverno/api/kyverno"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
-	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	reportutils "github.com/kyverno/kyverno/pkg/utils/report"
 	corev1 "k8s.io/api/core/v1"
@ -13,47 +11,26 @@ import (

 func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) policyreportv1alpha2.PolicyReportResult {
 	policy := engineResponse.Policy()
+	policyType := policy.GetType()
 	policyName := cache.MetaObjectToName(policy.MetaObject()).String()
+	resource := engineResponse.Resource
+	resorceRef := &corev1.ObjectReference{
+		Kind:            resource.GetKind(),
+		Name:            resource.GetName(),
+		Namespace:       resource.GetNamespace(),
+		UID:             resource.GetUID(),
+		APIVersion:      resource.GetAPIVersion(),
+		ResourceVersion: resource.GetResourceVersion(),
+	}
+
+	result := reportutils.ToPolicyReportResult(policyType, policyName, ruleResponse, policy.GetAnnotations(), resorceRef)
+	if result.Result == policyreportv1alpha2.StatusFail {
 		audit := engineResponse.GetValidationFailureAction().Audit()
-	scored := annotations.Scored(policy.GetAnnotations())
-	category := annotations.Category(policy.GetAnnotations())
-	severity := annotations.Severity(policy.GetAnnotations())
-	result := policyreportv1alpha2.PolicyReportResult{
-		Policy: policyName,
-		Resources: []corev1.ObjectReference{
-			{
-				Kind:       engineResponse.Resource.GetKind(),
-				Namespace:  engineResponse.Resource.GetNamespace(),
-				APIVersion: engineResponse.Resource.GetAPIVersion(),
-				Name:       engineResponse.Resource.GetName(),
-				UID:        engineResponse.Resource.GetUID(),
-			},
-		},
-		Scored:   scored,
-		Category: category,
-		Severity: severity,
-	}
-	if ruleResponse.Status() == engineapi.RuleStatusSkip {
-		result.Result = policyreportv1alpha2.StatusSkip
-	} else if ruleResponse.Status() == engineapi.RuleStatusError {
-		result.Result = policyreportv1alpha2.StatusError
-	} else if ruleResponse.Status() == engineapi.RuleStatusPass {
-		result.Result = policyreportv1alpha2.StatusPass
-	} else if ruleResponse.Status() == engineapi.RuleStatusFail {
-		if !scored || (audit && auditWarn) {
+		if audit && auditWarn {
 			result.Result = policyreportv1alpha2.StatusWarn
-		} else {
-			result.Result = policyreportv1alpha2.StatusFail
 		}
-	} else {
-		result.Result = policyreportv1alpha2.StatusError
 	}
-	if policy.GetType() == engineapi.KyvernoPolicyType {
-		result.Rule = ruleResponse.Name()
-	}
-	result.Message = ruleResponse.Message()
-	result.Source = kyverno.ValueKyvernoApp
-	result.Timestamp = metav1.Timestamp{Seconds: ruleResponse.Stats().Timestamp()}
+
 	return result
 }

--- a/cmd/cli/kubectl-kyverno/report/report_test.go
+++ b/cmd/cli/kubectl-kyverno/report/report_test.go
@ -5,7 +5,6 @@ import (
 	"testing"

 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
-	report "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"gotest.tools/assert"
@ -120,7 +119,7 @@ func TestMergeClusterReport(t *testing.T) {
 	clustered := []policyreportv1alpha2.ClusterPolicyReport{{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ClusterPolicyReport",
-			APIVersion: report.SchemeGroupVersion.String(),
+			APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "cpolr-4",
@ -128,13 +127,13 @@ func TestMergeClusterReport(t *testing.T) {
 		Results: []policyreportv1alpha2.PolicyReportResult{
 			{
 				Policy: "cpolr-4",
-				Result: report.StatusFail,
+				Result: policyreportv1alpha2.StatusFail,
 			},
 		},
 	}, {
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ClusterPolicyReport",
-			APIVersion: report.SchemeGroupVersion.String(),
+			APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "cpolr-5",
@ -142,19 +141,19 @@ func TestMergeClusterReport(t *testing.T) {
 		Results: []policyreportv1alpha2.PolicyReportResult{
 			{
 				Policy: "cpolr-5",
-				Result: report.StatusFail,
+				Result: policyreportv1alpha2.StatusFail,
 			},
 		},
 	}}
 	expectedResults := []policyreportv1alpha2.PolicyReportResult{{
 		Policy: "cpolr-4",
-		Result: report.StatusFail,
+		Result: policyreportv1alpha2.StatusFail,
 	}, {
 		Policy: "cpolr-5",
-		Result: report.StatusFail,
+		Result: policyreportv1alpha2.StatusFail,
 	}}
 	cpolr := MergeClusterReports(clustered)
-	assert.Equal(t, cpolr.APIVersion, report.SchemeGroupVersion.String())
+	assert.Equal(t, cpolr.APIVersion, policyreportv1alpha2.SchemeGroupVersion.String())
 	assert.Equal(t, cpolr.Kind, "ClusterPolicyReport")
 	assert.DeepEqual(t, cpolr.Results, expectedResults)
 	assert.Equal(t, cpolr.Summary.Pass, 0)
@ -261,7 +260,7 @@ func TestComputePolicyReportResult(t *testing.T) {
 			Source:    "kyverno",
 			Policy:    "pod-requirements",
 			Rule:      "xxx",
-			Result:    policyreportv1alpha2.StatusError,
+			Result:    policyreportv1alpha2.StatusWarn,
 			Resources: []corev1.ObjectReference{{}},
 			Message:   "test",
 			Scored:    true,
@ -280,6 +279,46 @@ func TestComputePolicyReportResult(t *testing.T) {
 	}
 }

+func TestPSSComputePolicyReportResult(t *testing.T) {
+	policies, _, _, err := policy.Load(nil, "", "../_testdata/policies/restricted.yaml")
+	assert.NilError(t, err)
+	assert.Equal(t, len(policies), 1)
+	policy := policies[0]
+	tests := []struct {
+		name           string
+		auditWarn      bool
+		engineResponse engineapi.EngineResponse
+		ruleResponse   engineapi.RuleResponse
+		want           policyreportv1alpha2.PolicyReportResult
+	}{{
+		name:           "fail",
+		auditWarn:      false,
+		engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
+		ruleResponse:   *engineapi.RuleFail("xxx", engineapi.Mutation, "test"),
+		want: policyreportv1alpha2.PolicyReportResult{
+			Source:     "kyverno",
+			Policy:     "psa",
+			Rule:       "xxx",
+			Result:     policyreportv1alpha2.StatusFail,
+			Resources:  []corev1.ObjectReference{{}},
+			Message:    "test",
+			Scored:     true,
+			Category:   "Pod Security Standards (Restricted)",
+			Severity:   policyreportv1alpha2.SeverityMedium,
+			Properties: nil,
+		},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse)
+			got.Timestamp = metav1.Timestamp{}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("ComputePolicyReportResult() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestComputePolicyReportResultsPerPolicy(t *testing.T) {
 	tests := []struct {
 		name            string
--- a/pkg/utils/report/results.go
+++ b/pkg/utils/report/results.go
@ -12,6 +12,7 @@ import (
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/cache"
 )
@ -86,16 +87,18 @@ func SeverityFromString(severity string) policyreportv1alpha2.PolicySeverity {
 	return ""
 }

-func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
-	pol := response.Policy()
-	var results []policyreportv1alpha2.PolicyReportResult
-	if pol.GetType() == engineapi.KyvernoPolicyType {
-		key, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
-		for _, ruleResult := range response.PolicyResponse.Rules {
-			annotations := pol.GetAnnotations()
+func addProperty(k, v string, result *policyreportv1alpha2.PolicyReportResult) {
+	if result.Properties == nil {
+		result.Properties = map[string]string{}
+	}
+
+	result.Properties[k] = v
+}
+
+func ToPolicyReportResult(policyType engineapi.PolicyType, policyName string, ruleResult engineapi.RuleResponse, annotations map[string]string, resource *corev1.ObjectReference) policyreportv1alpha2.PolicyReportResult {
 	result := policyreportv1alpha2.PolicyReportResult{
 		Source:  kyverno.ValueKyvernoApp,
-				Policy:  key,
+		Policy:  policyName,
 		Rule:    ruleResult.Name(),
 		Message: ruleResult.Message(),
 		Result:  toPolicyResult(ruleResult.Status()),
@ -106,13 +109,19 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
 		Category: annotations[kyverno.AnnotationPolicyCategory],
 		Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
 	}
-			if ruleResult.Exception() != nil {
-				result.Properties = map[string]string{
-					"exception": ruleResult.Exception().Name,
+	if result.Result == "fail" && !result.Scored {
+		result.Result = "warn"
 	}
+	if resource != nil {
+		result.Resources = []corev1.ObjectReference{
+			*resource,
+		}
+	}
+	if ruleResult.Exception() != nil {
+		addProperty("exception", ruleResult.Exception().Name, &result)
 	}
 	pss := ruleResult.PodSecurityChecks()
-			if pss != nil {
+	if pss != nil && len(pss.Checks) > 0 {
 		var controls []string
 		for _, check := range pss.Checks {
 			if !check.CheckResult.Allowed {
@ -121,37 +130,33 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
 		}
 		if len(controls) > 0 {
 			sort.Strings(controls)
-					result.Properties = map[string]string{
-						"standard": string(pss.Level),
-						"version":  pss.Version,
-						"controls": strings.Join(controls, ","),
+			addProperty("standard", string(pss.Level), &result)
+			addProperty("version", pss.Version, &result)
+			addProperty("controls", strings.Join(controls, ","), &result)
 		}
 	}
-			}
-			if result.Result == "fail" && !result.Scored {
-				result.Result = "warn"
-			}
-			results = append(results, result)
-		}
-	} else {
-		for _, ruleResult := range response.PolicyResponse.Rules {
-			result := policyreportv1alpha2.PolicyReportResult{
-				Source:  "ValidatingAdmissionPolicy",
-				Policy:  ruleResult.Name(),
-				Message: ruleResult.Message(),
-				Result:  toPolicyResult(ruleResult.Status()),
-				Timestamp: metav1.Timestamp{
-					Seconds: time.Now().Unix(),
-				},
-			}
+	if policyType == engineapi.ValidatingAdmissionPolicyType {
+		result.Source = "ValidatingAdmissionPolicy"
+		result.Policy = ruleResult.Name()
 		if ruleResult.ValidatingAdmissionPolicyBinding() != nil {
-				result.Properties = map[string]string{
-					"binding": ruleResult.ValidatingAdmissionPolicyBinding().Name,
+			addProperty("binding", ruleResult.ValidatingAdmissionPolicyBinding().Name, &result)
 		}
 	}
+	return result
+}
+
+func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
+	pol := response.Policy()
+	policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
+	policyType := pol.GetType()
+	annotations := pol.GetAnnotations()
+
+	var results []policyreportv1alpha2.PolicyReportResult
+	for _, ruleResult := range response.PolicyResponse.Rules {
+		result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil)
 		results = append(results, result)
 	}
-	}
+
 	return results
 }