fix(query): Extend net_raw_capabilities_not_being_dropped k8s rule to cover further resource kinds #4884
Conversation
… cover further resource kinds
|
Scan submitted to Checkmarx |
There was a problem hiding this comment.
Hi, @Churro!
First of all, sorry for the delay in reviewing some of your PRs. And thank you so much for your contributions to KICS!
Your approach (check whether securityContext.capabilities.drop is defined into one rule) is very impressive! 🚀
However, due to how the KICS searchKey is defined, the searchKey points wrongly with your approach. For example, take a look at the positive1.yaml.
In the master, there is a result in line 13. In this PR, the result points to line 18. That happens because KICS interprets "." in the searchKey as a "breaking line" and it will search for the key(s) in the file.
In this case, although there is no securityContext defined in the container named as payment2 (line 13) the searchKey is pointing to line 18 because the searchKey tells KICS to search for securityContext.capabilities.
As a solution for that, we built the function get_nested_values_info that receives two inputs: object and array_vals. This function verifies if the array_vals are nested in the object. It will return an object with two fields: valid (returns if the array_vals are nested in the object (array_vals should be sorted) and searchKey returns the searchKey possible.
For example:
object := {"elem1": {"elem2": "elem3"}}
array_vals := ["elem2", "elem3", "elem4"]
return_value := {"valid": false, "searchKey": "elem2.elem3"}
Can you apply the function get_nested_values_info, please? 😊 You can find more examples of the application here. (Please merge the branch with the master)
P.S. The other PRs with the same approach should also apply the function get_nested_values_info
assets/queries/k8s/net_raw_capabilities_not_being_dropped/query.rego
Outdated
Show resolved
Hide resolved
…y.rego Co-authored-by: Rafaela Soares <[email protected]>
…y.rego Co-authored-by: Rafaela Soares <[email protected]>
|
Hi @rafaela-soares, I have now applied your suggestions and merged with master. From an engineering perspective, however, I'd like to question the introduction of the My suggestion would be to refine the
I would expect the What do you think about it? I may be wrong but is it probably related to the fact that matching is based mainly on the Levensthein distance (helper.go), so as long as there is a longer "approximate" match in the search hierarchy, it is picked?
The effect becomes visible if we take the sample snippet of your screenshot and profile it with my original query (eval time: 0,371931ms) and the one you suggested with $ opa eval -d query_me.rego -d ../../../libraries/common.rego -d ../../../libraries/k8s.rego -i sample.json \
--profile --format=pretty 'data.Cx'
+----------+----------+----------+---------------+
| TIME | NUM EVAL | NUM REDO | LOCATION |
+----------+----------+----------+---------------+
| 36.658µs | 20 | 20 | query.rego:43 |
| 33.66µs | 20 | 20 | query.rego:40 |
| 32.229µs | 20 | 20 | query.rego:42 |
| 27.17µs | 1 | 1 | query.rego:28 |
| 21.29µs | 1 | 1 | data.Cx |
| 20.599µs | 8 | 0 | query.rego:36 |
| 15.84µs | 8 | 8 | query.rego:34 |
| 12.19µs | 4 | 4 | query.rego:38 |
| 11.94µs | 8 | 8 | query.rego:35 |
| 11.32µs | 3 | 6 | query.rego:13 |
+----------+----------+----------+---------------+$ opa eval -d query_nested.rego -d ../../../libraries/common.rego -d ../../../libraries/k8s.rego -i sample.json \
--profile --format=pretty 'data.Cx'
+-----------+----------+----------+------------------------------------+
| TIME | NUM EVAL | NUM REDO | LOCATION |
+-----------+----------+----------+------------------------------------+
| 442.537µs | 264 | 203 | ../../../libraries/common.rego:730 |
| 129.307µs | 78 | 132 | ../../../libraries/common.rego:729 |
| 109.327µs | 20 | 20 | query_nested.rego:42 |
| 64.598µs | 28 | 28 | query_nested.rego:39 |
| 34.43µs | 20 | 20 | query_nested.rego:41 |
| 32.68µs | 17 | 18 | ../../../libraries/common.rego:29 |
| 29.488µs | 8 | 8 | query_nested.rego:34 |
| 22.989µs | 1 | 1 | data.Cx |
| 22.569µs | 4 | 4 | ../../../libraries/common.rego:737 |
| 20.97µs | 7 | 6 | ../../../libraries/common.rego:714 |
+-----------+----------+----------+------------------------------------+This may be seem negligible with this tiny sample snippet but with large manifests and when run in combination with all other queries, it will make a difference. // Update: Ok, to be honest, not really 😄 - execution time for this rule raised from 230µs to 18ms for a manifest of 100kb. That's not noticeable in practice but is also not "nothing"... |
|
Hi, @Churro thank you for the observation, you are correct. We want to add your pull requests to the next version that is releasing this Wednesday, as they are a major help in improving our Kubernetes queries, so please feel free to choose whether you want to keep the function "get_nested_values_info" or try to make use of the searchLine. Again, thank you for the help in improving our Kubernetes queries |
|
Cx-SAST SummaryTotal of 5 vulnerabilities Violation SummaryNo policy violation found |
|
Hi @joaoReigota1, thank you for the hint on Please let me know in case something is still missing to get this ready for v1.5.4. |
…lities would be the best option
Proposed Changes
securityContext.capabilities.dropis defined into one rulesecurityContextorsecurityContext.capabilitiesare undefined, it is now immediately highlighted thatsecurityContext.capabilities.dropis missingI submit this contribution under the Apache-2.0 license.