feat(misconf): add helm-api-version and helm-kube-version flag (aquas…

…ecurity#6332)

Co-authored-by: Simar <[email protected]>

docs/docs/references/configuration/cli/trivy_aws.md

@@ -76,6 +76,8 @@ trivy aws [flags]
       --endpoint string                   AWS Endpoint override
       --exit-code int                     specify exit code when any security issues are found
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_config.md

@@ -20,6 +20,8 @@ trivy config [flags] DIR
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -35,6 +35,8 @@ trivy filesystem [flags] PATH
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_image.md

@@ -51,6 +51,8 @@ trivy image [flags] IMAGE_NAME
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -46,6 +46,8 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,cyclonedx) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_repository.md

@@ -35,6 +35,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -38,6 +38,8 @@ trivy rootfs [flags] ROOTDIR
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_vm.md

@@ -35,6 +35,8 @@ trivy vm [flags] VM_IMAGE
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/config-file.md

@@ -279,35 +279,39 @@ misconfiguration:
     - terraform
 
   # helm value override configurations
-  # set individual values
   helm:
+    # set individual values
     set:
       - securityContext.runAsUser=10001
 
-  # set values with file
-  helm:
+    # set values with file
     values:
       - overrides.yaml
 
-  # set specific values from specific files
-  helm:
+    # set specific values from specific files
     set-file:
       - image=dev-overrides.yaml
 
-  # set as string and preserve type
-  helm:
+    # set as string and preserve type
     set-string:
       - name=true
 
+    # Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command.
+    api-versions:
+      - policy/v1/PodDisruptionBudget
+      - apps/v1/Deployment
+
+    # Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
+    kube-version: "v1.21.0"
+
   # terraform tfvars overrrides
   terraform:
     vars:
       - dev-terraform.tfvars
       - common-terraform.tfvars
 
-  # Same as '--tf-exclude-downloaded-modules'
-  # Default is false
-  terraform:
+    # Same as '--tf-exclude-downloaded-modules'
+    # Default is false
     exclude-downloaded-modules: false
 ```
 

pkg/commands/artifact/run.go

@@ -603,6 +603,8 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			HelmValueFiles:           opts.HelmValueFiles,
 			HelmFileValues:           opts.HelmFileValues,
 			HelmStringValues:         opts.HelmStringValues,
+			HelmAPIVersions:          opts.HelmAPIVersions,
+			HelmKubeVersion:          opts.HelmKubeVersion,
 			TerraformTFVars:          opts.TerraformTFVars,
 			CloudFormationParamVars:  opts.CloudFormationParamVars,
 			K8sVersion:               opts.K8sVersion,

pkg/flag/misconf_flags.go

@@ -45,6 +45,16 @@ var (
 		ConfigName: "misconfiguration.helm.set-string",
 		Usage:      "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
 	}
+	HelmAPIVersionsFlag = Flag[[]string]{
+		Name:       "helm-api-versions",
+		ConfigName: "misconfiguration.helm.api-versions",
+		Usage:      "Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)",
+	}
+	HelmKubeVersionFlag = Flag[string]{
+		Name:       "helm-kube-version",
+		ConfigName: "misconfiguration.helm.kube-version",
+		Usage:      "Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.",
+	}
 	TfVarsFlag = Flag[[]string]{
 		Name:       "tf-vars",
 		ConfigName: "misconfiguration.terraform.vars",
@@ -86,6 +96,8 @@ type MisconfFlagGroup struct {
 	HelmValueFiles             *Flag[[]string]
 	HelmFileValues             *Flag[[]string]
 	HelmStringValues           *Flag[[]string]
+	HelmAPIVersions            *Flag[[]string]
+	HelmKubeVersion            *Flag[string]
 	TerraformTFVars            *Flag[[]string]
 	CloudformationParamVars    *Flag[[]string]
 	TerraformExcludeDownloaded *Flag[bool]
@@ -102,6 +114,8 @@ type MisconfOptions struct {
 	HelmValueFiles          []string
 	HelmFileValues          []string
 	HelmStringValues        []string
+	HelmAPIVersions         []string
+	HelmKubeVersion         string
 	TerraformTFVars         []string
 	CloudFormationParamVars []string
 	TfExcludeDownloaded     bool
@@ -118,6 +132,8 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
 		HelmFileValues:             HelmSetFileFlag.Clone(),
 		HelmStringValues:           HelmSetStringFlag.Clone(),
 		HelmValueFiles:             HelmValuesFileFlag.Clone(),
+		HelmAPIVersions:            HelmAPIVersionsFlag.Clone(),
+		HelmKubeVersion:            HelmKubeVersionFlag.Clone(),
 		TerraformTFVars:            TfVarsFlag.Clone(),
 		CloudformationParamVars:    CfParamsFlag.Clone(),
 		TerraformExcludeDownloaded: TerraformExcludeDownloaded.Clone(),
@@ -138,6 +154,8 @@ func (f *MisconfFlagGroup) Flags() []Flagger {
 		f.HelmValueFiles,
 		f.HelmFileValues,
 		f.HelmStringValues,
+		f.HelmAPIVersions,
+		f.HelmKubeVersion,
 		f.TerraformTFVars,
 		f.TerraformExcludeDownloaded,
 		f.CloudformationParamVars,
@@ -158,6 +176,8 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		HelmValueFiles:          f.HelmValueFiles.Value(),
 		HelmFileValues:          f.HelmFileValues.Value(),
 		HelmStringValues:        f.HelmStringValues.Value(),
+		HelmAPIVersions:         f.HelmAPIVersions.Value(),
+		HelmKubeVersion:         f.HelmKubeVersion.Value(),
 		TerraformTFVars:         f.TerraformTFVars.Value(),
 		CloudFormationParamVars: f.CloudformationParamVars.Value(),
 		TfExcludeDownloaded:     f.TerraformExcludeDownloaded.Value(),

pkg/iac/scanners/helm/options.go

@@ -49,3 +49,11 @@ func ScannerWithAPIVersions(values ...string) options.ScannerOption {
 		}
 	}
 }
+
+func ScannerWithKubeVersion(values string) options.ScannerOption {
+	return func(s options.ConfigurableScanner) {
+		if helmScanner, ok := s.(ConfigurableHelmScanner); ok {
+			helmScanner.AddParserOptions(parser.OptionWithKubeVersion(values))
+		}
+	}
+}

pkg/iac/scanners/helm/parser/option.go

@@ -9,6 +9,7 @@ type ConfigurableHelmParser interface {
 	SetFileValues(...string)
 	SetStringValues(...string)
 	SetAPIVersions(...string)
+	SetKubeVersion(string)
 }
 
 func OptionWithValuesFile(paths ...string) options.ParserOption {
@@ -50,3 +51,11 @@ func OptionWithAPIVersions(values ...string) options.ParserOption {
 		}
 	}
 }
+
+func OptionWithKubeVersion(value string) options.ParserOption {
+	return func(p options.ConfigurableParser) {
+		if helmParser, ok := p.(ConfigurableHelmParser); ok {
+			helmParser.SetKubeVersion(value)
+		}
+	}
+}

pkg/iac/scanners/helm/parser/parser.go

@@ -17,6 +17,7 @@ import (
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/releaseutil"
 
@@ -40,6 +41,7 @@ type Parser struct {
 	fileValues   []string
 	stringValues []string
 	apiVersions  []string
+	kubeVersion  string
 }
 
 type ChartFile struct {
@@ -75,7 +77,11 @@ func (p *Parser) SetAPIVersions(values ...string) {
 	p.apiVersions = values
 }
 
-func New(path string, opts ...options.ParserOption) *Parser {
+func (p *Parser) SetKubeVersion(value string) {
+	p.kubeVersion = value
+}
+
+func New(path string, opts ...options.ParserOption) (*Parser, error) {
 
 	client := action.NewInstall(&action.Configuration{})
 	client.DryRun = true     // don't do anything
@@ -95,7 +101,16 @@ func New(path string, opts ...options.ParserOption) *Parser {
 		p.helmClient.APIVersions = p.apiVersions
 	}
 
-	return p
+	if p.kubeVersion != "" {
+		kubeVersion, err := chartutil.ParseKubeVersion(p.kubeVersion)
+		if err != nil {
+			return nil, err
+		}
+
+		p.helmClient.KubeVersion = kubeVersion
+	}
+
+	return p, nil
 }
 
 func (p *Parser) ParseFS(ctx context.Context, target fs.FS, path string) error {

pkg/iac/scanners/helm/parser/parser_test.go

@@ -12,7 +12,8 @@ import (
 
 func TestParseFS(t *testing.T) {
 	t.Run("source chart is located next to an same archived chart", func(t *testing.T) {
-		p := New(".")
+		p, err := New(".")
+		require.NoError(t, err)
 		require.NoError(t, p.ParseFS(context.TODO(), os.DirFS(filepath.Join("testdata", "chart-and-archived-chart")), "."))
 
 		expectedFiles := []string{

pkg/iac/scanners/helm/scanner.go

@@ -170,7 +170,10 @@ func (s *Scanner) ScanFS(ctx context.Context, target fs.FS, path string) (scan.R
 }
 
 func (s *Scanner) getScanResults(path string, ctx context.Context, target fs.FS) (results []scan.Result, err error) {
-	helmParser := parser.New(path, s.parserOptions...)
+	helmParser, err := parser.New(path, s.parserOptions...)
+	if err != nil {
+		return nil, err
+	}
 
 	if err := helmParser.ParseFS(ctx, target, path); err != nil {
 		return nil, err