v1.0.X-core

(WIP) core/update (#169) + Core Binaries update + Enhanced Logging and Reporting + Log Standard Definition + Webhook Log & Event Type Parity + Bulk Mode
xfhg · Oct 2, 2024 · f0f5200 · f0f5200
2 parents 09b0505 + 481e11b
commit f0f5200
Show file tree

Hide file tree

Showing 31 changed files with 1,314 additions and 11,557 deletions.
diff --git a/Makefile b/Makefile
@@ -81,12 +81,14 @@ $(PLATFORMS):
 # Docker build commands for specific platforms
 define DOCKER_BUILD_PLATFORM
 docker-build-$(1):
-	$(MAKE) build-$(1)
 	$(eval GOOS := $(word 1, $(subst /, ,$(1))))
 	$(eval GOARCH := $(word 2, $(subst /, ,$(1))))
 	$(eval GOARM := $(word 3, $(subst /, ,$(1))))
 	$(eval BIN_SUFFIX := $(if $(GOARM),-v$(GOARM),))
 	$(eval OUTPUT_NAME := $(BINARY_NAME)-$(GOOS)-$(GOARCH)$(BIN_SUFFIX)$(if $(filter windows,$(GOOS)),.exe,))
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) $(if $(GOARM),GOARM=$(GOARM),) \
+		$(GOBUILD) $(BUILD_FLAGS) -tags container -o release/$(OUTPUT_NAME) .
+	$(MAKE) compress-binary BINARY_NAME=$(OUTPUT_NAME)
 	docker buildx build --platform $(GOOS)/$(GOARCH)$(if $(GOARM),/v$(GOARM),) \
 		--build-arg BINARY=release/$(OUTPUT_NAME) \
 		-t $(DOCKER_IMAGE):$(GOOS)-$(GOARCH)$(BIN_SUFFIX) \

diff --git a/cmd/api.go b/cmd/api.go
@@ -26,7 +26,7 @@ func ProcessAPIType(policy Policy, rgPath string) error {
 	// Apply authentication
 	if err := applyAuth(req, policy.API.Auth); err != nil {
 		log.Error().Err(err).Msg("error applying authentication")
-		return fmt.Errorf("error applying authentication: %w", err)
+		return handlePolicyError(policy, fmt.Errorf("error applying authentication: %w", err))
 	}
 
 	// Set request body if method is POST
@@ -38,7 +38,8 @@ func ProcessAPIType(policy Policy, rgPath string) error {
 	resp, err := req.Execute(policy.API.Method, policy.API.Endpoint)
 	if err != nil {
 		log.Error().Err(err).Msg("error making API request")
-		return fmt.Errorf("error making API request: %w", err)
+		return handlePolicyError(policy, fmt.Errorf("error making API request: %w", err))
+
 	}
 
 	// check for accepted policy.API.ResponseType and map to schema type is defined , or use regex
@@ -50,7 +51,7 @@ func ProcessAPIType(policy Policy, rgPath string) error {
 		return processWithRegex(policy, resp.Body(), rgPath)
 	}
 
-	return fmt.Errorf("no processing method specified for policy %s", policy.ID)
+	return handlePolicyError(policy, fmt.Errorf("no processing method specified for policy %s", policy.ID))
 }
 
 func applyAuth(req *resty.Request, auth map[string]string) error {
@@ -67,9 +68,12 @@ func applyAuth(req *resty.Request, auth map[string]string) error {
 	case "bearer":
 		token := os.Getenv(auth["token_env"])
 		req.SetHeader("Authorization", "Bearer "+token)
-	case "api_key":
+	case "header":
 		key := os.Getenv(auth["key_env"])
 		req.SetHeader(auth["header"], key)
+	case "authorization":
+		key := fmt.Sprintf("%s %s", auth["prefix"], os.Getenv(auth["key_env"]))
+		req.SetHeader("Authorization", key)
 	default:
 		return fmt.Errorf("unsupported authentication type: %s", authType)
 	}
@@ -168,6 +172,7 @@ func processWithRegex(policy Policy, data []byte, rgPath string) error {
 		sarifOutputFile = fmt.Sprintf("%s.sarif", NormalizeFilename(policy.ID))
 
 	}
+
 	log.Debug().Msgf("Policy %s processed. SARIF report written to: %s ", policy.ID, sarifOutputFile)
 
 	if matchesFound {
@@ -219,3 +224,27 @@ func executeAssureForAPI(policy Policy, rgPath, filePath string) (bool, error) {
 
 	return matchesFound, nil
 }
+
+func handlePolicyError(policy Policy, err error) error {
+	issues := []string{err.Error()}
+	sarifReport, sarifErr := GenerateAPISARIFReport(policy, policy.API.Endpoint, false, issues)
+	if sarifErr != nil {
+		log.Error().Err(sarifErr).Msg("error generating SARIF report for policy error")
+		return fmt.Errorf("error generating SARIF report for policy error: %w", sarifErr)
+	}
+
+	var sarifOutputFile string
+	if policy.RunID != "" {
+		sarifOutputFile = fmt.Sprintf("%s.sarif", policy.RunID)
+	} else {
+		sarifOutputFile = fmt.Sprintf("%s.sarif", NormalizeFilename(policy.ID))
+	}
+
+	if writeErr := writeSARIFReport(sarifOutputFile, sarifReport); writeErr != nil {
+		log.Error().Err(writeErr).Msg("error writing SARIF report for policy error")
+		return fmt.Errorf("error writing SARIF report for policy error: %w", writeErr)
+	}
+
+	log.Debug().Msgf("Policy %s failed. SARIF report written to: %s", policy.ID, sarifOutputFile)
+	return err
+}
diff --git a/cmd/audit.go b/cmd/audit.go
@@ -18,11 +18,11 @@ type Performance struct {
 }
 
 var (
-	targetDir        string
-	tagsAny          string
-	tagsAll          string
-	envDetection     bool
-	debugOutput      bool
+	targetDir    string
+	tagsAny      string
+	tagsAll      string
+	envDetection bool
+
 	rgPath           string
 	gossPath         string
 	policyFile       string
@@ -44,7 +44,7 @@ func init() {
 	runAuditPerfCmd.Flags().StringVar(&tagsAll, "tags-all", "", "Filter policies that match all of the provided tags (comma-separated)")
 	runAuditPerfCmd.Flags().StringVarP(&environment, "environment", "e", "", "Filter policies that match the specified environment")
 	runAuditPerfCmd.Flags().BoolVar(&envDetection, "env-detection", false, "Enable environment detection if no environment is specified")
-	runAuditPerfCmd.Flags().BoolVar(&debugOutput, "debug", false, "Enable debug verbose output")
+
 	runAuditPerfCmd.Flags().StringVarP(&policyFile, "policy", "p", "", "Policy <FILEPATH> or <URL>")
 	runAuditPerfCmd.Flags().StringVar(&policyFileSHA256, "checksum", "", "Policy SHA256 expected checksum")
 }

diff --git a/cmd/container_linux_amd64.go b/cmd/container_linux_amd64.go
@@ -0,0 +1,64 @@
+//go:build linux && amd64 && container
+// +build linux,amd64,container
+
+package cmd
+
+import (
+	"embed"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+//go:embed goss/goss-linux-amd64
+var embeddedFiles embed.FS
+
+func prepareEmbeddedExecutables() (string, string, error) {
+	tempDir, err := os.MkdirTemp("", "temp_exec")
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create temp dir: %w", err)
+	}
+
+	rgPath, err := findSystemRg()
+	if err != nil {
+		return "", "", err
+	}
+
+	gossPath, err := extractExecutable(tempDir, "goss/goss-linux-amd64")
+	if err != nil {
+		return "", "", err
+	}
+
+	return rgPath, gossPath, nil
+}
+
+func findSystemRg() (string, error) {
+	rgPath, err := exec.LookPath("rg")
+	if err != nil {
+		return "", fmt.Errorf("failed to find 'rg' in system PATH: %w", err)
+	}
+	return rgPath, nil
+}
+
+func extractExecutable(tempDir, executableName string) (string, error) {
+	executableFolder := filepath.Dir(executableName)
+	err := os.MkdirAll(filepath.Join(tempDir, executableFolder), 0755)
+	if err != nil {
+		return "", fmt.Errorf("failed to create folder structure: %w", err)
+	}
+
+	executablePath := filepath.Join(tempDir, executableName)
+
+	data, err := embeddedFiles.ReadFile(executableName)
+	if err != nil {
+		return "", fmt.Errorf("failed to read embedded file: %w", err)
+	}
+
+	err = os.WriteFile(executablePath, data, 0755)
+	if err != nil {
+		return "", fmt.Errorf("failed to write executable to temp path: %w", err)
+	}
+
+	return executablePath, nil
+}
diff --git a/cmd/container_linux_arm64.go b/cmd/container_linux_arm64.go
@@ -0,0 +1,64 @@
+//go:build linux && arm64 && container
+// +build linux,arm64,container
+
+package cmd
+
+import (
+	"embed"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+//go:embed goss/goss-linux-arm64
+var embeddedFiles embed.FS
+
+func prepareEmbeddedExecutables() (string, string, error) {
+	tempDir, err := os.MkdirTemp("", "temp_exec")
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create temp dir: %w", err)
+	}
+
+	rgPath, err := findSystemRg()
+	if err != nil {
+		return "", "", err
+	}
+
+	gossPath, err := extractExecutable(tempDir, "goss/goss-linux-arm64")
+	if err != nil {
+		return "", "", err
+	}
+
+	return rgPath, gossPath, nil
+}
+
+func findSystemRg() (string, error) {
+	rgPath, err := exec.LookPath("rg")
+	if err != nil {
+		return "", fmt.Errorf("failed to find 'rg' in system PATH: %w", err)
+	}
+	return rgPath, nil
+}
+
+func extractExecutable(tempDir, executableName string) (string, error) {
+	executableFolder := filepath.Dir(executableName)
+	err := os.MkdirAll(filepath.Join(tempDir, executableFolder), 0755)
+	if err != nil {
+		return "", fmt.Errorf("failed to create folder structure: %w", err)
+	}
+
+	executablePath := filepath.Join(tempDir, executableName)
+
+	data, err := embeddedFiles.ReadFile(executableName)
+	if err != nil {
+		return "", fmt.Errorf("failed to read embedded file: %w", err)
+	}
+
+	err = os.WriteFile(executablePath, data, 0755)
+	if err != nil {
+		return "", fmt.Errorf("failed to write executable to temp path: %w", err)
+	}
+
+	return executablePath, nil
+}
diff --git a/cmd/embed_linux_amd64.go b/cmd/embed_linux_amd64.go
@@ -1,5 +1,5 @@
-//go:build linux && amd64
-// +build linux,amd64
+//go:build linux && amd64 && !container
+// +build linux,amd64,!container
 
 package cmd
 

diff --git a/cmd/embed_linux_arm64.go b/cmd/embed_linux_arm64.go
@@ -1,5 +1,5 @@
-//go:build linux && arm64
-// +build linux,arm64
+//go:build linux && arm64 && !container
+// +build linux,arm64,!container
 
 package cmd
 

diff --git a/cmd/goss/0.4.7 → cmd/goss/0.4.9 b/cmd/goss/0.4.7 → cmd/goss/0.4.9
diff --git a/cmd/goss/goss-darwin-amd64 b/cmd/goss/goss-darwin-amd64
diff --git a/cmd/goss/goss-darwin-arm64 b/cmd/goss/goss-darwin-arm64
diff --git a/cmd/goss/goss-linux-amd64 b/cmd/goss/goss-linux-amd64
diff --git a/cmd/goss/goss-linux-arm b/cmd/goss/goss-linux-arm
diff --git a/cmd/goss/goss-linux-arm64 b/cmd/goss/goss-linux-arm64
diff --git a/cmd/goss/goss-windows-amd64.exe b/cmd/goss/goss-windows-amd64.exe