misconf: Add helm api-version and kube-version flag

aquasecurity · Mar 16, 2024 · 2fd3ba7 · 2fd3ba7
1 parent 71da44f
commit 2fd3ba7
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 0 deletions.
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
@@ -603,6 +603,8 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			HelmValueFiles:           opts.HelmValueFiles,
 			HelmFileValues:           opts.HelmFileValues,
 			HelmStringValues:         opts.HelmStringValues,
+			HelmAPIVersions:          opts.HelmAPIVersions,
+			HelmKubeVersion:          opts.HelmKubeVersion,
 			TerraformTFVars:          opts.TerraformTFVars,
 			CloudFormationParamVars:  opts.CloudFormationParamVars,
 			K8sVersion:               opts.K8sVersion,

diff --git a/...ependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.sum b/...ependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.sum
@@ -50,6 +50,7 @@ golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=

diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
@@ -45,6 +45,16 @@ var (
 		ConfigName: "misconfiguration.helm.set-string",
 		Usage:      "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
 	}
+	HelmAPIVersionsFlag = Flag[[]string]{
+		Name:       "helm-api-versions",
+		ConfigName: "misconfiguration.helm.api-versions",
+		Usage:      "specify Helm Kubernetes api-version used for Capabilities.APIVersions (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)",
+	}
+	HelmKubeVersionFlag = Flag[string]{
+		Name:       "helm-kube-version",
+		ConfigName: "misconfiguration.helm.kube-version",
+		Usage:      "specify Helm kubernetes version",
+	}
 	TfVarsFlag = Flag[[]string]{
 		Name:       "tf-vars",
 		ConfigName: "misconfiguration.terraform.vars",
@@ -86,6 +96,8 @@ type MisconfFlagGroup struct {
 	HelmValueFiles             *Flag[[]string]
 	HelmFileValues             *Flag[[]string]
 	HelmStringValues           *Flag[[]string]
+	HelmAPIVersions            *Flag[[]string]
+	HelmKubeVersion            *Flag[string]
 	TerraformTFVars            *Flag[[]string]
 	CloudformationParamVars    *Flag[[]string]
 	TerraformExcludeDownloaded *Flag[bool]
@@ -102,6 +114,8 @@ type MisconfOptions struct {
 	HelmValueFiles          []string
 	HelmFileValues          []string
 	HelmStringValues        []string
+	HelmAPIVersions         []string
+	HelmKubeVersion         string
 	TerraformTFVars         []string
 	CloudFormationParamVars []string
 	TfExcludeDownloaded     bool
@@ -118,6 +132,8 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
 		HelmFileValues:             HelmSetFileFlag.Clone(),
 		HelmStringValues:           HelmSetStringFlag.Clone(),
 		HelmValueFiles:             HelmValuesFileFlag.Clone(),
+		HelmAPIVersions:            HelmAPIVersionsFlag.Clone(),
+		HelmKubeVersion:            HelmKubeVersionFlag.Clone(),
 		TerraformTFVars:            TfVarsFlag.Clone(),
 		CloudformationParamVars:    CfParamsFlag.Clone(),
 		TerraformExcludeDownloaded: TerraformExcludeDownloaded.Clone(),
@@ -138,6 +154,8 @@ func (f *MisconfFlagGroup) Flags() []Flagger {
 		f.HelmValueFiles,
 		f.HelmFileValues,
 		f.HelmStringValues,
+		f.HelmAPIVersions,
+		f.HelmKubeVersion,
 		f.TerraformTFVars,
 		f.TerraformExcludeDownloaded,
 		f.CloudformationParamVars,
@@ -158,6 +176,8 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		HelmValueFiles:          f.HelmValueFiles.Value(),
 		HelmFileValues:          f.HelmFileValues.Value(),
 		HelmStringValues:        f.HelmStringValues.Value(),
+		HelmAPIVersions:         f.HelmAPIVersions.Value(),
+		HelmKubeVersion:         f.HelmKubeVersion.Value(),
 		TerraformTFVars:         f.TerraformTFVars.Value(),
 		CloudFormationParamVars: f.CloudformationParamVars.Value(),
 		TfExcludeDownloaded:     f.TerraformExcludeDownloaded.Value(),

diff --git a/pkg/iac/scanners/helm/options.go b/pkg/iac/scanners/helm/options.go
@@ -49,3 +49,11 @@ func ScannerWithAPIVersions(values ...string) options.ScannerOption {
 		}
 	}
 }
+
+func ScannerWithKubeVersion(values string) options.ScannerOption {
+	return func(s options.ConfigurableScanner) {
+		if helmScanner, ok := s.(ConfigurableHelmScanner); ok {
+			helmScanner.AddParserOptions(parser.OptionWithKubeVersion(values))
+		}
+	}
+}
diff --git a/pkg/iac/scanners/helm/parser/option.go b/pkg/iac/scanners/helm/parser/option.go
@@ -9,6 +9,7 @@ type ConfigurableHelmParser interface {
 	SetFileValues(...string)
 	SetStringValues(...string)
 	SetAPIVersions(...string)
+	SetKubeVersion(string)
 }
 
 func OptionWithValuesFile(paths ...string) options.ParserOption {
@@ -50,3 +51,11 @@ func OptionWithAPIVersions(values ...string) options.ParserOption {
 		}
 	}
 }
+
+func OptionWithKubeVersion(value string) options.ParserOption {
+	return func(p options.ConfigurableParser) {
+		if helmParser, ok := p.(ConfigurableHelmParser); ok {
+			helmParser.SetKubeVersion(value)
+		}
+	}
+}
diff --git a/pkg/iac/scanners/helm/parser/parser.go b/pkg/iac/scanners/helm/parser/parser.go
@@ -18,6 +18,7 @@ import (
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/releaseutil"
 
@@ -41,6 +42,7 @@ type Parser struct {
 	fileValues   []string
 	stringValues []string
 	apiVersions  []string
+	kubeVersion  *chartutil.KubeVersion
 }
 
 type ChartFile struct {
@@ -76,6 +78,10 @@ func (p *Parser) SetAPIVersions(values ...string) {
 	p.apiVersions = values
 }
 
+func (p *Parser) SetKubeVersion(value string) {
+	p.kubeVersion, _ = chartutil.ParseKubeVersion(value)
+}
+
 func New(path string, opts ...options.ParserOption) *Parser {
 
 	client := action.NewInstall(&action.Configuration{})
@@ -96,6 +102,10 @@ func New(path string, opts ...options.ParserOption) *Parser {
 		p.helmClient.APIVersions = p.apiVersions
 	}
 
+	if p.kubeVersion != nil {
+		p.helmClient.KubeVersion = p.kubeVersion
+	}
+
 	return p
 }
 

diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
@@ -59,6 +59,8 @@ type ScannerOption struct {
 	HelmValueFiles          []string
 	HelmFileValues          []string
 	HelmStringValues        []string
+	HelmAPIVersions         []string
+	HelmKubeVersion         string
 	TerraformTFVars         []string
 	CloudFormationParamVars []string
 	TfExcludeDownloaded     bool
@@ -332,6 +334,14 @@ func addHelmOpts(opts []options.ScannerOption, scannerOption ScannerOption) []op
 		opts = append(opts, helm2.ScannerWithStringValues(scannerOption.HelmStringValues...))
 	}
 
+	if len(scannerOption.HelmAPIVersions) > 0 {
+		opts = append(opts, helm2.ScannerWithAPIVersions(scannerOption.HelmAPIVersions...))
+	}
+
+	if scannerOption.HelmKubeVersion != "" {
+		opts = append(opts, helm2.ScannerWithKubeVersion(scannerOption.HelmKubeVersion))
+	}
+
 	return opts
 }