fix: k8s summary separate infra and user finding results

Signed-off-by: chenk <[email protected]>
chen-keinan · Feb 13, 2024 · 198bda3 · 198bda3
1 parent c107e1a
commit 198bda3
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 53 deletions.
diff --git a/pkg/k8s/report/report.go b/pkg/k8s/report/report.go
@@ -22,6 +22,7 @@ const (
 
 	workloadComponent = "workload"
 	infraComponent    = "infra"
+	infraNamespace    = "kube-system"
 )
 
 type Option struct {
@@ -134,26 +135,22 @@ type reports struct {
 // - infra checks report
 func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, components []string) []reports {
 
-	var workloadMisconfig, infraMisconfig, rbacAssessment, workloadVulnerabilities, workloadResource []Resource
+	var workloadMisconfig, infraMisconfig, rbacAssessment, workloadVulnerabilities, infraVulnerabilities, workloadResource []Resource
 	for _, resource := range k8sReport.Resources {
 		if vulnerabilitiesOrSecretResource(resource) {
-			workloadVulnerabilities = append(workloadVulnerabilities, resource)
+			if resource.Namespace != infraNamespace && len(resource.Namespace) > 0 {
+				workloadVulnerabilities = append(workloadVulnerabilities, resource)
+			} else {
+				infraVulnerabilities = append(infraVulnerabilities, resource)
+			}
 			continue
 		}
 
 		switch {
 		case scanners.Enabled(types.RBACScanner) && rbacResource(resource):
 			rbacAssessment = append(rbacAssessment, resource)
 		case infraResource(resource):
-			workload, infra := splitInfraAndWorkloadResources(resource)
-
-			if slices.Contains(components, infraComponent) {
-				infraMisconfig = append(infraMisconfig, infra)
-			}
-
-			if slices.Contains(components, workloadComponent) {
-				workloadMisconfig = append(workloadMisconfig, workload)
-			}
+			infraMisconfig = append(infraMisconfig, resource)
 
 		case scanners.Enabled(types.MisconfigScanner) && !rbacResource(resource):
 			if slices.Contains(components, workloadComponent) {
@@ -195,9 +192,9 @@ func SeparateMisconfigReports(k8sReport Report, scanners types.Scanners, compone
 		})
 	}
 
-	if scanners.Enabled(types.MisconfigScanner) &&
-		slices.Contains(components, infraComponent) &&
-		len(infraMisconfig) > 0 {
+	infraMisconfig = append(infraMisconfig, infraVulnerabilities...)
+	if shouldAddWorkloadReport(scanners) && slices.Contains(components, infraComponent) &&
+		len(infraMisconfig) > 0 && len(infraVulnerabilities) > 0 {
 
 		r = append(r, reports{
 			Report: Report{
@@ -218,7 +215,7 @@ func rbacResource(misConfig Resource) bool {
 }
 
 func infraResource(misConfig Resource) bool {
-	return (misConfig.Kind == "Pod" && misConfig.Namespace == "kube-system") || misConfig.Kind == "NodeInfo"
+	return (misConfig.Namespace == infraNamespace) || misConfig.Kind == "NodeInfo" || len(misConfig.Namespace) == 0
 }
 
 func CreateResource(artifact *artifacts.Artifact, report types.Report, err error) Resource {
@@ -269,43 +266,6 @@ func (r Report) PrintErrors() {
 	}
 }
 
-func splitInfraAndWorkloadResources(misconfig Resource) (Resource, Resource) {
-	workload := copyResource(misconfig)
-	infra := copyResource(misconfig)
-
-	workloadResults := make(types.Results, 0)
-	infraResults := make(types.Results, 0)
-
-	for _, result := range misconfig.Results {
-		var workloadMisconfigs, infraMisconfigs []types.DetectedMisconfiguration
-
-		for _, m := range result.Misconfigurations {
-			if strings.HasPrefix(m.ID, "KCV") {
-				infraMisconfigs = append(infraMisconfigs, m)
-				continue
-			}
-
-			workloadMisconfigs = append(workloadMisconfigs, m)
-		}
-
-		if len(workloadMisconfigs) > 0 {
-			workloadResults = append(workloadResults, copyResult(result, workloadMisconfigs))
-		}
-
-		if len(infraMisconfigs) > 0 {
-			infraResults = append(infraResults, copyResult(result, infraMisconfigs))
-		}
-	}
-
-	workload.Results = workloadResults
-	workload.Report.Results = workloadResults
-
-	infra.Results = infraResults
-	infra.Report.Results = infraResults
-
-	return workload, infra
-}
-
 func copyResource(r Resource) Resource {
 	return Resource{
 		Namespace: r.Namespace,

diff --git a/pkg/k8s/report/table.go b/pkg/k8s/report/table.go
@@ -41,7 +41,11 @@ func RoleColumns() []string {
 }
 
 func InfraColumns() []string {
-	return []string{InfraAssessmentColumn}
+	return []string{
+		VulnerabilitiesColumn,
+		MisconfigurationsColumn,
+		SecretsColumn,
+	}
 }
 
 func (tw TableWriter) Write(ctx context.Context, report Report) error {