
expected=logic.ExplicitlyAllowedImage, got=string error with Image Assurance Policy #228

Open
ParthibanSG opened this issue Jan 5, 2023 · 4 comments

Comments

@ParthibanSG

ParthibanSG commented Jan 5, 2023

Hi Team,

I am trying to create an image assurance policy after the recent bug fix via #222, using the latest provider 0.8.19.

I am facing the below error for the logical conditioning which comes for AllowedImages and SCAPFiles.

I did create the image assurance policy in the UI, enabling SCAPFiles and selecting the SCAPFile from the dropdown list. Then I tried to get the YAML via terraform import for the policy created via the UI, and it doesn't show the definition of the SCAPFile selected from the UI.

```text
╷
│ Error: failed creating  Assurance Policy. status: 400 Bad Request. error message: Failed reading policy body: code=400, message=Unmarshal type error: expected=logic.ExplicitlyAllowedImage, got=string, field=allowed_images, offset=33, internal=json: cannot unmarshal string into Go struct field AssurancePolicy.allowed_images of type logic.ExplicitlyAllowedImage
│
│   with aquasec_image_assurance_policy.img["Product1"],
│   on assurancepolicy.tf line 11, in resource "aquasec_image_assurance_policy" "img":
│   11: resource "aquasec_image_assurance_policy" "img" {
│
╵
```

It would be better to provide a sample for the assurance policies so their usage is easier to understand.

Thanks

@yossig-aquasec
Contributor

Hi @ParthibanSG, can you please share your tf file?

@ParthibanSG
Author

ParthibanSG commented Jan 9, 2023

@yossig-aquasec

Below is my TF code; it is a direct abstract of the default policy with a few modifications for AllowedImages and SCAPFiles. For SCAPFiles, I created a new OVAL script and provided its name as the reference, and got the same error as well...

```hcl
resource "aquasec_image_assurance_policy" "img1" {
  allowed_images                       = [
    "Hello-World",
  ]
  application_scopes                   = [
    "Global",
  ]
  audit_on_failure                     = true
  auto_scan_configured                 = false
  auto_scan_enabled                    = false
  blacklist_permissions                = [
    "delete"
  ]
  blacklist_permissions_enabled        = true
  blacklisted_licenses                 = [
    "LGPL", "GPL",
  ]
  blacklisted_licenses_enabled         = true
  block_failed                         = true
  control_exclude_no_fix               = true
  custom_checks_enabled                = false
  custom_severity_enabled              = true
  cves_black_list                      = [
    "CVE-2022-6754",
  ]
  cves_black_list_enabled              = true
  cves_white_list                      = [
    "CVE-2022-6755",
  ]
  cves_white_list_enabled              = true
  cvss_severity                        = "low"
  cvss_severity_enabled                = true
  cvss_severity_exclude_no_fix         = true
  description                          = "Testing IMG Policy"
  disallow_malware                     = true
  docker_cis_enabled                   = true
  dta_enabled                          = true
  enabled                              = true
  enforce                              = true
  enforce_after_days                   = 10
  enforce_excessive_permissions        = true
  exceptional_monitored_malware_paths  = [
    "/iab", "/etc",
  ]
  fail_cicd                            = true
  forbidden_labels_enabled             = false
  force_microenforcer                  = true
  function_integrity_enabled           = true
  ignore_recently_published_vln        = true
  ignore_risk_resources_enabled        = true
  ignored_risk_resources               = [
    "abc",
  ]
  images                               = [
    "Hello-World", "TestImage"
  ]
  kube_cis_enabled                     = true
  labels                               = [
    "Test", "XYZ",
  ]
  malware_action                       = "delete"
  maximum_score                        = 1
  maximum_score_enabled                = true
  maximum_score_exclude_no_fix         = true
  monitored_malware_paths              = [
    "/bin", "/usr",
  ]
  name                                 = "TestIMG"
  only_none_root_users                 = true
  packages_black_list_enabled          = false
  packages_white_list_enabled          = false
  partial_results_image_fail           = true
  read_only                            = false
  registries                           = [
    "testaqua.azurecr.io",
  ]
  required_labels_enabled              = false
  scan_nfs_mounts                      = true
  scan_sensitive_data                  = true
  scap_enabled                         = true
  scap_files                           = [
    "TestingOval (custom)",
  ]
  trusted_base_images_enabled          = false
  whitelisted_licenses                 = [
    "BSD"
  ]
  whitelisted_licenses_enabled         = true
  scope {
    expression = "v1"

    variables {
      attribute = "image.name"
      value     = "*"
    }
  }
}
```

Error Log:

```text
aquasec_image_assurance_policy.img1: Modifying... [id=TestIMG]
╷
│ Error: failed modifying  Assurance Policy. status: 400 Bad Request. error message: Failed reading policy body: code=400, message=Unmarshal type error: expected=logic.UserScript, got=string, field=scap_files, offset=2147, internal=json: cannot unmarshal string into Go struct field AssurancePolicy.scap_files of type logic.UserScript
│
│   with aquasec_image_assurance_policy.img1,
│   on main.tf line 15, in resource "aquasec_image_assurance_policy" "img1":
│   15: resource "aquasec_image_assurance_policy" "img1" {
```

I do have a few questions on the assurance policy, since I see a few field definitions are missing. Please correct me if I am wrong, or let me know the corresponding snippet for usage, as I don't find fields related to the below in the AquaSec Terraform documentation.

Image and Function Assurance:

OS Package Manager
Vulnerability Exploitability
Ignore vulnerabilities found in base image

Host Assurance:

Linux CIS
OpenShift Hardening
Malware -> Scan Windows registry hives
Malware -> Enable In-memory scan
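Both error messages above are Go `encoding/json` type errors: the server declares `allowed_images` and `scap_files` as slices of structs, while the provider sent them as JSON arrays of plain strings. The following is an added, stand-alone example (not code from the aquasec provider or the Aqua server) that reproduces that failure with a minimal stand-in for `AssurancePolicy` and shows the normalisation a client would apply before sending the body. The element types `ExplicitlyAllowedImage` and `UserScript` and their single `name` field are assumptions for illustration; the real server-side structs are not shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ExplicitlyAllowedImage stands in for logic.ExplicitlyAllowedImage from the
// error message. Its real fields are not on the page; "name" is an assumption.
type ExplicitlyAllowedImage struct {
	Name string `json:"name"`
}

// UserScript stands in for logic.UserScript (the scap_files element type).
// The "name" field is likewise an assumption.
type UserScript struct {
	Name string `json:"name"`
}

// AssurancePolicy mirrors only the two fields named in the reported errors.
type AssurancePolicy struct {
	AllowedImages []ExplicitlyAllowedImage `json:"allowed_images"`
	ScapFiles     []UserScript             `json:"scap_files"`
}

// DecodePolicy unmarshals a policy body the way a Go server would, returning
// the same kind of *json.UnmarshalTypeError the issue reports when an array
// element is a string where a struct is declared.
func DecodePolicy(body []byte) (AssurancePolicy, error) {
	var p AssurancePolicy
	err := json.Unmarshal(body, &p)
	return p, err
}

// NormalizePolicy rewrites bare string elements of allowed_images and
// scap_files into {"name": "<value>"} objects, leaving other fields and any
// elements that are already objects untouched. This is the client-side fix
// shape: convert the Terraform list of strings into the object form the
// server's struct expects before the request is sent.
func NormalizePolicy(body []byte) ([]byte, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("policy body is not a JSON object: %w", err)
	}
	for _, field := range []string{"allowed_images", "scap_files"} {
		rm, ok := raw[field]
		if !ok {
			continue
		}
		var items []json.RawMessage
		if err := json.Unmarshal(rm, &items); err != nil {
			return nil, fmt.Errorf("%s: expected a JSON array: %w", field, err)
		}
		out := make([]json.RawMessage, 0, len(items))
		for _, it := range items {
			var s string
			if err := json.Unmarshal(it, &s); err == nil {
				// Bare string: wrap it in the assumed object form.
				wrapped, err := json.Marshal(map[string]string{"name": s})
				if err != nil {
					return nil, err
				}
				out = append(out, wrapped)
				continue
			}
			// Not a string: pass it through unchanged (already an object).
			out = append(out, it)
		}
		b, err := json.Marshal(out)
		if err != nil {
			return nil, err
		}
		raw[field] = b
	}
	return json.Marshal(raw)
}

func main() {
	// Constructed body matching the shape the issue's Terraform config sends.
	body := []byte(`{"name":"TestIMG","allowed_images":["Hello-World"],"scap_files":["TestingOval (custom)"]}`)

	if _, err := DecodePolicy(body); err != nil {
		fmt.Println("as sent:", err)
	}
	fixed, err := NormalizePolicy(body)
	if err != nil {
		fmt.Println("normalize failed:", err)
		return
	}
	p, err := DecodePolicy(fixed)
	fmt.Printf("normalized: %s\nerr=%v allowed=%q scap=%q\n", fixed, err, p.AllowedImages[0].Name, p.ScapFiles[0].Name)
}
```

Running it prints the "cannot unmarshal string into Go struct field AssurancePolicy.allowed_images" error for the original body, then decodes the normalised body cleanly. The same check is useful as a pre-flight test in a provider's own test suite: marshal the resource the way the provider does and unmarshal it into a struct with the server's declared element types, so a type mismatch like this one fails in CI rather than at `terraform apply`.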

@yossig-aquasec
Contributor

Hi @ParthibanSG, regarding the image assurance we saw the bug, and regarding the function and host we will check and update you.

@ParthibanSG
Author

@yossig-aquasec We also noticed the below functionalities are not supported if we enable the below controls...

Note: These are subcontrols under the main control, where currently we can enable only the main control (blocked_files) but not the subcontrols below it...

Container Runtime Policy / File Block

  • Excluded Paths
  • Block files Processes
  • Exclude Block files Processes
  • Block files from users
  • Exclude Block files from users

Container Runtime Policy / Package Block

  • Excluded Paths
  • Block files Processes
  • Exclude Block packages Processes
  • Block files packages from users
  • Exclude Block packages from users

Container Runtime Policy / Read-only directories and files

  • Processes
  • Excluded Processes
  • Users
  • Excluded Users
