tenable · patilpankaj212 · Aug 10, 2021 · Jun 26, 2021 · Jun 30, 2021 · Jul 5, 2021
@@ -47,7 +47,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	github.com/zclconf/go-cty v1.8.3
 	go.uber.org/zap v1.16.0
-	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
+	golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069
 	golang.org/x/tools v0.1.5 // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b

@@ -1725,11 +1725,10 @@ golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069 h1:siQdpVirKtzPhKl3lZWozZraCFObP8S1v6PRp0bLrtU=
+golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf h1:MZ2shdL+ZM/XzY3ZGOnh4Nlpnxz5GSOhOmtHo3iPU6M=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

@@ -0,0 +1,149 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package k8sv1
+
+import (
+	"encoding/json"
+
+	"github.com/accurics/terrascan/pkg/iac-providers/output"
+	"github.com/accurics/terrascan/pkg/utils"
+	yamltojson "github.com/ghodss/yaml"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	k8sappsv1 "k8s.io/api/apps/v1"
+	k8sbatchv1 "k8s.io/api/batch/v1"
+	k8sbatchv1beta1 "k8s.io/api/batch/v1beta1"
+	k8scorev1 "k8s.io/api/core/v1"
+)
+
+func (k *K8sV1) extractContainerImages(kind string, doc *utils.IacDocument) ([]output.ContainerNameAndImage, []output.ContainerNameAndImage, error) {
+	var containerImages = make([]output.ContainerNameAndImage, 0)
+	var initContainerImages = make([]output.ContainerNameAndImage, 0)
+	var data []byte
+	var err error
+
+	if doc.Data == nil {
+		return containerImages, initContainerImages, errors.Errorf("document does not have any resource data for unmarshalling")
+	}
+
+	if doc.Type == utils.YAMLDoc {
+		data, err = yamltojson.YAMLToJSON(doc.Data)
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		data = doc.Data
+	}
+
+	switch kind {
+	case "Pod":
+		pod := k8scorev1.Pod{}
+		err = json.Unmarshal(data, &pod)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling pod: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(pod.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(pod.Spec.InitContainers)...)
+
+	case "Deployment":
+		deployment := k8sappsv1.Deployment{}
+		err = json.Unmarshal(data, &deployment)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling deployment: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(deployment.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(deployment.Spec.Template.Spec.InitContainers)...)
+
+	case "ReplicationController":
+		rc := k8scorev1.ReplicationController{}
+		err = json.Unmarshal(data, &rc)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling replicationcontroller: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(rc.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(rc.Spec.Template.Spec.InitContainers)...)
+
+	case "Job":
+		job := k8sbatchv1.Job{}
+		err = json.Unmarshal(data, &job)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling job: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(job.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(job.Spec.Template.Spec.InitContainers)...)
+
+	case "CronJob":
+		cronjob := k8sbatchv1beta1.CronJob{}
+		err = json.Unmarshal(data, &cronjob)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling cronjob: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(cronjob.Spec.JobTemplate.Spec.Template.Spec.InitContainers)...)
+	case "StatefulSet":
+		ss := k8sappsv1.StatefulSet{}
+		err = json.Unmarshal(data, &ss)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling statefulset: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(ss.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(ss.Spec.Template.Spec.InitContainers)...)
+	case "ReplicaSet":
+		rs := k8sappsv1.ReplicaSet{}
+		err = json.Unmarshal(data, &rs)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling replicaset: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(rs.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(rs.Spec.Template.Spec.InitContainers)...)
+	case "DaemonSet":
+		ds := k8sappsv1.DaemonSet{}
+		err = json.Unmarshal(data, &ds)
+		if err != nil {
+			err := errors.Errorf("error unmarshalling daemonset: %v", err)
+			zap.S().Errorf(err.Error())
+			return nil, nil, err
+		}
+		containerImages = append(containerImages, readContainers(ds.Spec.Template.Spec.Containers)...)
+		initContainerImages = append(initContainerImages, readContainers(ds.Spec.Template.Spec.InitContainers)...)
+	default:
+		zap.S().Debugf("the container image extraction for kubernetes workload of kind %s is not supported.", kind)
+	}
+	return containerImages, initContainerImages, nil
+}
+
+//readContainers prepares list of containers and init containers from k8scorev1.Container object
+func readContainers(containers []k8scorev1.Container) (containerImages []output.ContainerNameAndImage) {
+	for _, container := range containers {
+		containerImages = append(containerImages, output.ContainerNameAndImage{Name: container.Name, Image: container.Image})
+	}
+	return
+}
@@ -0,0 +1,182 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package k8sv1
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/accurics/terrascan/pkg/iac-providers/kubernetes/v1/testdata"
+	"github.com/accurics/terrascan/pkg/iac-providers/output"
+	"github.com/accurics/terrascan/pkg/utils"
+)
+
+func TestK8sV1ExtractContainerImages(t *testing.T) {
+	type args struct {
+		doc  *utils.IacDocument
+		kind string
+	}
+	tests := []struct {
+		name                       string
+		k                          *K8sV1
+		args                       args
+		wantContainerImageList     []output.ContainerNameAndImage
+		wantInitContainerImageList []output.ContainerNameAndImage
+		wantErr                    bool
+	}{
+		{
+			name: "empty document object",
+			args: args{
+				doc:  &utils.IacDocument{},
+				kind: "CRD",
+			},
+			wantErr:                    true,
+			wantContainerImageList:     []output.ContainerNameAndImage{},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+		{
+			name: "pod json document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "json",
+					Data: testdata.PodJSONTemplate,
+				},
+				kind: "Pod",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "healthz", Image: "k8s.gcr.io/exechealthz-amd64:1.2"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+		{
+			name: "pod yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.PodYAMLTemplate,
+				},
+				kind: "Pod",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "myapp-container", Image: "nginx"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{{Name: "myapp-container", Image: "busybox"}},
+		},
+		{
+			name: "cronjob yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.CronJobYAMLTemplate,
+				},
+				kind: "CronJob",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "hello", Image: "busybox"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+		{
+			name: "job yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.JobYAMLTemplate,
+				},
+				kind: "Job",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "c", Image: "gcr.io/terrascan/job-wq-1"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+		{
+			name: "deployment yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.DeploymentYAMLTemplate,
+				},
+				kind: "Deployment",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "nginx", Image: "nginx:1.14.2"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{{Name: "init", Image: "busybox"}},
+		},
+		{
+			name: "daemonset yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.DaemonSetYAMLTemplate,
+				},
+				kind: "DaemonSet",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "fluentd-elasticsearch", Image: "quay.io/fluentd_elasticsearch/fluentd:v2.5.2"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+		{
+			name: "replicaset yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.ReplicaSetYAMLTemplate,
+				},
+				kind: "ReplicaSet",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "php-redis", Image: "gcr.io/google_samples/gb-frontend:v3"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+		{
+			name: "replicationcontroller yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.ReplicationControllerTemplate,
+				},
+				kind: "ReplicationController",
+			},
+			wantContainerImageList: []output.ContainerNameAndImage{
+				{Name: "nginx", Image: "nginx:latest"},
+				{Name: "sidecar1", Image: "sidecar-image-1"},
+				{Name: "sidecar2", Image: "sidecar-image-2"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{
+				{Name: "init1", Image: "init-image-1"},
+				{Name: "init2", Image: "init-image-2"},
+				{Name: "init3", Image: "init-image-3"}},
+		},
+		{
+			name: "statefulSet yaml document object",
+			args: args{
+				doc: &utils.IacDocument{
+					Type: "yaml",
+					Data: testdata.StatefulSetTemplate,
+				},
+				kind: "StatefulSet",
+			},
+			wantContainerImageList:     []output.ContainerNameAndImage{{Name: "nginx", Image: "k8s.gcr.io/nginx-slim:0.8"}},
+			wantInitContainerImageList: []output.ContainerNameAndImage{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			k := &K8sV1{}
+			gotContainerImageList, gotInitContainerImageList, err := k.extractContainerImages(tt.args.kind, tt.args.doc)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("K8sV1.extractContainerImages() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(gotContainerImageList, tt.wantContainerImageList) {
+				t.Errorf("K8sV1.extractResource() got = %v, want %v", gotContainerImageList, tt.wantContainerImageList)
+			}
+			if !reflect.DeepEqual(gotInitContainerImageList, tt.wantInitContainerImageList) {
+				t.Errorf("K8sV1.extractResource() got InitContainerImageList = %v, want %v", gotInitContainerImageList, tt.wantInitContainerImageList)
+			}
+		})
+	}
+}
@@ -1,3 +1,19 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
 package k8sv1
 
 import (

@@ -1,3 +1,19 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
 package k8sv1
 
 import (