refactor(deps): Merge trivy-iac into Trivy

[simar7]

Description

Merges current state of trivy-iac into Trivy.

Related issues

• Close refactor(misconf): Merging trivy-iac into Trivy #5626

Required PRs to be reviewed before

• refactor(deps): Merge defsec into Trivy #6006

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[simar7]

Note: I've left out avd_docs and cmd/avd_generator from this PR. They still remain in trivy-iac repo. Should we move them here or elsewhere? What about avd-generator repo, as per this PR? aquasecurity/avd-generator#79

[simar7]

@knqyf263 and @nikpivkin I understand that this PR is quite big so please take your time to review.

Besides the new files being added, most of the changes are actually using the new files (rather than the trivy-iac package).

Please let me know if I can do anything to help you review this PR. I've also broken the merge of misconfig scanning into this PR and the defsec changes, in this PR.

[knqyf263]

Can we make a new directory iac under pkg and put detection, scanners and adapters there? We should be going to reorganize the structure in the future, but a dedicated directory helps us set the owners for now.

extrafs can be located under pkg directly as it is like a common utility.

[simar7]

Can we make a new directory iac under pkg and put detection, scanners and adapters there? We should be going to reorganize the structure in the future, but a dedicated directory helps us set the owners for now.

extrafs can be located under pkg directly as it is like a common utility.

Thanks that's a great point about code owners. I've updated it.

[knqyf263]

There are many tests about checks, like test/testdata/dockerfile/DS001. Since logic and checks are separated, I feel like Trivy should not have the tests for checks. What do you think?

[simar7]

There are many tests about checks, like test/testdata/dockerfile/DS001. Since logic and checks are separated, I feel like Trivy should not have the tests for checks. What do you think?

Yeah that's a valid point. They should be moved. I've moved them into the checks repo: aquasecurity/trivy-checks#70

[knqyf263]

There are several files under test/. Are they integration tests? It looks unit tests to me.

[knqyf263]

Is it a unit test? If so, the file should be next to the relevant Go file.

[simar7]

Yeah they really are just terraform functional tests. I've relocated them under the terraform directory. Also deleted another test which was not relevant rules_test.go.

[knqyf263]

Thanks! I guess those tests were added for tfsec. When creating defsec, they were just copied from tfsec.

[knqyf263]

@simar7 I've already merged the PR, but I'm curious why we still have a defsec dependency.

trivy/go.mod

Line 16 in 4b4b625

github.com/aquasecurity/defsec v0.94.2-0.20240119001230-c2d65f49dfeb

I thought defsec was split into trivy-iac and trivy-policies.

[simar7]

@simar7 I've already merged the PR, but I'm curious why we still have a defsec dependency.

trivy/go.mod

Line 16 in 4b4b625

github.com/aquasecurity/defsec v0.94.2-0.20240119001230-c2d65f49dfeb

I thought defsec was split into trivy-iac and trivy-policies.

Yes because last time the merge was too big to review so we split it up. The second PR is here that merges remaining pieces from defsec into Trivy. It was stacked on top of this PR but since this merged first, I will recreate it and ask for a review.