Add packages support for security policy #189
Conversation
…ng face and oci and remove unsupported types
…ge_type and package_versions with pack and unpack and also added rules for diff
…d general creation
| @@ -17,37 +17,28 @@ import ( | |||
|
|
|||
| var validPackageTypes = []string{ | |||
| "alpine", | |||
| "bower", | |||
| //"bower", | |||
There was a problem hiding this comment.
Let's delete these commented out lines.
There was a problem hiding this comment.
We need to generate updated documentation. You can do this by:
make docThere was a problem hiding this comment.
Is this list the same as the one for security policy? We may need 2 separate lists if they aren't the same.
There was a problem hiding this comment.
Is this list the same as the one for security policy? We may need 2 separate lists if they aren't the same.
Lists should be the same according to product.
Currently, the commented-out package types are for some reason not supported in v2/policies API (Product could not give me an answer as to why). We can include them for future support or remove them and create separate lists for both APIs. Also might consider moving validPackageTypes to another file if both APIs are using it.
There was a problem hiding this comment.
I think having 2 separate lists is best for now until we know for sure they are same list.
| } | ||
| } | ||
| } | ||
| }` |
There was a problem hiding this comment.
I think the tests for invalid attributes combos are missing, i.e. logic from the custom diff func.
| @@ -188,6 +188,9 @@ Optional: | |||
| - `fix_version_dependant` (Boolean) Default value is `false`. Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled. | |||
| - `malicious_package` (Boolean) Default value is `false`. Generating a violation on a malicious package. | |||
| - `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy. Valid values: `All Severities`, `Critical`, `High`, `Medium`, `Low` | |||
| - `package_name` (String) The package name to create a rule for | |||
| - `package_type` (String) The package type to create a rule for | |||
| - `package_versions` (Set of String) package versions to apply the rule on can be (,) for any version or a open range (1,4) or closed [1,4] or one version [1] | |||
There was a problem hiding this comment.
a open range -> an open range
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
| Elem: &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| ValidateDiagFunc: validation.ToDiagFunc( | ||
| validation.StringMatch(regexp.MustCompile(`((^(\(|\[)((\d+\.)?(\d+\.)?(\*|\d+)|(\s*))\,((\d+\.)?(\d+\.)?(\*|\d+)|(\s*))(\)|\])$|^\[(\d+\.)?(\d+\.)?(\*|\d+)\]$))`), "invalid Range, must be one of the follows: Any Version: (,) or Speciific Version: [1.2], [3] or Range: (1,), [,1.2.3], (4.5.0,6.5.2]"), |
There was a problem hiding this comment.
Sorry, just spotted Speciific typo 😄
dortam888
force-pushed
the
add_packages_suuport_for_security_policy
branch
from
37cfb94
to
3454bbb
Compare
Added package_name, package_type, and package_versions which are available from Xray 3.87.5 to security policy criteria.