perf(misconf): retrieve check metadata from annotations once #8478
Conversation
Signed-off-by: nikpivkin <[email protected]>
pkg/iac/rego/embed.go
Outdated
| log.Warn("Failed to retrieve metadata", | ||
| log.String("package", module.Package.String()), log.Err(err)) | ||
| continue | ||
| } else if metadata == nil { |
There was a problem hiding this comment.
can we add a sad test case for these two code paths?
There was a problem hiding this comment.
I have removed these changes as they are unnecessary.
| if !metadata.Deprecated { | ||
| regoCheckIDs.Append(metadata.AVDID) | ||
| } |
There was a problem hiding this comment.
this is interesting, should we add a linter check to ensure a variable gets flagged if it's only set and never used?
pkg/iac/rego/embed.go
Outdated
| Filtered(paths, func(abspath string, info fs.FileInfo, _ int) bool { | ||
| return isNotRegoFile(info) || isOptionalChecks(abspath) | ||
| }) |
There was a problem hiding this comment.
can we add some test cases where .Filtered() can return true, IOW files that are not valid rego?
There was a problem hiding this comment.
Added tests de66947
There was a problem hiding this comment.
I put the old way of loading back in, since we use the slash as a path separator regardless of OS, and OPA uses the filepath package which is OS dependent.
| func isOptionalChecks(path string) bool { | ||
| return strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), filepath.Join("advanced", "optional")) |
There was a problem hiding this comment.
Is this still needed after the recent k8s checks re-org?
There was a problem hiding this comment.
Let's look at this in another PR when updating trivy-checks? For now, trivy works with the old trivy-checks structure.
pkg/iac/rego/load.go
Outdated
| } | ||
| } | ||
|
|
||
| // moduleHasLegacyMetadataFormat checks if the module has an legacy metadata format. |
There was a problem hiding this comment.
| // moduleHasLegacyMetadataFormat checks if the module has an legacy metadata format. | |
| // moduleHasLegacyMetadataFormat checks if the module has a legacy metadata format. |
pkg/iac/rego/load.go
Outdated
| }) | ||
| } | ||
|
|
||
| // moduleHasLegacyInputFormat checks if the module has an legacy input format. |
There was a problem hiding this comment.
| // moduleHasLegacyInputFormat checks if the module has an legacy input format. | |
| // moduleHasLegacyInputFormat checks if the module has a legacy input format. |
pkg/iac/rego/load.go
Outdated
|
|
||
| if len(metadata.InputOptions.Selectors) == 0 && !metadata.Library { | ||
| s.logger.Warn( | ||
| "Module has no input selectors - it will be loaded for all inputs!", |
There was a problem hiding this comment.
I recall reading somewhere on the Golang website about Go best practices for logging avoiding exclamation marks but I can't find it now.
| "Module has no input selectors - it will be loaded for all inputs!", | |
| "Module has no input selectors - it will be loaded for all inputs", |
It also talked about case but my memory fails me as to what the recommendation was.
| @@ -276,6 +285,38 @@ func (m StaticMetadata) ToRule() scan.Rule { | |||
| } | |||
| } | |||
|
|
|||
| func MetadataFromAnnotations(module *ast.Module) (*StaticMetadata, error) { | |||
There was a problem hiding this comment.
I see that it is tested with higher level tests but I feel we can write some tests for these function in isolation as it seems to critical and potentially re-usable as it's exported.
There was a problem hiding this comment.
Added tests eb72e1d
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
github-merge-queue
bot
removed this pull request from the merge queue due to a conflict with the base branch
nikpivkin
force-pushed
the
perf/metadata
branch
from
9052fe0 to
d389029
Compare
Description
Right now, Trivy retrieves the static metadata of a check each time it is run. This PR retrieves static metadata from annotations after checks are loaded. For dynamic metadata that is specified in the legacy way via the
___rego_metadata__rule, the behavior has not changed, as they can use input data.Also for checks that use the
__rego_metadata__and__rego_input__rules, a warning is issued that this is a deprecated way of specifying metadata and input options and it is recommended to use annotations.Checklist