refactor(misconf): make Rego scanner independent of config type

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/rego/build.go

@@ -13,16 +13,15 @@ import (
 	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
-func BuildSchemaSetFromPolicies(policies map[string]*ast.Module, paths []string, fsys fs.FS, customSchemas map[string][]byte) (*ast.SchemaSet, bool, error) {
+func BuildSchemaSetFromPolicies(policies map[string]*ast.Module, paths []string, fsys fs.FS, customSchemas map[string][]byte) (*ast.SchemaSet, error) {
 	schemaSet := ast.NewSchemaSet()
 	schemaSet.Put(ast.MustParseRef("schema.input"), make(map[string]any)) // for backwards compat only
-	var customFound bool
 
 	for _, policy := range policies {
 		for _, annotation := range policy.Annotations {
 			for _, ss := range annotation.Schemas {
 				schemaName, err := ss.Schema.Ptr()
-				if err != nil || schemaName == "input" {
+				if err != nil || schemaName == "input" { // for backwards compat only
 					continue
 				}
 
@@ -38,27 +37,26 @@ func BuildSchemaSetFromPolicies(policies map[string]*ast.Module, paths []string,
 				} else {
 					b, err := findSchemaInFS(paths, fsys, schemaName)
 					if err != nil {
-						return schemaSet, true, err
+						return nil, err
 					}
 
 					if b == nil {
-						return nil, false, fmt.Errorf("could not find schema %q", schemaName)
+						return nil, fmt.Errorf("could not find schema %q", schemaName)
 					}
 
 					schema = b
 				}
 
 				var rawSchema any
 				if err := util.UnmarshalJSON(schema, &rawSchema); err != nil {
-					return schemaSet, false, fmt.Errorf("could not parse schema %q: %w", schemaName, err)
+					return schemaSet, fmt.Errorf("could not parse schema %q: %w", schemaName, err)
 				}
-				customFound = true
 				schemaSet.Put(ss.Schema, rawSchema)
 			}
 		}
 	}
 
-	return schemaSet, customFound, nil
+	return schemaSet, nil
 }
 
 // findSchemaInFS tries to find the schema anywhere in the specified FS

pkg/iac/rego/embed.go

@@ -36,7 +36,7 @@ var LoadAndRegister = sync.OnceFunc(func() {
 func RegisterRegoRules(modules map[string]*ast.Module) {
 	ctx := context.TODO()
 
-	schemaSet, _, _ := BuildSchemaSetFromPolicies(modules, nil, nil, make(map[string][]byte))
+	schemaSet, _ := BuildSchemaSetFromPolicies(modules, nil, nil, make(map[string][]byte))
 
 	compiler := ast.NewCompiler().
 		WithSchemas(schemaSet).

pkg/iac/rego/load.go

@@ -233,13 +233,10 @@ func (s *Scanner) prunePoliciesWithError(compiler *ast.Compiler) error {
 
 func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error {
 
-	schemaSet, custom, err := BuildSchemaSetFromPolicies(s.policies, paths, srcFS, s.customSchemas)
+	schemaSet, err := BuildSchemaSetFromPolicies(s.policies, paths, srcFS, s.customSchemas)
 	if err != nil {
 		return err
 	}
-	if custom {
-		s.inputSchema = nil // discard auto detected input schema in favor of check defined schema
-	}
 
 	compiler := ast.NewCompiler().
 		WithUseTypeCheckAnnotations(true).
@@ -259,18 +256,6 @@ func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error {
 	if err := s.filterModules(retriever); err != nil {
 		return err
 	}
-	if s.inputSchema != nil {
-		schemaSet := ast.NewSchemaSet()
-		schemaSet.Put(ast.MustParseRef("schema.input"), s.inputSchema)
-		compiler.WithSchemas(schemaSet)
-		compiler.Compile(s.policies)
-		if compiler.Failed() {
-			if err := s.prunePoliciesWithError(compiler); err != nil {
-				return err
-			}
-			return s.compilePolicies(srcFS, paths)
-		}
-	}
 	s.compiler = compiler
 	s.retriever = retriever
 	return nil
@@ -307,12 +292,7 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
 			continue
 		}
 
-		for _, selector := range meta.InputOptions.Selectors {
-			if selector.Type == string(s.sourceType) {
-				filtered[name] = module
-				break
-			}
-		}
+		filtered[name] = module
 	}
 
 	s.policies = filtered

pkg/iac/rego/load_test.go

@@ -15,7 +15,6 @@ import (
 
 	checks "github.com/aquasecurity/trivy-checks"
 	"github.com/aquasecurity/trivy/pkg/iac/rego"
-	"github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 )
 
@@ -30,7 +29,6 @@ func Test_RegoScanning_WithSomeInvalidPolicies(t *testing.T) {
 		var debugBuf bytes.Buffer
 		slog.SetDefault(log.New(log.NewHandler(&debugBuf, nil)))
 		scanner := rego.NewScanner(
-			types.SourceDockerfile,
 			rego.WithRegoErrorLimits(0),
 			rego.WithPolicyDirs("."),
 		)
@@ -44,7 +42,6 @@ func Test_RegoScanning_WithSomeInvalidPolicies(t *testing.T) {
 		var debugBuf bytes.Buffer
 		slog.SetDefault(log.New(log.NewHandler(&debugBuf, nil)))
 		scanner := rego.NewScanner(
-			types.SourceDockerfile,
 			rego.WithRegoErrorLimits(1),
 			rego.WithPolicyDirs("."),
 		)
@@ -65,7 +62,6 @@ deny {
     input.evil == "foo bar"
 }`
 		scanner := rego.NewScanner(
-			types.SourceJSON,
 			rego.WithPolicyDirs("."),
 			rego.WithPolicyReader(strings.NewReader(check)),
 		)
@@ -84,7 +80,6 @@ deny {
     input.evil == "foo bar"
 }`
 		scanner := rego.NewScanner(
-			types.SourceJSON,
 			rego.WithPolicyDirs("."),
 			rego.WithPolicyReader(strings.NewReader(check)),
 		)
@@ -106,14 +101,12 @@ deny {
     input.evil == "foo bar"
 }`
 		scanner := rego.NewScanner(
-			types.SourceJSON,
 			rego.WithPolicyDirs("."),
 			rego.WithPolicyReader(strings.NewReader(check)),
 		)
 		err := scanner.LoadPolicies(fstest.MapFS{})
 		require.NoError(t, err)
 	})
-
 }
 
 func Test_FallbackToEmbedded(t *testing.T) {
@@ -195,7 +188,6 @@ deny {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			scanner := rego.NewScanner(
-				types.SourceDockerfile,
 				rego.WithRegoErrorLimits(0),
 				rego.WithEmbeddedPolicies(false),
 				rego.WithPolicyDirs("."),
@@ -255,7 +247,6 @@ deny {
 	}
 
 	scanner := rego.NewScanner(
-		types.SourceDockerfile,
 		rego.WithEmbeddedPolicies(false),
 		rego.WithPolicyDirs("."),
 	)

pkg/iac/rego/scanner.go

@@ -16,7 +16,6 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
-	"github.com/aquasecurity/trivy/pkg/iac/rego/schemas"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
@@ -56,8 +55,6 @@ type Scanner struct {
 	dataFS                   fs.FS
 	dataDirs                 []string
 	frameworks               []framework.Framework
-	inputSchema              any // unmarshalled into this from a json schema document
-	sourceType               types.Source
 	includeDeprecatedChecks  bool
 	includeEmbeddedPolicies  bool
 	includeEmbeddedLibraries bool
@@ -88,17 +85,11 @@ type DynamicMetadata struct {
 	EndLine   int
 }
 
-func NewScanner(source types.Source, opts ...options.ScannerOption) *Scanner {
+func NewScanner(opts ...options.ScannerOption) *Scanner {
 	LoadAndRegister()
 
-	schema, ok := schemas.SchemaMap[source]
-	if !ok {
-		schema = schemas.Anything
-	}
-
 	s := &Scanner{
 		regoErrorLimit:   ast.CompileErrorLimitDefault,
-		sourceType:       source,
 		ruleNamespaces:   builtinNamespaces.Clone(),
 		runtimeValues:    addRuntimeValues(),
 		logger:           log.WithPrefix("rego"),
@@ -109,12 +100,6 @@ func NewScanner(source types.Source, opts ...options.ScannerOption) *Scanner {
 	for _, opt := range opts {
 		opt(s)
 	}
-	if schema != schemas.None {
-		err := json.Unmarshal([]byte(schema), &s.inputSchema)
-		if err != nil {
-			panic(err)
-		}
-	}
 	return s
 }
 
@@ -130,12 +115,6 @@ func (s *Scanner) runQuery(ctx context.Context, query string, input ast.Value, d
 		rego.Trace(trace),
 	}
 
-	if s.inputSchema != nil {
-		schemaSet := ast.NewSchemaSet()
-		schemaSet.Put(ast.MustParseRef("schema.input"), s.inputSchema)
-		regoOptions = append(regoOptions, rego.Schemas(schemaSet))
-	}
-
 	if input != nil {
 		regoOptions = append(regoOptions, rego.ParsedInput(input))
 	}
@@ -176,7 +155,7 @@ func GetInputsContents(inputs []Input) []any {
 	return results
 }
 
-func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results, error) {
+func (s *Scanner) ScanInput(ctx context.Context, sourceType types.Source, inputs ...Input) (scan.Results, error) {
 
 	s.logger.Debug("Scanning inputs", "count", len(inputs))
 
@@ -210,11 +189,9 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
 			continue // skip deprecated checks
 		}
 
-		if isPolicyWithSubtype(s.sourceType) {
-			// skip if check isn't relevant to what is being scanned
-			if !isPolicyApplicable(staticMeta, inputs...) {
-				continue
-			}
+		// skip if check isn't relevant to what is being scanned
+		if !isPolicyApplicable(sourceType, staticMeta, inputs...) {
+			continue
 		}
 
 		if len(inputs) == 0 {
@@ -279,18 +256,28 @@ func checkSubtype(ii map[string]any, provider string, subTypes []SubType) bool {
 	return false
 }
 
-func isPolicyApplicable(staticMetadata *StaticMetadata, inputs ...Input) bool {
+func isPolicyApplicable(sourceType types.Source, staticMetadata *StaticMetadata, inputs ...Input) bool {
+	if len(staticMetadata.InputOptions.Selectors) == 0 { // check always applies if no selectors
+		return true
+	}
+
+	for _, selector := range staticMetadata.InputOptions.Selectors {
+		if selector.Type != string(sourceType) {
+			return false
+		}
+	}
+
+	if !isPolicyWithSubtype(sourceType) {
+		return true
+	}
+
 	for _, input := range inputs {
 		if ii, ok := input.Contents.(map[string]any); ok {
 			for provider := range ii {
 				if !supportedProviders.Contains(provider) {
 					continue
 				}
 
-				if len(staticMetadata.InputOptions.Selectors) == 0 { // check always applies if no selectors
-					return true
-				}
-
 				// check metadata for subtype
 				for _, s := range staticMetadata.InputOptions.Selectors {
 					if checkSubtype(ii, provider, s.Subtypes) {