aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0
715 stars, 62 forks

Not implemented: "3.2.3: Ensure packages are automatically scanned for license implications" #76

Open MartinPetkov opened 2 years ago

MartinPetkov commented 2 years ago

Description

The check "3.2.3: Ensure packages are automatically scanned for license implications" does not seem to be implemented. At https://github.com/aquasecurity/chain-bench/blob/main/internal/checks/dependencies/validate_packages/rules.rego#L16, it appears to be checking the same thing as 3.2.2, whether there are vulnerability scan tasks.

What did you expect to happen?

It checks for license scan tasks.

What happened instead?

It checks for vuln scan tasks.

```rego
# Rule as it appears in rules.rego: the 3.2.3 license check counts jobs
# matching the *vulnerability* scan task list, not a license scan task list.
are_pipelines_dependencies_scanned_for_licenses {
    count({job | job := input.Pipelines[_].jobs[_]; does_job_contain_one_of_tasks(job, constsLib.pipeline_vulnerability_scan_tasks)}) == 0
}
```

Additional details (base image name, container registry info...):

The remediation does not really explain how to fix this. It would be more helpful if it specifically said which types of pipeline tasks it is looking for, in both the vuln scan and license scan checks.
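To make the mix-up concrete, here is an added illustration (not chain-bench's own code, and not something the reporter posted): the rule body from the Rego snippet above re-implemented in Python and evaluated against a constructed pipeline that runs a vulnerability scanner but no license scanner. The input shape (`Pipelines` → `jobs` → `tasks`) and both task lists are assumptions made for this example, not chain-bench's real constants; `constsLib.pipeline_license_scan_tasks` is a hypothetical name standing in for the list the 3.2.3 check would need.

```python
"""Added illustration, not chain-bench's own code: the 3.2.2 / 3.2.3 rule
bodies from the issue re-implemented in Python so the reported overlap can be
observed on a constructed pipeline.  Field names and task lists are assumed."""

# Assumed stand-in for constsLib.pipeline_vulnerability_scan_tasks (values constructed).
PIPELINE_VULNERABILITY_SCAN_TASKS = {"trivy-scan", "snyk-test", "grype-scan"}
# Hypothetical constsLib.pipeline_license_scan_tasks (name and values constructed).
PIPELINE_LICENSE_SCAN_TASKS = {"license-checker", "fossa-analyze", "scancode"}


def does_job_contain_one_of_tasks(job: dict, task_names: set) -> bool:
    """Mirror of the Rego helper: true if any task in the job is in task_names."""
    return any(task in task_names for task in job.get("tasks", []))


def count_jobs_with_tasks(pipelines: list, task_names: set) -> int:
    """Equivalent of count({job | job := input.Pipelines[_].jobs[_]; ...})."""
    return sum(
        1
        for pipeline in pipelines
        for job in pipeline.get("jobs", [])
        if does_job_contain_one_of_tasks(job, task_names)
    )


def rule_3_2_2_body(pipelines: list) -> bool:
    """3.2.2: the rule body holds (== 0) when no job runs a vulnerability scan task."""
    return count_jobs_with_tasks(pipelines, PIPELINE_VULNERABILITY_SCAN_TASKS) == 0


def rule_3_2_3_body_as_reported(pipelines: list) -> bool:
    """3.2.3 as reported in the issue: identical predicate to 3.2.2."""
    return count_jobs_with_tasks(pipelines, PIPELINE_VULNERABILITY_SCAN_TASKS) == 0


def rule_3_2_3_body_expected(pipelines: list) -> bool:
    """3.2.3 as the reporter expects: same shape, but over license scan tasks."""
    return count_jobs_with_tasks(pipelines, PIPELINE_LICENSE_SCAN_TASKS) == 0


def remediation_hint(task_names: set) -> str:
    """The detail the issue asks for: name the task types the check looks for."""
    return "Add a pipeline job running one of: " + ", ".join(sorted(task_names))


# Constructed sample input: one pipeline with a vulnerability scanner and no
# license scanner.  The reported 3.2.3 body cannot tell this apart from 3.2.2.
SAMPLE_PIPELINES = [
    {
        "name": "ci",
        "jobs": [
            {"name": "build", "tasks": ["checkout", "go-build"]},
            {"name": "security", "tasks": ["trivy-scan"]},
        ],
    }
]

if __name__ == "__main__":
    print("3.2.2 body (no vuln scan job):     ", rule_3_2_2_body(SAMPLE_PIPELINES))
    print("3.2.3 body as reported:            ", rule_3_2_3_body_as_reported(SAMPLE_PIPELINES))
    print("3.2.3 body over license scan tasks:", rule_3_2_3_body_expected(SAMPLE_PIPELINES))
    print(remediation_hint(PIPELINE_LICENSE_SCAN_TASKS))
```

On the sample input the 3.2.2 body and the reported 3.2.3 body both evaluate to `False` (a vulnerability scan job exists), while the license-aware version evaluates to `True` because no license scan job exists; whether a true rule body is reported as a pass or a finding is left to chain-bench's own harness and is not modelled here. The `remediation_hint` helper is only there to show the kind of task-list detail the remediation text could carry.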

naortalmor1 commented 2 years ago

Hi @MartinPetkov thanks for mentioning it! We'll add this check soon :)