mondoohq / cnspec

An open source, cloud-native security to protect everything from build to runtime
https://cnspec.io

cnspec scan aws --incognito failing #770

Open vjeffrey opened 1 year ago

vjeffrey commented 1 year ago
error: failed to compile fetched bundle: failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-user-no-inline-policies-check: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-user-no-inline-policies-check-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-flow-logs-enabled: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-flow-logs-enabled-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-default-security-group-closed: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-default-security-group-closed-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-group-has-users-check: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-group-has-users-check-account'

This is a registry bug.

czunker commented 1 year ago

Same happens on AWS EC2 RHEL instance:

cnspec scan local
→ no Mondoo configuration file provided, using defaults
! No credentials provided. Switching to --incognito mode.
→ discover related assets for 1 asset(s)

  ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────    X score

Asset: //policy.api.mondoo.com/assets/2WeJXyhYBmG0UnbHy3A7e7TKm6Y
-----------------------------------------------------------------

error: failed to compile fetched bundle: failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-kubernetes-security-pod-allowprivilegeescalation: failed to compile query 'k8s.pod {
  ephemeralContainers {
    securityContext['allowPrivilegeEscalation'] != true
  }
  initContainers {
    securityContext['allowPrivilegeEscalation'] != true
  }
  containers {
    securityContext['allowPrivilegeEscalation'] != true
  }
}
': cannot find field 'pod' in k8s
....

cnspec v9.0.3

vjeffrey commented 1 year ago

I think the one you have there is a bit different @czunker -- on my error the queries are missing; they're variant queries. On yours we seem to be trying to compile queries that don't match the provider.
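The errors above are dangling references: a composed query lists variant uids (the `-account` ones) that are absent from the fetched bundle, so the compiler cannot resolve them. The following is an added example, not cnspec's or Mondoo's own code, of a small bundle linter that catches this class of defect before a bundle is published. It assumes the bundle layout where a composed query carries `variants: [{uid: ...}]` and each referenced uid must itself appear under `queries:` (an assumption drawn from the error text; the real schema has more fields). The bundle below is constructed and deliberately omits the `-account` variant to reproduce the reported failure; the MQL strings are placeholders.

```python
"""Lint a cnspec-style policy bundle for unresolved variant-query references.

Added example, not cnspec's own code. Schema assumption: a composed query
lists `variants: [{"uid": ...}]`, and every referenced uid must be a query
in the same bundle. The bundle is the dict you would get from yaml.safe_load.
"""
from typing import Dict, List, Tuple

# Constructed sample bundle (not a real Mondoo bundle). The "-account"
# variant is intentionally missing, mirroring the error in this issue.
SAMPLE_BUNDLE = {
    "queries": [
        {
            "uid": "mondoo-aws-security-vpc-flow-logs-enabled",
            "title": "Ensure VPC flow logging is enabled in all VPCs",
            "variants": [
                {"uid": "mondoo-aws-security-vpc-flow-logs-enabled-account"},
                {"uid": "mondoo-aws-security-vpc-flow-logs-enabled-single"},
            ],
        },
        {
            "uid": "mondoo-aws-security-vpc-flow-logs-enabled-single",
            "filters": "true  # placeholder filter",
            "mql": "true  # placeholder MQL",
        },
        # Constructed defect: a query with neither MQL nor variants.
        {"uid": "example-empty-query"},
    ]
}


def index_queries(bundle: dict) -> Dict[str, dict]:
    """Map query uid -> query definition."""
    return {q["uid"]: q for q in bundle.get("queries", [])}


def find_dangling_variants(bundle: dict) -> List[Tuple[str, str]]:
    """Return (parent_uid, missing_variant_uid) for every unresolved reference."""
    by_uid = index_queries(bundle)
    missing = []
    for uid, query in by_uid.items():
        for variant in query.get("variants", []):
            if variant["uid"] not in by_uid:
                missing.append((uid, variant["uid"]))
    return missing


def find_variant_cycles(bundle: dict) -> List[List[str]]:
    """Detect composed queries whose variants refer back to an ancestor (DFS)."""
    by_uid = index_queries(bundle)
    WHITE, GREY, BLACK = 0, 1, 2
    color = {uid: WHITE for uid in by_uid}
    stack: List[str] = []
    cycles: List[List[str]] = []

    def visit(uid: str) -> None:
        color[uid] = GREY
        stack.append(uid)
        for variant in by_uid[uid].get("variants", []):
            child = variant["uid"]
            if child not in by_uid:
                continue  # reported separately by find_dangling_variants
            if color[child] == GREY:
                cycles.append(stack[stack.index(child):] + [child])
            elif color[child] == WHITE:
                visit(child)
        stack.pop()
        color[uid] = BLACK

    for uid in by_uid:
        if color[uid] == WHITE:
            visit(uid)
    return cycles


def find_empty_queries(bundle: dict) -> List[str]:
    """A query must carry either MQL or variants; otherwise nothing can compile."""
    return [q["uid"] for q in bundle.get("queries", [])
            if not q.get("mql") and not q.get("variants")]


def lint_bundle(bundle: dict) -> List[str]:
    """Human-readable findings; an empty list means the bundle resolves cleanly."""
    findings = []
    for parent, missing in find_dangling_variants(bundle):
        findings.append(f"{parent}: cannot find dependent composed query '{missing}'")
    for cycle in find_variant_cycles(bundle):
        findings.append("variant cycle: " + " -> ".join(cycle))
    for uid in find_empty_queries(bundle):
        findings.append(f"{uid}: has neither 'mql' nor 'variants'")
    return findings


if __name__ == "__main__":
    for finding in lint_bundle(SAMPLE_BUNDLE):
        print(finding)
```

Running the lint against a bundle loaded with `yaml.safe_load` as a CI step would have surfaced the missing `-account` variants before the bundle reached the registry, independent of which provider a scan later targets.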

vjeffrey commented 1 year ago

I thought that was recently fixed :/

czunker commented 1 year ago

I thought that was recently fixed :/

That's still an issue:

cnspec scan aws --incognito 
→ found a new version for 'aws' provider installed=9.0.17 latest=9.0.18
...
error: failed to compile fetched bundle: failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-user-no-inline-policies-check: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-user-no-inline-policies-check-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-group-has-users-check: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-iam-group-has-users-check-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-default-security-group-closed: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-default-security-group-closed-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-flow-logs-enabled: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-vpc-flow-logs-enabled-account'
failed to compile //registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited: cannot find dependent composed query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited-account'