fix: add ReconcileFlaggedCVERule and update global manifest

api/v1/kubescapevalidator_types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -25,28 +27,36 @@ import (
 
 // KubescapeValidatorSpec defines the desired state of KubescapeValidator
 type KubescapeValidatorSpec struct {
-	SeverityLimitRules []SeverityLimitRule `json:"severityLimitRules,omitempty" yaml:"severityLimitRules,omitempty"`
-	// Ignore CVEs
-	IgnoredVulnerabilities []string `json:"ignoredVulnerabilities,omitempty" yaml:"ignoredVulnerabilities,omitempty"`
+	SeverityLimitRule SeverityLimitRule `json:"severityLimitRule,omitempty" yaml:"severityLimitRule,omitempty"`
+	// Global Ignore CVEs
+	IgnoredCVERule []string `json:"ignoredCVERule,omitempty" yaml:"ignoredCVERule,omitempty"`
+	// Rule for Flagged CVEs
+	FlaggedCVERule []FlaggedCVE `json:"flaggedCVERule,omitempty" yaml:"flaggedCVERule,omitempty"`
+}
+
+type FlaggedCVE string
+
+func (r FlaggedCVE) Name() string {
+	return fmt.Sprintf("FLAG-%s", string(r))
 }
 
 // Increase for every rule
 func (s KubescapeValidatorSpec) ResultCount() int {
-	return len(s.SeverityLimitRules)
+	count := 1
+	return count
 }
 
 type SeverityLimitRule struct {
-	RuleName   string `json:"name"`
-	Critical   int    `json:"critical,omitempty"`
-	High       int    `json:"high,omitempty"`
-	Medium     int    `json:"medium,omitempty"`
-	Low        int    `json:"low,omitempty"`
-	Negligible int    `json:"negligible,omitempty"`
-	Unknown    int    `json:"unknown,omitempty"`
+	Critical   *int `json:"critical,omitempty"`
+	High       *int `json:"high,omitempty"`
+	Medium     *int `json:"medium,omitempty"`
+	Low        *int `json:"low,omitempty"`
+	Negligible *int `json:"negligible,omitempty"`
+	Unknown    *int `json:"unknown,omitempty"`
 }
 
 func (r SeverityLimitRule) Name() string {
-	return r.RuleName
+	return "SeverityLimitRule"
 }
 
 // KubescapeValidatorStatus defines the observed state of KubescapeValidator

config/crd/bases/validation.spectrocloud.labs_kubescapevalidators.yaml

@@ -35,31 +35,31 @@ spec:
           spec:
             description: KubescapeValidatorSpec defines the desired state of KubescapeValidator
             properties:
-              ignoredVulnerabilities:
+              flaggedCVERule:
+                description: Rule for Flagged CVEs
                 items:
                   type: string
                 type: array
-              severityLimitRules:
+              ignoredCVERule:
+                description: Global Ignore CVEs
                 items:
-                  properties:
-                    critical:
-                      type: integer
-                    high:
-                      type: integer
-                    low:
-                      type: integer
-                    medium:
-                      type: integer
-                    name:
-                      type: string
-                    negligible:
-                      type: integer
-                    unknown:
-                      type: integer
-                  required:
-                  - name
-                  type: object
+                  type: string
                 type: array
+              severityLimitRule:
+                properties:
+                  critical:
+                    type: integer
+                  high:
+                    type: integer
+                  low:
+                    type: integer
+                  medium:
+                    type: integer
+                  negligible:
+                    type: integer
+                  unknown:
+                    type: integer
+                type: object
             type: object
           status:
             description: KubescapeValidatorStatus defines the observed state of KubescapeValidator

config/samples/validation_v1_kubescapevalidator.yaml

@@ -9,10 +9,14 @@ metadata:
     app.kubernetes.io/created-by: validator-plugin-kubescape
   name: kubescapevalidator-sample
 spec:
-  severityLimitRules:
-    - name: "No Criticals"
-      critical: 0
-    - name: "No Unknowns"
-      unknown: 0
-  ignoredVulnerabilities:
-    - "CVE-2022-21698"
+  severityLimitRule:
+    critical: 0
+    unknown: 0
+
+  # Rule to flag CVEs
+  flaggedCVERule:
+    - "CVE-2022-21698"
+
+  # Global rule to ignore specified CVEs
+  ignoredCVERule:
+    - "CVE-xxxx-xxxx"

internal/controller/kubescapevalidator_controller.go

@@ -114,8 +114,22 @@ func (r *KubescapeValidatorReconciler) Reconcile(ctx context.Context, req ctrl.R
 
 	kubescapeService := validators.NewKubescapeService(r.Log, kubescape)
 
-	for _, rule := range validator.Spec.SeverityLimitRules {
-		vrr, err := kubescapeService.ReconcileSeverityRule(nn, rule, validator.Spec.IgnoredVulnerabilities)
+	manifests, err := kubescapeService.Manifests()
+	if err != nil {
+		return ctrl.Result{RequeueAfter: time.Second * 120}, errors.New("no manifests found")
+	}
+
+	// Reconcile Severity Rule
+	vrr, err := kubescapeService.ReconcileSeverityRule(nn, validator.Spec.SeverityLimitRule, validator.Spec.IgnoredCVERule, manifests)
+	if err != nil {
+		l.Error(err, "failed to reconcile Severity rule")
+	}
+	resp.AddResult(vrr, err)
+
+	// Reconcile Flagged CVE Rule
+	for _, rule := range validator.Spec.FlaggedCVERule {
+		fmt.Println("ahash")
+		vrr, err := kubescapeService.ReconcileFlaggedCVERule(nn, rule, manifests)
 		if err != nil {
 			l.Error(err, "failed to reconcile Severity rule")
 		}
@@ -154,7 +168,7 @@ func buildValidationResult(validator *kubescapevalidatorv1.KubescapeValidator) *
 		},
 		Spec: vapi.ValidationResultSpec{
 			Plugin:          constants.PluginCode,
-			ExpectedResults: validator.Spec.ResultCount(),
+			ExpectedResults: 1,
 		},
 	}
 }