Not implemented: "3.2.3: Ensure packages are automatically scanned for license implications"
MartinPetkov opened this issue · 1 comment
MartinPetkov commented
Description
The check "3.2.3: Ensure packages are automatically scanned for license implications" does not seem to be implemented. At https://github.com/aquasecurity/chain-bench/blob/main/internal/checks/dependencies/validate_packages/rules.rego#L16, it appears to be checking the same thing as 3.2.2, whether there are vulnerability scan tasks.
What did you expect to happen?
It checks for license scan tasks.
What happened instead?
It checks for vuln scan tasks.
# Rule body as quoted from rules.rego: it consults the vulnerability-scan task set,
# the same one used by 3.2.2, so no license-scan task set is ever checked.
are_pipelines_dependencies_scanned_for_licenses {
count({job | job := input.Pipelines[_].jobs[_]; does_job_contain_one_of_tasks(job, constsLib.pipeline_vulnerability_scan_tasks)}) == 0
}
Additional details (base image name, container registry info...):
The remediation does not really explain how to fix this. It would be more helpful if it specifically said which types of pipeline tasks it is looking for, in both the vuln scan and license scan checks.
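To show the effect of the rule reusing the vulnerability-scan task set, here is a small Python model of the quoted rego logic, added as an illustration and not chain-bench's own code; the task names, the separate license task set and the sample pipeline are constructed assumptions.

```python
# Added example: models the quoted rego rule in Python to show why reusing the
# vulnerability-scan task list for 3.2.3 lets a pipeline with no license scan pass.
# All task names and the LICENSE_SCAN_TASKS set are constructed/hypothetical,
# not chain-bench's constants.

VULNERABILITY_SCAN_TASKS = {"trivy", "snyk-test", "grype"}            # constructed
LICENSE_SCAN_TASKS = {"fossa-analyze", "license-checker", "scancode"}  # constructed


def job_contains_one_of_tasks(job, tasks):
    """Mirror of does_job_contain_one_of_tasks: any step name is in the task set."""
    return any(step in tasks for step in job.get("steps", []))


def no_job_uses_tasks(pipelines, tasks):
    """Mirror of the rego body: True when zero jobs across all pipelines use any task."""
    matching = [job for p in pipelines for job in p["jobs"]
                if job_contains_one_of_tasks(job, tasks)]
    return len(matching) == 0


def check_3_2_2_unscanned(pipelines):
    # 3.2.2: True means no vulnerability scan task was found
    return no_job_uses_tasks(pipelines, VULNERABILITY_SCAN_TASKS)


def check_3_2_3_as_quoted(pipelines):
    # 3.2.3 as quoted in the issue: same task set as 3.2.2
    return no_job_uses_tasks(pipelines, VULNERABILITY_SCAN_TASKS)


def check_3_2_3_expected(pipelines):
    # What the issue asks for: consult a license-scan task set instead
    return no_job_uses_tasks(pipelines, LICENSE_SCAN_TASKS)


# Constructed sample: one pipeline that runs a vulnerability scanner but no license scanner.
SAMPLE = [{"jobs": [{"name": "build", "steps": ["checkout", "go-build"]},
                    {"name": "scan", "steps": ["trivy"]}]}]

if __name__ == "__main__":
    print("3.2.2 unscanned:", check_3_2_2_unscanned(SAMPLE))        # False
    print("3.2.3 as quoted:", check_3_2_3_as_quoted(SAMPLE))        # False (passes despite no license scan)
    print("3.2.3 expected:", check_3_2_3_expected(SAMPLE))          # True  (license scan missing)
```

The quoted rule reports nothing for SAMPLE because the trivy job satisfies the vulnerability task set, while a license-specific set correctly flags the missing license scan.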
naortalmor1 commented
Hi @MartinPetkov thanks for mentioning it!
We'll add this check soon :)