aquasecurity/chain-bench

Not implemented: "3.2.3: Ensure packages are automatically scanned for license implications"

MartinPetkov opened this issue · 1 comments

Description

The check "3.2.3: Ensure packages are automatically scanned for license implications" does not seem to be implemented. At https://github.com/aquasecurity/chain-bench/blob/main/internal/checks/dependencies/validate_packages/rules.rego#L16, it appears to be checking the same thing as 3.2.2, whether there are vulnerability scan tasks.

What did you expect to happen?

It checks for license scan tasks.

What happened instead?

It checks for vuln scan tasks.

```rego
are_pipelines_dependencies_scanned_for_licenses {
	count({job | job := input.Pipelines[_].jobs[_]; does_job_contain_one_of_tasks(job, constsLib.pipeline_vulnerability_scan_tasks)}) == 0
}
```

Additional details (base image name, container registry info...):

The remediation does not really explain how to fix this. It would be more helpful if it specifically said which types of pipeline tasks it is looking for, in both the vuln scan and license scan checks.
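To make the mismatch concrete, the following is an added Python model of the rule body quoted above (it is not chain-bench code, and it does not use rego). It evaluates the same "no job contains one of these tasks" predicate against a constructed pipeline, once with a stand-in for `constsLib.pipeline_vulnerability_scan_tasks` and once with a hypothetical license-scan task set that the page does not define; the task names and pipeline are constructed for illustration and may not match the project's real constants.

```python
from typing import Iterable, List, Dict

# Constructed stand-in for constsLib.pipeline_vulnerability_scan_tasks (not the real list).
VULN_SCAN_TASKS = {"aquasecurity/trivy-action", "snyk/actions"}
# Hypothetical set a license check would consult; chain-bench does not define this on the page.
LICENSE_SCAN_TASKS = {"fossa-contrib/fossa-action", "licensee/licensee"}

# Constructed input shaped like the rule's input.Pipelines[_].jobs[_]:
# one build job and one job that runs a license scanner but no vulnerability scanner.
PIPELINES: List[Dict] = [
    {"jobs": [
        {"name": "build", "tasks": ["actions/checkout", "actions/setup-go"]},
        {"name": "license", "tasks": ["actions/checkout", "fossa-contrib/fossa-action"]},
    ]},
]


def does_job_contain_one_of_tasks(job: Dict, tasks: Iterable[str]) -> bool:
    """Mirror of the helper the rego rule calls: true if any task of the job is in `tasks`."""
    wanted = set(tasks)
    return any(task in wanted for task in job.get("tasks", []))


def no_job_uses(pipelines: List[Dict], tasks: Iterable[str]) -> bool:
    """Body of the quoted rule: collect jobs matching `tasks` and test count == 0."""
    matching = {
        job["name"]
        for pipeline in pipelines
        for job in pipeline.get("jobs", [])
        if does_job_contain_one_of_tasks(job, tasks)
    }
    return len(matching) == 0


def license_rule_as_on_page(pipelines: List[Dict]) -> bool:
    """What the page quotes: the license rule consults the vulnerability task set."""
    return no_job_uses(pipelines, VULN_SCAN_TASKS)


def license_rule_with_license_tasks(pipelines: List[Dict]) -> bool:
    """Same body, but consulting the (hypothetical) license-scan task set."""
    return no_job_uses(pipelines, LICENSE_SCAN_TASKS)


if __name__ == "__main__":
    # On the constructed pipeline the quoted rule reports "no license scan" (True)
    # even though a license job exists; the corrected variant reports False.
    print("as on page:", license_rule_as_on_page(PIPELINES))
    print("with license tasks:", license_rule_with_license_tasks(PIPELINES))
```

Run against the constructed pipeline, the quoted rule body cannot tell a license-scan job from its absence, which is the behaviour the issue describes.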

Hi @MartinPetkov thanks for mentioning it!
We'll add this check soon :)