Merge branch 'main' into docker-k8s-tests

lib/cloud/metadata.rego

@@ -10,9 +10,18 @@ import rego.v1
 obj_by_path(obj, path) := res if {
 	occurrences := {obj_path: child_object |
 		walk(obj, [obj_path, child_object])
-		child_object.__defsec_metadata
+		has_metadata(child_object)
 		object.subset(path, obj_path)
 	}
 
 	res := occurrences[max(object.keys(occurrences))]
 } else := obj
+
+has_metadata(obj) if obj.__defsec_metadata
+
+has_metadata(obj) if {
+	obj.fskey
+	has_key(obj, "value")
+}
+
+has_key(x, k) if _ = x[k]

lib/cloud/metadata_test.rego

@@ -31,4 +31,11 @@ test_obj_by_path_skip_without_metadata if {
 	metadata.obj_by_path(obj, ["foo", "baz"]) == obj
 }
 
+test_obj_by_path_happy_iac_type if {
+	bar := {"value": 1, "fskey": "somekey"}
+	obj := with_meta({"foo": with_meta({"bar": bar})})
+
+	metadata.obj_by_path(obj, ["foo", "bar"]) == bar
+}
+
 with_meta(obj) := object.union(obj, {"__defsec_metadata": {}})

scripts/verify-bundle.go

@@ -15,7 +15,7 @@ import (
 
 var bundlePath = "bundle.tar.gz"
 var OrasPush = []string{"--artifact-type", "application/vnd.cncf.openpolicyagent.config.v1+json", fmt.Sprintf("%s:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip", bundlePath)}
-var supportedTrivyVersions = []string{"latest"} // TODO: add more versions
+var supportedTrivyVersions = []string{"latest", "canary"} // TODO: add more versions
 
 func createRegistryContainer(ctx context.Context) (testcontainers.Container, string) {
 	reqReg := testcontainers.ContainerRequest{
@@ -137,7 +137,7 @@ func LoadAndVerifyBundle() {
 		trivyC := createTrivyContainer(ctx, trivyVersion, regIP)
 		fmt.Println(debugLogsForContainer(ctx, trivyC))
 
-		if !assertInLogs(debugLogsForContainer(ctx, trivyC), `Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)`) {
+		if !assertInLogs(debugLogsForContainer(ctx, trivyC), `Tests: 1 (SUCCESSES: 0, FAILURES: 1)`) {
 			panic("asserting Trivy logs for misconfigurations failed, check Trivy log output")
 		}