Compliance ingestion for minimal reports #3302
Conversation
alexpop
force-pushed
the
ap/ingestion-4-min-reports
branch
from
2d6a117 to
efaf0fb
Compare
alexpop
force-pushed
the
ap/ingestion-4-min-reports
branch
from
efaf0fb to
7da261b
Compare
alexpop
force-pushed
the
ap/ingestion-4-min-reports
branch
from
7da261b to
4e79968
Compare
| for tKey, tValue := range control.Tags.Fields { | ||
| if newStringTag := relaxting.StringTagsFromProtoFields(tKey, tValue); newStringTag != nil { | ||
| stringTags = append(stringTags, *newStringTag) | ||
| if control.Tags != nil { |
There was a problem hiding this comment.
Made some small fixes to helper_methods.go after trying to ingest the minimal report without any changes to ingestion. Makes ingestion more resilient to malformed or malicious reports.
| @@ -577,9 +577,31 @@ def reporting | |||
| "waived" => {}, | |||
| "total" => 18 | |||
| } | |||
| }, | |||
There was a problem hiding this comment.
When we introduced tags filtering, we manually updated some reports and added tags to them. But we didn't add the tags across all profiles with the same ID. Because of this, the minimal report that is being ingested now picked up the tags from the compliance-profiles store as they were saved there when the profile was ingested first. Because of this I had to update this test.
| @@ -543,6 +543,9 @@ var ComplianceRepDate = Mapping{ | |||
| "type": "keyword", | |||
| "doc_values": false, | |||
| "ignore_above": 256 | |||
| }, | |||
| "run_time_limit": { | |||
There was a problem hiding this comment.
This is a new field the audit cookbook/inspec is going to provide when minimizing reports and reducing the start_time and run_time for each result.
| @@ -116,18 +121,8 @@ func insertInspecProfile(msg message.Compliance, profile *relaxting.ESInspecProf | |||
| "profile_id": profile.Sha256, | |||
| }).Debug("Ingesting inspec_profile") | |||
| start := time.Now() | |||
| profileExists, err := client.ProfileExists(profile.Sha256) | |||
There was a problem hiding this comment.
We used to check for profile existence for each profile coming in the report. Reports can contain one or multiple profiles. The logic has been changed and we only query once elasticsearch asking for all the profiles in the report at once with the ProfilesMissing method
| @@ -284,18 +284,21 @@ func (backend *ES2Backend) GetReports(from int32, size int32, filters map[string | |||
| reports := make([]*reportingapi.Report, 0) | |||
| if searchResult.TotalHits() > 0 && searchResult.Hits.TotalHits > 0 { | |||
| for _, hit := range searchResult.Hits.Hits { | |||
| item := ESInSpecSummary{} | |||
| item := ESInSpecReport{} | |||
There was a problem hiding this comment.
Spotted this with Rick on peer reviewing and decided to switch to the right Struct for this Unmarshalling to avoid problems in the future.
| @@ -142,6 +142,19 @@ service ProfilesService { | |||
| action: "compliance:profiles:list" | |||
| }; | |||
| }; | |||
|
|
|||
There was a problem hiding this comment.
Added docs for the /metasearch API used by this improvement
| "profiles": [ | ||
| { | ||
| "name": "nginx-baseline", |
There was a problem hiding this comment.
Converted this report into a hybrid one where one of its profiles is stripped of the metadata.
alexpop
changed the title
| } | ||
|
|
||
| func complianceProfile(in <-chan message.Compliance, client *ingestic.ESClient) <-chan message.Compliance { | ||
| //ctx := context.Background() |
There was a problem hiding this comment.
nitpick: seems like we can remove this comment line
There was a problem hiding this comment.
code looks good!
would love to get a link to the audit cookbook branch so i can test all the way thru with kitchen!
silly me! you linked the audit cb here https://github.com/chef-cookbooks/audit/compare/ap/support-metasearch -- ill test it out
|
Thank you for the reviews. Audit cookbook branch to use this is https://github.com/chef-cookbooks/audit/compare/ap/support-metasearch |
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
…tion Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
Signed-off-by: Alex Pop <[email protected]>
alexpop
force-pushed
the
ap/ingestion-4-min-reports
branch
from
4e79968 to
ecee466
Compare
|
Removed |
This change allows compliance reports to be ingested without the profile metadata attached to them, as long as the backend has the profile metadata.
A new report has been added in the tests that will be rejected during ingestion because the profile ID being used is unknown to the backend.
This report has been converted into a hybrid, where one profile has the metadata in it, another is missing it:
Fixes #3087
I did an end-to-end test of this change by using the audit cookbook code in this branch:
https://github.com/chef-cookbooks/audit/compare/ap/support-metasearch
I created an Automate instance from this code. Rebuilt
components/compliance-serviceandcomponents/automate-gateway. Imported from Compliance > Profiles > Available theDevSec Apache Baseline v2.1.0(w/ sha256 ID: 73eba2f2c12a6014cf0880c1e7d990bb783346a92d0d46284aaf785b8206cd39) profile.Ran the audit cookbook with the following profiles:
In the first run, the Audit cookbook Info logs printed:
and sent a report where the metadata of the apache-baseline profile was stripped away as the backend already has it. The report can be seen here: report-with-profiles-2-full-1-stripped.json.txt
I verified in Automate and the report was ingested correctly with the three profiles.
In the second run of the Audit cookbook with the same profiles, the report being sent had all three profiles now being stripped of the metadata information. The report can be seen here: report-with-profiles-3-stripped.json.txt