✨ policy exceptions v2

[imilchev]

We want to support a new way of defining exceptions for checks in policies. The new way is almost identical to compliance framework exceptions.

Example exception old:

policies:
  - uid: sshd-server-policy
    name: SSH Server Policy
    version: 1.0.0
    groups:
      - filters: asset.family.contains("darwin")
        checks:
          - uid: sshd-score-01
          - uid: ignored-query
          - uid: deactivate-query
  - uid : asset-policy
    groups:
      - checks:
          - uid: ignored-query
            action: 4
          - uid: deactivate-query
            action: 2
        policies:
          - uid: sshd-server-policy
queries:
  - uid: sshd-score-01
    title: Ensure SSH MaxAuthTries is set to 4 or less
    mql: true == true
  - uid: ignored-query
    title: Ignored query
    mql: asset.name == "test"
  - uid: deactivate-query
    title: Deactivate query
    mql: asset.name == "test2"

New example:

policies:
  - uid: sshd-server-policy
    name: SSH Server Policy
    version: 1.0.0
    groups:
      - filters: asset.family.contains("darwin")
        checks:
          - uid: sshd-score-01
          - uid: ignored-query
          - uid: deactivate-query
  - uid : asset-policy
    groups:   
      - checks:
          - uid: ignored-query
        type: 4
        policies:
          - uid: sshd-server-policy
      - checks:
          - uid: deactivate-query
        type: 5
        policies:
          - uid: sshd-server-policy
queries:
  - uid: sshd-score-01
    title: Ensure SSH MaxAuthTries is set to 4 or less
    mql: true == true
  - uid: ignored-query
    title: Ignored query
    mql: asset.name == "test"
  - uid: deactivate-query
    title: Deactivate query
    mql: asset.name == "test2"

[imilchev]

I don't understand why we need to change the impact for a job that already exists... I think this shouldn't be the case. If we really want to change it, then we should be calling modifyCheckJob instead of addCheckJob but I am not sure

[arlimus]

Good catch! There is a problem that we never fully explored that you are really exposing here:
What if a check is deactivate, and later re-activate?
ie: it is first added (action=unspecified/activate)
then it is deactivated (action=deactivate)
and then another top-level policy comes and wants to actually set it on AND/OR make a modification. We have assumed - so far - that the action for activate and the action for modify are almost interchangeable. However, now that the impact is getting modified, it can lead to some nasty side-effects. This happens because if we ignore a check, the impact is set to impact.Scoring = explorer.ScoringSystem_IGNORE_SCORE. So any call later on that modifies this overwrites the impact's scoring system.

Let's solve this step by step.
And the first step is where I think you are spot on: let's remove this line and keep it only for explicit modifications.

Next, I think we should (1) remove the really outdated Action field from impact (it should only be used for v7 compatibility, otherwise all actions are bound to the mquery) and (2) review the action field, because it is overloaded right now.

[imilchev]

added #949 and #950 for the follow ups. Also added automated tests for the cases used to validate whether exceptions work as expected

[czunker]

Thanks for all the tests @imilchev

Code is looking good to me. There is only one thing I currently do not understand. I'll try to test this manually.

[czunker]

I caused a panic during testing:

cnspec scan local -f policy/scan/testdata/exceptions.mql.yaml 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ using service account credentials
! Scanning with local bundles will switch into --incognito mode by default. Your results will not be sent upstream.
→ discover related assets for 1 asset(s)
panic: invalid score report

goroutine 94 [running]:
go.mondoo.com/cnspec/v9/policy/executor/internal.(*ReportingJobNodeData).consume(0xc0001a5540, {0xc000014c00, 0xc}, 0xc001467d40)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/executor/internal/nodes.go:442 +0x19a
go.mondoo.com/cnspec/v9/policy/executor/internal.(*GraphExecutor).Execute(0xc001493680)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/executor/internal/graph.go:137 +0x832
go.mondoo.com/cnspec/v9/policy/executor.ExecuteResolvedPolicy({0x17e3e80, 0xc000fde1c0}, {0x17e6de0?, 0xc000eb11a0}, {0xc0004c9700, 0x3a}, 0xc000bcfc40?, {0xc001004408, 0x2, 0x8}, ...)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/executor/graph.go:47 +0x479
go.mondoo.com/cnspec/v9/policy/scan.(*localAssetScanner).runPolicy(0xc001387d48)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:996 +0x509
go.mondoo.com/cnspec/v9/policy/scan.(*localAssetScanner).run(0xc001387d48)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:777 +0x33
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).runMotorizedAsset.func1(0x17e3e80?, 0xc000a3a1c0?)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:628 +0x217
go.mondoo.com/cnspec/v9/internal/datalakes/inmemory.WithDb({0x17e3e80?, 0xc000a3a1c0?}, 0x7fdfc97d7a68?, 0xc000bcfdf8)
	/home/christian/workspace/mondoo/github.com/cnspec/internal/datalakes/inmemory/inmemory.go:52 +0x42
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).runMotorizedAsset(0xc00100e0f0?, 0x15d0478?)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:604 +0x75
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).RunAssetJob(0xc0004c6850, 0xc000fe4c80)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:568 +0x3fb
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).distributeJob.func2()
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:492 +0x105
created by go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).distributeJob in goroutine 1
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:472 +0x1749

I only removed the action field from the ignored-query in above policy.

The panic does not happen with cnspec v9.7.0. So, my guess is this PR introduced/triggered it.

The panic also happens when I only change the action field from 4 to 0.

[czunker]

Thanks for all the tests @imilchev

Code is looking good to me. There is only one thing I currently do not understand. I'll try to test this manually.

I tried policy groups with "IGNORED" and "DISABLED", that changes the score as expected. But, from the code I don't understand why this happens.

[czunker]

I caused a panic during testing:

cnspec scan local -f policy/scan/testdata/exceptions.mql.yaml 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ using service account credentials
! Scanning with local bundles will switch into --incognito mode by default. Your results will not be sent upstream.
→ discover related assets for 1 asset(s)
panic: invalid score report

goroutine 94 [running]:
go.mondoo.com/cnspec/v9/policy/executor/internal.(*ReportingJobNodeData).consume(0xc0001a5540, {0xc000014c00, 0xc}, 0xc001467d40)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/executor/internal/nodes.go:442 +0x19a
go.mondoo.com/cnspec/v9/policy/executor/internal.(*GraphExecutor).Execute(0xc001493680)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/executor/internal/graph.go:137 +0x832
go.mondoo.com/cnspec/v9/policy/executor.ExecuteResolvedPolicy({0x17e3e80, 0xc000fde1c0}, {0x17e6de0?, 0xc000eb11a0}, {0xc0004c9700, 0x3a}, 0xc000bcfc40?, {0xc001004408, 0x2, 0x8}, ...)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/executor/graph.go:47 +0x479
go.mondoo.com/cnspec/v9/policy/scan.(*localAssetScanner).runPolicy(0xc001387d48)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:996 +0x509
go.mondoo.com/cnspec/v9/policy/scan.(*localAssetScanner).run(0xc001387d48)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:777 +0x33
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).runMotorizedAsset.func1(0x17e3e80?, 0xc000a3a1c0?)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:628 +0x217
go.mondoo.com/cnspec/v9/internal/datalakes/inmemory.WithDb({0x17e3e80?, 0xc000a3a1c0?}, 0x7fdfc97d7a68?, 0xc000bcfdf8)
	/home/christian/workspace/mondoo/github.com/cnspec/internal/datalakes/inmemory/inmemory.go:52 +0x42
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).runMotorizedAsset(0xc00100e0f0?, 0x15d0478?)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:604 +0x75
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).RunAssetJob(0xc0004c6850, 0xc000fe4c80)
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:568 +0x3fb
go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).distributeJob.func2()
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:492 +0x105
created by go.mondoo.com/cnspec/v9/policy/scan.(*LocalScanner).distributeJob in goroutine 1
	/home/christian/workspace/mondoo/github.com/cnspec/policy/scan/local_scanner.go:472 +0x1749

I only removed the action field from the ignored-query in above policy.

The panic does not happen with cnspec v9.7.0. So, my guess is this PR introduced/triggered it.

The panic also happens when I only change the action field from 4 to 0.

Tried to reproduce this today, but it is gone.

[czunker]

Thanks @imilchev