Fix spelling of "beggining" throughout.

Signed-off-by: Craig Box <[email protected]>
kubescape · Oct 2, 2023 · 97a042c · 97a042c
1 parent a001a50
commit 97a042c
Show file tree

Hide file tree

Showing 18 changed files with 227 additions and 227 deletions.
diff --git a/rules/CVE-2021-25741/raw.rego b/rules/CVE-2021-25741/raw.rego
@@ -8,8 +8,8 @@ deny[msga] {
     pod := input[_]
     pod.kind == "Pod"
 	container := pod.spec.containers[i]
-	beggining_of_path := "spec."
-    final_path := is_sub_path_container(container, i, beggining_of_path)
+	start_of_path := "spec."
+    final_path := is_sub_path_container(container, i, start_of_path)
 
 	msga := {
 			"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr", [container.name, pod.metadata.name]),
@@ -29,8 +29,8 @@ deny[msga] {
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 	spec_template_spec_patterns[wl.kind]
     container := wl.spec.template.spec.containers[i]
-	beggining_of_path := "spec.template.spec."
-    final_path := is_sub_path_container(container, i, beggining_of_path)
+	start_of_path := "spec.template.spec."
+    final_path := is_sub_path_container(container, i, start_of_path)
 
 	msga := {
 	"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
@@ -50,8 +50,8 @@ deny[msga] {
     wl := input[_]
 	wl.kind == "CronJob"
 	container = wl.spec.jobTemplate.spec.template.spec.containers[i]
-	beggining_of_path := "spec.jobTemplate.spec.template.spec."
-    final_path := is_sub_path_container(container, i, beggining_of_path)
+	start_of_path := "spec.jobTemplate.spec.template.spec."
+    final_path := is_sub_path_container(container, i, start_of_path)
 
 	msga := {
 		"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
@@ -64,8 +64,8 @@ deny[msga] {
 
 
 
-is_sub_path_container(container, i, beggining_of_path) = path {
-	path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[beggining_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j];  volume_mount.subPath]
+is_sub_path_container(container, i, start_of_path) = path {
+	path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[start_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j];  volume_mount.subPath]
 	count(path) > 0
 }
 

diff --git a/rules/CVE-2022-0492/raw.rego b/rules/CVE-2022-0492/raw.rego
@@ -14,11 +14,11 @@ deny[msga] {
     container := pod.spec.containers[i]
 
 	# Path to send
-	beggining_of_path := "spec"
+	start_of_path := "spec"
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
@@ -28,10 +28,10 @@ deny[msga] {
     is_no_Seccomp_Container(container)
 
 	# Check if is running as root
-    alertInfo :=  evaluate_workload_non_root_container(container, pod, beggining_of_path)
+    alertInfo :=  evaluate_workload_non_root_container(container, pod, start_of_path)
 
 	# CAP_DAC_OVERRIDE will fail on second check
-	not isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+	not isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
     # Get paths
 	fixPath := get_fixed_path(alertInfo, i)
@@ -54,14 +54,14 @@ deny[msga] {
     wl := input[_]
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 	spec_template_spec_patterns[wl.kind]
-	beggining_of_path := "spec.template.spec"
+	start_of_path := "spec.template.spec"
 
     pod := wl.spec.template
     container := pod.spec.containers[i]
 
     # If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
@@ -71,10 +71,10 @@ deny[msga] {
     is_no_Seccomp_Container(container)
 
 	# Check if is running as root
-    alertInfo :=  evaluate_workload_non_root_container(container, pod, beggining_of_path)
+    alertInfo :=  evaluate_workload_non_root_container(container, pod, start_of_path)
 
 	# CAP_DAC_OVERRIDE will fail on second check
-	not isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+	not isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
     # Get paths
 	fixPath := get_fixed_path(alertInfo, i)
@@ -96,14 +96,14 @@ deny[msga] {
 deny[msga] {
   	wl := input[_]
 	wl.kind == "CronJob"
-	beggining_of_path := "spec.jobTemplate.spec.template.spec"
+	start_of_path := "spec.jobTemplate.spec.template.spec"
 
 	pod := wl.spec.jobTemplate.spec.template
     container = pod.spec.containers[i]
 
    	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
@@ -113,10 +113,10 @@ deny[msga] {
     is_no_Seccomp_Container(container)
 
 	# Check if is running as root
-    alertInfo :=  evaluate_workload_non_root_container(container, pod, beggining_of_path)
+    alertInfo :=  evaluate_workload_non_root_container(container, pod, start_of_path)
 
 	# CAP_DAC_OVERRIDE will fail on second check
-	not isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+	not isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
     # Get paths
 	fixPath := get_fixed_path(alertInfo, i)
@@ -147,13 +147,13 @@ deny[msga] {
     pod.kind == "Pod"
     container := pod.spec.containers[i]
 
-	beggining_of_path := "spec."
+	start_of_path := "spec."
 
-    result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+    result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
     is_no_SELinux_container(container)
@@ -178,13 +178,13 @@ deny[msga] {
     pod := wl.spec.template
     container := pod.spec.containers[i]
 
-	beggining_of_path := "spec.template.spec."
+	start_of_path := "spec.template.spec."
 
-    result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+    result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
     is_no_SELinux_container(container)
@@ -208,13 +208,13 @@ deny[msga] {
     pod := wl.spec.jobTemplate.spec.template
     container = pod.spec.containers[i]
 
-	beggining_of_path := "spec.jobTemplate.spec.template.spec."
+	start_of_path := "spec.jobTemplate.spec.template.spec."
 
-   	result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+   	result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
     is_no_SELinux_container(container)
@@ -234,15 +234,15 @@ deny[msga] {
 
 
 
-is_cap_sys_admin(container, beggining_of_path) {
+is_cap_sys_admin(container, start_of_path) {
 	capability = container.securityContext.capabilities.add[k]
     capability == "SYS_ADMIN"
 }
 
-isCAP_DAC_OVERRIDE(container, beggining_of_path, i) = path {
+isCAP_DAC_OVERRIDE(container, start_of_path, i) = path {
 	capability = container.securityContext.capabilities.add[k]
     capability == "DAC_OVERRIDE"
-    path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) 
+    path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) 
 }
 
 
@@ -294,16 +294,16 @@ is_no_Seccomp_Container(container) {
 #################################################################################
 # Workload evaluation 
 
-evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo {
-	runAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path)
+evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo {
+	runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
 	runAsNonRootValue.value == false
 
-	runAsUserValue := get_run_as_user_value(container, pod, beggining_of_path)
+	runAsUserValue := get_run_as_user_value(container, pod, start_of_path)
 	runAsUserValue.value == 0
 
 	alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)
 } else = alertInfo {
-    allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path)
+    allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path)
     allowPrivilegeEscalationValue.value == true
 
     alertInfo := allowPrivilegeEscalationValue
@@ -313,48 +313,48 @@ evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertI
 #################################################################################
 
 # Checking for non-root and allowPrivilegeEscalation enabled
-get_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot {
-    failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) 
+get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
+    failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) 
     runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true}
 } else = runAsNonRoot {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) 
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) 
     runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot,  "failed_path" : failed_path, "fixPath": [], "defined" : true}
 } else = {"value" : false,  "failed_path" : "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false} {
 	is_allow_privilege_escalation_field(container, pod)
-} else = {"value" : false,  "failed_path" : "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false}
+} else = {"value" : false,  "failed_path" : "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false}
 
-get_run_as_user_value(container, pod, beggining_of_path) = runAsUser {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) 
+get_run_as_user_value(container, pod, start_of_path) = runAsUser {
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) 
     runAsUser := {"value" : container.securityContext.runAsUser,  "failed_path" : failed_path,  "fixPath": [], "defined" : true}
 } else = runAsUser {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) 
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) 
     runAsUser := {"value" : pod.spec.securityContext.runAsUser,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = {"value" : 0, "failed_path": "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}],"defined" : false}{
+} else = {"value" : 0, "failed_path": "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{
 	is_allow_privilege_escalation_field(container, pod)
 } else = {"value" : 0, "failed_path": "", 
-	"fixPath": [{"path":  sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [beggining_of_path]), "value":"true"},{"path":  sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}],
+	"fixPath": [{"path":  sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [start_of_path]), "value":"true"},{"path":  sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}],
 	"defined" : false}
 
-get_run_as_group_value(container, pod, beggining_of_path) = runAsGroup {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path])
+get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
     runAsGroup := {"value" : container.securityContext.runAsGroup,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
 } else = runAsGroup {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path])
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
     runAsGroup := {"value" : pod.spec.securityContext.runAsGroup,  "failed_path" : failed_path, "fixPath":[], "defined" : true}
 } else = {"value" : 0, "failed_path": "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false}{
 	is_allow_privilege_escalation_field(container, pod)
 } else = {"value" : 0, "failed_path": "", 
-	"fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}],
+	"fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}],
  	"defined" : false
 }
 
-get_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path])
+get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation {
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path])
     allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
 } else = allowPrivilegeEscalation {
-	failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path])
+	failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path])
     allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false}
+} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false}
 
 choose_first_if_defined(l1, l2) = c {
     l1.defined

diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego
@@ -84,21 +84,21 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{
 	path := no_K8s_label_or_no_K8s_label_usage(wl, "")
 }
 
-no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{
+no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 	not wl.metadata.labels
-	path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}]
+	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
 }
 
-no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{
+no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 	metadata := wl.metadata
 	not metadata.labels
-	path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}]
+	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
 }
 
-no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{
+no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{
 	labels := wl.metadata.labels
 	not all_kubernetes_labels(labels)
-	path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}]
+	path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}]
 }
 
 all_kubernetes_labels(labels){

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
@@ -6,8 +6,8 @@ deny[msga] {
     pod.kind == "Pod"
     volumes := pod.spec.volumes
     volume := volumes[i]
-	beggining_of_path := "spec."
-	result  := is_dangerous_volume(volume, beggining_of_path, i)
+	start_of_path := "spec."
+	result  := is_dangerous_volume(volume, start_of_path, i)
     podname := pod.metadata.name
 
 
@@ -31,8 +31,8 @@ deny[msga] {
 	spec_template_spec_patterns[wl.kind]
     volumes := wl.spec.template.spec.volumes
     volume := volumes[i]
-	beggining_of_path := "spec.template.spec."
-    result  := is_dangerous_volume(volume, beggining_of_path, i)
+	start_of_path := "spec.template.spec."
+    result  := is_dangerous_volume(volume, start_of_path, i)
 
 
 	msga := {
@@ -54,8 +54,8 @@ deny[msga] {
 	wl.kind == "CronJob"
     volumes := wl.spec.jobTemplate.spec.template.spec.volumes
     volume := volumes[i]
-	beggining_of_path := "spec.jobTemplate.spec.template.spec."
-    result  := is_dangerous_volume(volume, beggining_of_path, i)
+	start_of_path := "spec.jobTemplate.spec.template.spec."
+    result  := is_dangerous_volume(volume, start_of_path, i)
 	msga := {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
@@ -69,7 +69,7 @@ deny[msga] {
 	}
 }
 
-is_dangerous_volume(volume, beggining_of_path, i) = path {
+is_dangerous_volume(volume, start_of_path, i) = path {
     volume.hostPath.path
-    path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)])
+    path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)])
 }