use a different rule for each deprecated component

krakend · May 30, 2024 · 846bf4b · 846bf4b
1 parent ae961b0
commit 846bf4b
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 24 deletions.
diff --git a/audit.go b/audit.go
@@ -98,7 +98,7 @@ var ruleSet = []Rule{
 	NewRule("2.2.2", SeverityHigh, "Enable CORS.", hasNoCORS),
 	NewRule("2.2.3", SeverityHigh, "Avoid passing all input headers to the backend.", hasHeadersWildcard),
 	NewRule("2.2.4", SeverityHigh, "Avoid passing all input query strings to the backend.", hasQueryStringWildcard),
-	NewRule("2.2.5", SeverityMedium, "Avoid exposing gRPC server without services declared.", hasEmptyGRPCServer),
+	NewRule("2.2.5", SeverityLow, "Avoid exposing gRPC server without services declared.", hasEmptyGRPCServer),
 
 	/*
 	   Section 3: Traffic management / rate limits
@@ -115,12 +115,10 @@ var ruleSet = []Rule{
 	   Section 4 : Telemetry
 	*/
 	NewRule("4.1.1", SeverityMedium, "Implement a telemetry system for collecting metrics for monitoring and troubleshooting.", hasNoMetrics),
-	// why is there a 4.1.2 missing ?
+	NewRule("4.1.2", SeverityMedium, "Give your configuration a name for easy identification in metric tracking.", hasTelemetryMissingName),
 	NewRule("4.1.3", SeverityHigh, "Avoid duplicating telemetry options to prevent system overload.", hasSeveralTelemetryComponents),
-	NewRule("4.1.4", SeverityMedium, "Use OpenTelemetry instead of deprecated telemetry options (instana, ganalytics, newrelic, opencensus).", hasDeprecatedTelemetry),
 	NewRule("4.2.1", SeverityMedium, "Implement a telemetry system for tracing for monitoring and troubleshooting.", hasNoTracing),
 	NewRule("4.3.1", SeverityMedium, "Use the improved logging component for better log parsing.", hasNoLogging),
-
 	/*
 	   Section 5: Endpoint level audit
 	*/
@@ -141,7 +139,13 @@ var ruleSet = []Rule{
 	NewRule("6.1.1", SeverityLow, "Ensure Async Agents do not start sequentially to avoid overloading the system (+10 agents).", hasSequentialStart),
 
 	/*
-	   Section 7: Plugin recommendations
+	   Section 7: Deprecations
 	*/
-	NewRule("7.1.1", SeverityMedium, "Do not use deprecated plugins (virtualhost, static-filesystem).", hasDeprecatedPlugins),
+	// 7.1 Plugin Deprecations:
+	NewRule("7.1.1", SeverityHigh, "Do not use deprecated plugin virtualhost.", hasDeprecatedPluginVirtualHost),
+	NewRule("7.1.2", SeverityHigh, "Do not use deprecated plugin static-filesystem.", hasDeprecatedPluginStaticFileSystem),
+	// 7.2 Component Deprecations
+	NewRule("7.2.1", SeverityHigh, "Do not use deprecated component telemetry/ganalytics.", hasDeprecatedGanalytics),
+	NewRule("7.2.2", SeverityHigh, "Do not use deprecated component telemetry/instana.", hasDeprecatedInstana),
+	NewRule("7.2.3", SeverityHigh, "Do not use deprecated component telemetry/instana.", hasDeprecatedOpenCensus),
 }
diff --git a/rules.go b/rules.go
@@ -42,20 +42,34 @@ func hasBasicAuth(s *Service) bool {
 	return false
 }
 
-func hasDeprecatedPlugins(s *Service) bool {
+func hasTelemetryMissingName(s *Service) bool {
+	// TODO: implement this check
+	return false
+}
+
+func hasDeprecatedPluginVirtualHost(s *Service) bool {
 	serverPlugins, ok := s.Components[server.Namespace]
 	if !ok {
 		return false
 	}
 	if len(serverPlugins) < 1 {
 		return false
 	}
-
-	bitset := serverPlugins[0]
-	if hasBit(bitset, parseServerPlugin("virtualhost")) {
+	if hasBit(serverPlugins[0], parseServerPlugin("virtualhost")) {
 		return true
 	}
-	if hasBit(bitset, parseServerPlugin("static-filesystem")) {
+	return false
+}
+
+func hasDeprecatedPluginStaticFileSystem(s *Service) bool {
+	serverPlugins, ok := s.Components[server.Namespace]
+	if !ok {
+		return false
+	}
+	if len(serverPlugins) < 1 {
+		return false
+	}
+	if hasBit(serverPlugins[0], parseServerPlugin("static-filesystem")) {
 		return true
 	}
 	return false
@@ -310,19 +324,19 @@ func hasNoTracing(s *Service) bool {
 	return !ok1 && !ok2 && !ok3 && !okOTEL
 }
 
-func hasDeprecatedTelemetry(s *Service) bool {
-	for _, k := range []string{
-		opencensus.Namespace,
-		// metrics.Namespace,  // TODO: should we tag this as deprecated ?
-		"telemetry/newrelic",
-		"telemetry/ganalytics",
-		"telemetry/instana",
-	} {
-		if _, ok := s.Components[k]; ok {
-			return true
-		}
-	}
-	return false
+func hasDeprecatedInstana(s *Service) bool {
+	_, ok := s.Components["telemetry/instana"]
+	return ok
+}
+
+func hasDeprecatedGanalytics(s *Service) bool {
+	_, ok := s.Components["telemetry/ganalytics"]
+	return ok
+}
+
+func hasDeprecatedOpenCensus(s *Service) bool {
+	_, ok := s.Components[opencensus.Namespace]
+	return ok
 }
 
 func hasNoLogging(s *Service) bool {