package features
//lint:file-ignore U1000 we want to introduce this feature flag unused.
// General-purpose feature flags. Each entry calls registerFeature with a
// human-readable description, a ROX_* setting name and optional modifiers
// (`enabled`, `unchangeableInProd`).
// NOTE(review): registerFeature and both modifiers are defined outside this
// listing. Presumably the ROX_* name is the environment variable that toggles
// the flag, `enabled` makes it on by default, and a flag registered without
// `enabled` defaults to off — confirm against their definitions before relying
// on a default when assessing a deployment's exposure.
var (
// SourcedAutogeneratedIntegrations enables adding a "source" to autogenerated integrations.
// Registered with unchangeableInProd and without `enabled`.
// NOTE(review): presumably this means the flag cannot be overridden in release builds — confirm.
SourcedAutogeneratedIntegrations = registerFeature("Enable autogenerated integrations with cluster/namespace/secret source", "ROX_SOURCED_AUTOGENERATED_INTEGRATIONS", unchangeableInProd)
// StoreEventHashes stores the hashes of successfully processed objects we receive from Sensor into the database.
// Registered with both `enabled` and unchangeableInProd.
StoreEventHashes = registerFeature("Store Event Hashes", "ROX_STORE_EVENT_HASHES", enabled, unchangeableInProd)
// ComplianceEnhancements enables APIs and UI pages for Compliance 2.0.
ComplianceEnhancements = registerFeature("Compliance enhancements", "ROX_COMPLIANCE_ENHANCEMENTS", enabled)
// ClusterAwareDeploymentCheck enables roxctl deployment check to check deployments on the cluster level.
ClusterAwareDeploymentCheck = registerFeature("Enables cluster level check for the 'roxctl deployment check' command.", "ROX_CLUSTER_AWARE_DEPLOYMENT_CHECK", enabled)
// PolicyCriteriaModal enables a modal for selecting policy criteria when editing a policy.
PolicyCriteriaModal = registerFeature("Enable modal to select policy criteria when editing a policy", "ROX_POLICY_CRITERIA_MODAL")
// SensorDeploymentBuildOptimization enables a performance improvement by skipping deployments processing when no dependency or spec changed.
SensorDeploymentBuildOptimization = registerFeature("Enables a performance improvement by skipping deployments processing when no dependency or spec changed", "ROX_DEPLOYMENT_BUILD_OPTIMIZATION", enabled)
// VulnMgmtLegacySnooze enables APIs and UI for the legacy VM 1.0 "snooze CVE" functionality in the new VM 2.0 sections. This applies to cluster and node CVEs ONLY.
VulnMgmtLegacySnooze = registerFeature("Enables the ability to snooze Node and Platform CVEs in VM 2.0", "ROX_VULN_MGMT_LEGACY_SNOOZE")
// NodeIndexEnabled defines whether Compliance will actually run indexing code.
// NOTE(review): the registered description instead says Central prefers NodeIndex
// (Node scanning V4) messages over NodeInventory (Node scanning V2); confirm which
// components read this flag and align the two texts.
NodeIndexEnabled = registerFeature("Instructs Central to prefer NodeIndex (Node scanning V4) messages over NodeInventory (Node scanning V2)", "ROX_NODE_INDEX_ENABLED", enabled)
// ComplianceReporting enables support for compliance reporting.
ComplianceReporting = registerFeature("Enable support for V2 compliance reporting", "ROX_COMPLIANCE_REPORTING", enabled)
// UnqualifiedSearchRegistries enables support for unqualified search registries and short name aliases.
UnqualifiedSearchRegistries = registerFeature("Enable support for unqualified search registries and short name aliases", "ROX_UNQUALIFIED_SEARCH_REGISTRIES")
// ComplianceRemediationV2 enables the remediation feature of the compliance v2 integration.
ComplianceRemediationV2 = registerFeature("Enable Compliance Remediation feature", "ROX_COMPLIANCE_REMEDIATION", enabled)
// SensorAggregateDeploymentReferenceOptimization enables a performance improvement by aggregating deployment references when the same reference is queued for processing.
SensorAggregateDeploymentReferenceOptimization = registerFeature("Enables a performance improvement by aggregating deployment references when the same reference is queued for processing", "ROX_AGGREGATE_DEPLOYMENT_REFERENCE_OPTIMIZATION")
// AttemptManifestDigest enables attempting to pull manifest digests from registries that historically did not
// support it but now appear to (ie: Nexus and RHEL).
AttemptManifestDigest = registerFeature("Enables attempts to pull manifest digests for all registry integrations", "ROX_ATTEMPT_MANIFEST_DIGEST", enabled)
// DelegateWatchedImageReprocessing, when enabled, allows reprocessing of watched images to be delegated to
// secured clusters based on the delegated scanning config.
DelegateWatchedImageReprocessing = registerFeature("Enables delegating scans for watched images during reprocessing", "ROX_DELEGATE_WATCHED_IMAGE_REPROCESSING", enabled)
// SensorSingleScanPerImage, when enabled, forces Sensor to allow only a single scan per image to be active at any given
// time. Will only have an effect if UnqualifiedSearchRegistries is also enabled; that flag is registered above
// without `enabled`, while this one is registered with it.
// TODO(ROX-24641): Remove dependency on the UnqualifiedSearchRegistries feature so that this is enabled by default.
SensorSingleScanPerImage = registerFeature("Sensor will only allow a single active scan per image", "ROX_SENSOR_SINGLE_SCAN", enabled)
// ScanScheduleReportJobs enables support for compliance scan schedule report jobs.
ScanScheduleReportJobs = registerFeature("Enables support for compliance scan schedule report jobs", "ROX_SCAN_SCHEDULE_REPORT_JOBS", enabled)
// PlatformComponents introduces the concept of platform collections and filtered views across the app.
PlatformComponents = registerFeature("Introduce the concept of platform collections and filtered views across the app", "ROX_PLATFORM_COMPONENTS", enabled)
// ClustersPageMigrationUI displays the PatternFly redesign of the clusters page.
ClustersPageMigrationUI = registerFeature("Display clusters page patternfly redesign", "ROX_CLUSTERS_PAGE_MIGRATION_UI", enabled)
// ClusterRegistrationSecrets enables support for Cluster Registration Secrets (CRS), the next-gen init-bundles.
ClusterRegistrationSecrets = registerFeature("Enable support for Cluster Registration Secrets (CRS)", "ROX_CLUSTER_REGISTRATION_SECRETS", enabled)
// SensorPullSecretsByName, when enabled, causes Sensor to capture pull secrets by secret name and registry host
// instead of just registry host.
SensorPullSecretsByName = registerFeature("Sensor will capture pull secrets by name and registry host instead of just registry host", "ROX_SENSOR_PULL_SECRETS_BY_NAME", enabled)
// OptimizedBaselineMemory enables optimized memory usage for baseline detector through process set deduplication.
OptimizedBaselineMemory = registerFeature("Enable optimized memory usage for baseline detector through process set deduplication", "ROX_OPTIMIZED_BASELINE_MEMORY")
// ExternalIPs enables storing detailed discovered external IPs.
ExternalIPs = registerFeature("Central will work with discovered external IPs", "ROX_EXTERNAL_IPS", enabled)
// NetworkGraphExternalIPs enables displaying external IPs in the network graph.
NetworkGraphExternalIPs = registerFeature("Display external ips in the UI", "ROX_NETWORK_GRAPH_EXTERNAL_IPS", enabled)
// NetworkGraphAggregateExternalIPs enables aggressive aggregation of external flows in the network graph.
// Will aggregate to one edge per unique port/protocol/direction instead of one edge per unique IP/port/protocol/direction.
NetworkGraphAggregateExternalIPs = registerFeature("Aggregate all external IP graph edges, showing only unique port/protocol pairs", "ROX_NETWORK_GRAPH_AGGREGATE_EXT_IPS")
// NetworkFlowBatching enables batching of network flow updates to smooth out data spikes.
NetworkFlowBatching = registerFeature("Enable batching of network flow updates to smooth out data spikes", "ROX_NETFLOW_BATCHING")
// NetworkFlowCacheLimiting enables limiting the network flow cache size to prevent memory issues.
NetworkFlowCacheLimiting = registerFeature("Enable limiting network flow cache size to prevent memory issues", "ROX_NETFLOW_CACHE_LIMITING")
// FlattenImageData uses a flattened Image Data Model for improved accuracy and performance.
FlattenImageData = registerFeature("Uses a flattened Image Data Model for improved accuracy and performance", "ROX_FLATTEN_IMAGE_DATA")
// VulnerabilityViewBasedReports adds the ability to generate view-based vulnerability reports.
VulnerabilityViewBasedReports = registerFeature("Adds the ability to generate view-based vulnerability reports", "ROX_VULNERABILITY_VIEW_BASED_REPORTS", enabled)
// CustomizablePlatformComponents adds the ability to customize the regex rules for identifying platform components.
// NOTE(review): the rules are presumably operator-supplied regular expressions; confirm where they are
// compiled that invalid or overly expensive patterns are rejected.
CustomizablePlatformComponents = registerFeature("Adds the ability to customize the regex rules for identifying platform components", "ROX_CUSTOMIZABLE_PLATFORM_COMPONENTS", enabled)
// AdmissionControllerConfig provides only necessary configuration options for admission controller.
AdmissionControllerConfig = registerFeature("Provides only necessary configuration options for admission controller", "ROX_ADMISSION_CONTROLLER_CONFIG", enabled)
// AutoLockProcessBaselines locks process baselines when their deployments leave the observation period.
AutoLockProcessBaselines = registerFeature("Locks process baselines when their deployments leave the observation period", "ROX_AUTO_LOCK_PROCESS_BASELINES", enabled)
// KnownExploitedVulnerabilities enables support for CISA Known Exploited Vulnerabilities (KEV) data.
// Registered without `enabled`.
//
// This must be enabled in Central and Scanner V4 Matcher to have any effect.
KnownExploitedVulnerabilities = registerFeature("Display CISA Known Exploited Vulnerabilities (KEV) data", "ROX_CISA_KEV")
// SensitiveFileActivity enables monitoring of sensitive files.
SensitiveFileActivity = registerFeature("Enable sensitive file monitoring", "ROX_SENSITIVE_FILE_ACTIVITY", enabled)
// CVEFixTimestampCriteria enables the new CVE Fix timestamp criteria.
CVEFixTimestampCriteria = registerFeature("Enable grace period criteria based on CVE fix timestamp", "ROX_CVE_FIX_TIMESTAMP", enabled)
// BaseImageDetection enables base image detection and management functionality.
BaseImageDetection = registerFeature("Enable base image detection and management functionality", "ROX_BASE_IMAGE_DETECTION", enabled)
// DelegatedBaseImageScanning enables delegation of base image repository scanning to secured clusters.
DelegatedBaseImageScanning = registerFeature("Enable delegated base image scanning to secured clusters", "ROX_DELEGATED_BASE_IMAGE_SCANNING")
// OCPConsoleIntegration enables the /proxy/central API in Sensor that forwards requests to Central.
// Registered with `enabled`.
// NOTE(review): because this endpoint relays requests to Central, confirm in the proxy handler (not
// shown in this file) how callers are authenticated and authorized before a request is forwarded.
OCPConsoleIntegration = registerFeature("Enable features related to support the integration of ACS into the OpenShift console", "ROX_OCP_CONSOLE_INTEGRATION", enabled)
// SensorInternalPubSub enables the internal pubsub system in sensor.
SensorInternalPubSub = registerFeature("Enables the internal PubSub system in Sensor", "ROX_SENSOR_PUBSUB", enabled)
// LabelBasedPolicyScoping enables policy scoping based on cluster and namespace labels.
LabelBasedPolicyScoping = registerFeature("Enable cluster and namespace label-based policy scoping", "ROX_LABEL_BASED_POLICY_SCOPING")
)
// The following feature flags are related to Scanner V4.
var (
// ScannerV4 indicates Scanner V4 is installed and should be used as the default image scanner in Central/Sensor.
// Registered without `enabled`.
ScannerV4 = registerFeature("Enables Scanner V4 runtime functionality", "ROX_SCANNER_V4")
// ScannerV4ReIndex enables Scanner V4 manifest re-indexing. Per the registered description this also
// deletes unused manifests.
//
// This must be set in Scanner V4 Indexer to have any effect.
ScannerV4ReIndex = registerFeature("Scanner V4 will re-index and delete unused manifests", "ROX_SCANNER_V4_REINDEX", enabled)
// ScannerV4PartialNodeJSSupport specifies if Scanner v4 should support partial indexing/vuln matching Node.js (npm) packages.
// Partial support is equivalent to StackRox Scanner (Scanner v2) support: only return packages which are affected
// by at least one vulnerability.
//
// This must be set in Scanner V4 Matcher to have any effect.
ScannerV4PartialNodeJSSupport = registerFeature("Scanner V4 will only return Node.js packages which are affected by at least one vulnerability", "ROX_SCANNER_V4_PARTIAL_NODE_JS_SUPPORT")
// ScannerV4RedHatCVEs enables displaying CVEs instead of RHSAs/RHEAs/RHBAs for fixed vulnerabilities affecting Red Hat products.
// TODO(ROX-26672): Remove this once we can show both CVEs and RHSAs in the UI + reports.
//
// This must be set in Scanner V4 Matcher to have any effect.
ScannerV4RedHatCVEs = registerFeature("Scanner V4 will output CVEs instead of RHSAs/RHBAs/RHEAs for fixed Red Hat vulnerabilities", "ROX_SCANNER_V4_RED_HAT_CVES", enabled)
// ScannerV4RedHatCSAF enables CSAF enrichment for Red Hat advisories.
//
// This must be set in Scanner V4 Matcher to have any effect.
ScannerV4RedHatCSAF = registerFeature("Scanner V4 will enrich its results with Red Hat CSAF data", "ROX_SCANNER_V4_RED_HAT_CSAF", enabled)
// ScannerV4RedHatLayers enables displaying vulnerabilities from Red Hat sources, only, for packages found in official Red Hat image layers.
// NOTE(review): unlike the neighbouring Scanner V4 flags, no component is named in which this must be set — confirm.
ScannerV4RedHatLayers = registerFeature("Scanner V4 will output vulnerabilities from Red Hat sources, only, for packages found in official Red Hat image layers", "ROX_SCANNER_V4_RED_HAT_LAYERS_RED_HAT_VULNS_ONLY")
// ScannerV4MavenSearch enables reaching out to a Maven Search-compatible URL for improved indexing of JARs. The
// URL can be adjusted via the ROX_SCANNER_V4_MAVEN_SEARCH_URL environment variable.
// Registered without `enabled`.
// NOTE(review): turning this on implies outbound requests from the Indexer to that URL; confirm what
// package data is sent and that egress policy for the Indexer permits only the intended endpoint.
//
// This must be set in Scanner V4 Indexer to have any effect.
ScannerV4MavenSearch = registerFeature("Enables Scanner V4 to reach out to ROX_SCANNER_V4_MAVEN_SEARCH_URL for additional information about Java packages", "ROX_SCANNER_V4_MAVEN_SEARCH")
// VirtualMachines enables virtual machine management. Registered without `enabled`.
// NOTE(review): declared inside the Scanner V4 group although neither its name nor its description
// mentions Scanner V4 — confirm the placement is intended.
VirtualMachines = registerFeature("Enables virtual machine management", "ROX_VIRTUAL_MACHINES")
// ScannerV4StoreExternalIndexReports enables storing index reports from delegated scans to Central's Scanner V4 Indexer.
// NOTE(review): these reports originate from delegated scans in secured clusters; confirm how Central's
// Indexer validates them before storing.
ScannerV4StoreExternalIndexReports = registerFeature("Enables storing index reports from delegated scans to Central's Scanner V4 Indexer", "ROX_SCANNER_V4_STORE_EXTERNAL_INDEX_REPORTS", enabled)
)