perf(misconf): retrieve check metadata from annotations once (#8478)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/rego/embed.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io/fs"
+	"maps"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -13,7 +14,6 @@ import (
 	checks "github.com/aquasecurity/trivy-checks"
 	"github.com/aquasecurity/trivy/pkg/iac/rules"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/set"
 )
 
 var LoadAndRegister = sync.OnceFunc(func() {
@@ -26,9 +26,7 @@ var LoadAndRegister = sync.OnceFunc(func() {
 	if err != nil {
 		panic(err)
 	}
-	for name, policy := range loadedLibs {
-		modules[name] = policy
-	}
+	maps.Copy(modules, loadedLibs)
 
 	RegisterRegoRules(modules)
 })
@@ -50,7 +48,6 @@ func RegisterRegoRules(modules map[string]*ast.Module) {
 	}
 
 	retriever := NewMetadataRetriever(compiler)
-	regoCheckIDs := set.New[string]()
 
 	for _, module := range modules {
 		metadata, err := retriever.RetrieveMetadata(ctx, module)
@@ -66,10 +63,6 @@ func RegisterRegoRules(modules map[string]*ast.Module) {
 			continue
 		}
 
-		if !metadata.Deprecated {
-			regoCheckIDs.Append(metadata.AVDID)
-		}
-
 		rules.Register(metadata.ToRule())
 	}
 }
@@ -93,7 +86,7 @@ func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module
 				return nil
 			}
 
-			if strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), filepath.Join("advanced", "optional")) {
+			if isOptionalChecks(path) {
 				return fs.SkipDir
 			}
 
@@ -116,3 +109,7 @@ func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module
 	}
 	return modules, nil
 }
+
+func isOptionalChecks(path string) bool {
+	return strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), filepath.Join("advanced", "optional"))
+}

pkg/iac/rego/embed_test.go

@@ -1,19 +1,21 @@
-package rego
+package rego_test
 
 import (
 	"testing"
+	"testing/fstest"
 
 	"github.com/open-policy-agent/opa/v1/ast"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	checks "github.com/aquasecurity/trivy-checks"
+	"github.com/aquasecurity/trivy/pkg/iac/rego"
 	"github.com/aquasecurity/trivy/pkg/iac/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 )
 
 func Test_EmbeddedLoading(t *testing.T) {
-	LoadAndRegister()
+	rego.LoadAndRegister()
 
 	frameworkRules := rules.GetRegistered()
 	var found bool
@@ -87,19 +89,19 @@ deny[res]{
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			policies, err := LoadPoliciesFromDirs(checks.EmbeddedLibraryFileSystem, ".")
+			policies, err := rego.LoadPoliciesFromDirs(checks.EmbeddedLibraryFileSystem, ".")
 			require.NoError(t, err)
-			newRule, err := ParseRegoModule("/rules/newrule.rego", tc.inputPolicy)
+			newRule, err := rego.ParseRegoModule("/rules/newrule.rego", tc.inputPolicy)
 			require.NoError(t, err)
 
 			policies["/rules/newrule.rego"] = newRule
 			switch {
 			case tc.expectedError:
 				assert.Panics(t, func() {
-					RegisterRegoRules(policies)
+					rego.RegisterRegoRules(policies)
 				}, tc.name)
 			default:
-				RegisterRegoRules(policies)
+				rego.RegisterRegoRules(policies)
 			}
 		})
 	}
@@ -185,12 +187,12 @@ deny[res]{
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			policies := make(map[string]*ast.Module)
-			newRule, err := ParseRegoModule("/rules/newrule.rego", tc.inputPolicy)
+			newRule, err := rego.ParseRegoModule("/rules/newrule.rego", tc.inputPolicy)
 			require.NoError(t, err)
 
 			policies["/rules/newrule.rego"] = newRule
 			assert.NotPanics(t, func() {
-				RegisterRegoRules(policies)
+				rego.RegisterRegoRules(policies)
 			})
 
 			for _, rule := range rules.GetRegistered() {
@@ -201,3 +203,17 @@ deny[res]{
 		})
 	}
 }
+
+func TestLoadPoliciesFromDirs(t *testing.T) {
+	fsys := fstest.MapFS{
+		"check.rego":       &fstest.MapFile{Data: []byte(`package user.foo`)},
+		".check.rego":      &fstest.MapFile{Data: []byte(`package user.foo`)},
+		"check_test.rego":  &fstest.MapFile{Data: []byte(`package user.foo_test`)},
+		"test.yaml":        &fstest.MapFile{Data: []byte(`foo: bar`)},
+		"checks/test.rego": &fstest.MapFile{Data: []byte(`package user.checks.foo`)},
+	}
+
+	modules, err := rego.LoadPoliciesFromDirs(fsys, ".")
+	require.NoError(t, err)
+	assert.Len(t, modules, 2)
+}

pkg/iac/rego/load.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"maps"
+	"slices"
 	"strings"
 
 	"github.com/open-policy-agent/opa/v1/ast"
@@ -13,6 +15,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/set"
+	"github.com/aquasecurity/trivy/pkg/version/doc"
 )
 
 var builtinNamespaces = set.New("builtin", "defsec", "appshield")
@@ -27,6 +30,10 @@ func IsBuiltinNamespace(namespace string) bool {
 	})
 }
 
+func getModuleNamespace(module *ast.Module) string {
+	return strings.TrimPrefix(module.Package.Path.String(), "data.")
+}
+
 func IsRegoFile(name string) bool {
 	return strings.HasSuffix(name, bundle.RegoExt) && !strings.HasSuffix(name, "_test"+bundle.RegoExt)
 }
@@ -99,9 +106,7 @@ func (s *Scanner) LoadPolicies(srcFS fs.FS) error {
 		if err != nil {
 			return fmt.Errorf("failed to load rego checks from %s: %w", s.policyDirs, err)
 		}
-		for name, policy := range loaded {
-			s.policies[name] = policy
-		}
+		maps.Copy(s.policies, loaded)
 		s.logger.Debug("Checks from disk are loaded", log.Int("count", len(loaded)))
 	}
 
@@ -110,9 +115,7 @@ func (s *Scanner) LoadPolicies(srcFS fs.FS) error {
 		if err != nil {
 			return fmt.Errorf("failed to load rego checks from reader(s): %w", err)
 		}
-		for name, policy := range loaded {
-			s.policies[name] = policy
-		}
+		maps.Copy(s.policies, loaded)
 		s.logger.Debug("Checks from readers are loaded", log.Int("count", len(loaded)))
 	}
 
@@ -193,13 +196,13 @@ func (s *Scanner) findMatchedEmbeddedCheck(badPolicy *ast.Module) *ast.Module {
 		}
 	}
 
-	badPolicyMeta, err := metadataFromRegoModule(badPolicy)
+	badPolicyMeta, err := MetadataFromAnnotations(badPolicy)
 	if err != nil {
 		return nil
 	}
 
 	for _, embeddedCheck := range s.embeddedChecks {
-		meta, err := metadataFromRegoModule(embeddedCheck)
+		meta, err := MetadataFromAnnotations(embeddedCheck)
 		if err != nil {
 			continue
 		}
@@ -230,6 +233,9 @@ func (s *Scanner) prunePoliciesWithError(compiler *ast.Compiler) error {
 }
 
 func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error {
+	for path, module := range s.policies {
+		s.handleModulesMetadata(path, module)
+	}
 
 	schemaSet, err := BuildSchemaSetFromPolicies(s.policies, paths, srcFS, s.customSchemas)
 	if err != nil {
@@ -249,54 +255,106 @@ func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error {
 		}
 		return s.compilePolicies(srcFS, paths)
 	}
-	retriever := NewMetadataRetriever(compiler)
 
-	if err := s.filterModules(retriever); err != nil {
-		return err
+	s.retriever = NewMetadataRetriever(compiler)
+
+	if err := s.filterModules(); err != nil {
+		return fmt.Errorf("filter modules: %w", err)
 	}
 	s.compiler = compiler
-	s.retriever = retriever
 	return nil
 }
 
-func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
+func (s *Scanner) handleModulesMetadata(path string, module *ast.Module) {
+	if moduleHasLegacyInputFormat(module) {
+		s.logger.Warn(
+			"Module has legacy input format - please update to use annotations",
+			log.FilePath(module.Package.Location.File),
+			log.String("details", doc.URL("/docs/scanner/misconfiguration/custom", "input")),
+		)
+	}
+
+	if moduleHasLegacyMetadataFormat(module) {
+		s.logger.Warn(
+			"Module has legacy metadata format - please update to use annotations",
+			log.FilePath(module.Package.Location.File),
+			log.String("details", doc.URL("/docs/scanner/misconfiguration/custom", "metadata")),
+		)
+		return
+	}
+
+	metadata, err := MetadataFromAnnotations(module)
+	if err != nil {
+		s.logger.Error(
+			"Failed to retrieve metadata from annotations",
+			log.FilePath(module.Package.Location.File),
+			log.Err(err),
+		)
+		return
+	}
 
+	if metadata != nil {
+		s.moduleMetadata[path] = metadata
+	}
+}
+
+// moduleHasLegacyMetadataFormat checks if the module has a legacy metadata format.
+// Returns true if the metadata is represented as a “__rego_metadata__” rule,
+// which was used before annotations were introduced.
+func moduleHasLegacyMetadataFormat(module *ast.Module) bool {
+	return slices.ContainsFunc(module.Rules, func(rule *ast.Rule) bool {
+		return rule.Head.Name.Equal(ast.Var("__rego_metadata__"))
+	})
+}
+
+// moduleHasLegacyInputFormat checks if the module has a legacy input format.
+// Returns true if the input is represented as a “__rego_input__” rule,
+// which was used before annotations were introduced.
+func moduleHasLegacyInputFormat(module *ast.Module) bool {
+	return slices.ContainsFunc(module.Rules, func(rule *ast.Rule) bool {
+		return rule.Head.Name.Equal(ast.Var("__rego_input__"))
+	})
+}
+
+// filterModules filters the Rego modules based on metadata.
+func (s *Scanner) filterModules() error {
 	filtered := make(map[string]*ast.Module)
 	for name, module := range s.policies {
-		meta, err := retriever.RetrieveMetadata(context.TODO(), module)
+		metadata, err := s.metadataForModule(context.Background(), name, module, nil)
 		if err != nil {
-			return err
+			return fmt.Errorf("retrieve metadata for module %s: %w", name, err)
 		}
 
-		if !meta.hasAnyFramework(s.frameworks) {
-			continue
-		}
-
-		if IsBuiltinNamespace(getModuleNamespace(module)) {
-			if s.disabledCheckIDs.Contains(meta.ID) { // ignore builtin disabled checks
-				continue
-			}
-		}
-
-		if len(meta.InputOptions.Selectors) == 0 {
-			if !meta.Library {
-				s.logger.Warn(
-					"Module has no input selectors - it will be loaded for all inputs!",
-					log.FilePath(module.Package.Location.File),
-					log.String("module", name),
-				)
-			}
+		if s.isModuleApplicable(module, metadata, name) {
 			filtered[name] = module
-			continue
 		}
-
-		filtered[name] = module
 	}
 
 	s.policies = filtered
 	return nil
 }
 
+func (s *Scanner) isModuleApplicable(module *ast.Module, metadata *StaticMetadata, name string) bool {
+	if !metadata.hasAnyFramework(s.frameworks) {
+		return false
+	}
+
+	// ignore disabled built-in checks
+	if IsBuiltinNamespace(getModuleNamespace(module)) && s.disabledCheckIDs.Contains(metadata.ID) {
+		return false
+	}
+
+	if len(metadata.InputOptions.Selectors) == 0 && !metadata.Library {
+		s.logger.Warn(
+			"Module has no input selectors - it will be loaded for all inputs",
+			log.FilePath(module.Package.Location.File),
+			log.String("module", name),
+		)
+	}
+
+	return true
+}
+
 func ParseRegoModule(name, input string) (*ast.Module, error) {
 	return ast.ParseModuleWithOpts(name, input, ast.ParserOptions{
 		ProcessAnnotation: true,