chore: switch to ID from AVDID in internal and user-facing fields (#9655)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>

integration/testdata/terraform-opentofu-registry.json.golden

@@ -161,7 +161,7 @@
         },
         {
           "Type": "Terraform Security Check",
-          "ID": "s3-bucket-logging",
+          "ID": "AVD-AWS-0089",
           "AVDID": "AVD-AWS-0089",
           "Title": "S3 Bucket Logging",
           "Description": "Ensures S3 bucket logging is enabled for S3 buckets",
@@ -170,11 +170,11 @@
           "Query": "data.builtin.aws.s3.aws0089.deny",
           "Resolution": "Add a logging block to the resource to enable access logging",
           "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
           "References": [
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
-            "https://avd.aquasec.com/misconfig/s3-bucket-logging"
+            "https://avd.aquasec.com/misconfig/avd-aws-0089"
           ],
           "Status": "FAIL",
           "CauseMetadata": {

integration/testdata/terraform-remote-module-in-child.json.golden

@@ -169,7 +169,7 @@
         },
         {
           "Type": "Terraform Security Check",
-          "ID": "s3-bucket-logging",
+          "ID": "AVD-AWS-0089",
           "AVDID": "AVD-AWS-0089",
           "Title": "S3 Bucket Logging",
           "Description": "Ensures S3 bucket logging is enabled for S3 buckets",
@@ -178,11 +178,11 @@
           "Query": "data.builtin.aws.s3.aws0089.deny",
           "Resolution": "Add a logging block to the resource to enable access logging",
           "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
           "References": [
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
-            "https://avd.aquasec.com/misconfig/s3-bucket-logging"
+            "https://avd.aquasec.com/misconfig/avd-aws-0089"
           ],
           "Status": "FAIL",
           "CauseMetadata": {

integration/testdata/terraform-remote-module.json.golden

@@ -161,7 +161,7 @@
         },
         {
           "Type": "Terraform Security Check",
-          "ID": "s3-bucket-logging",
+          "ID": "AVD-AWS-0089",
           "AVDID": "AVD-AWS-0089",
           "Title": "S3 Bucket Logging",
           "Description": "Ensures S3 bucket logging is enabled for S3 buckets",
@@ -170,11 +170,11 @@
           "Query": "data.builtin.aws.s3.aws0089.deny",
           "Resolution": "Add a logging block to the resource to enable access logging",
           "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
           "References": [
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
-            "https://avd.aquasec.com/misconfig/s3-bucket-logging"
+            "https://avd.aquasec.com/misconfig/avd-aws-0089"
           ],
           "Status": "FAIL",
           "CauseMetadata": {

integration/testdata/terraform-remote-submodule.json.golden

@@ -25,7 +25,7 @@
       "Misconfigurations": [
         {
           "Type": "Terraform Security Check",
-          "ID": "aws-vpc-no-public-egress-sgr",
+          "ID": "AVD-AWS-0104",
           "AVDID": "AVD-AWS-0104",
           "Title": "A security group rule should not allow unrestricted egress to any IP address.",
           "Description": "Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.\n",
@@ -34,10 +34,10 @@
           "Query": "data.builtin.aws.ec2.aws0104.deny",
           "Resolution": "Set a more restrictive cidr range",
           "Severity": "CRITICAL",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/aws-vpc-no-public-egress-sgr",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0104",
           "References": [
             "https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html",
-            "https://avd.aquasec.com/misconfig/aws-vpc-no-public-egress-sgr"
+            "https://avd.aquasec.com/misconfig/avd-aws-0104"
           ],
           "Status": "FAIL",
           "CauseMetadata": {
@@ -124,7 +124,7 @@
         },
         {
           "Type": "Terraform Security Check",
-          "ID": "aws-vpc-add-description-to-security-group-rule",
+          "ID": "AVD-AWS-0124",
           "AVDID": "AVD-AWS-0124",
           "Title": "Missing description for security group rule.",
           "Description": "Security group rules should include a description for auditing purposes.\n\nSimplifies auditing, debugging, and managing security groups.\n",
@@ -133,10 +133,10 @@
           "Query": "data.builtin.aws.ec2.aws0124.deny",
           "Resolution": "Add descriptions for all security groups rules",
           "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/aws-vpc-add-description-to-security-group-rule",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0124",
           "References": [
             "https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
-            "https://avd.aquasec.com/misconfig/aws-vpc-add-description-to-security-group-rule"
+            "https://avd.aquasec.com/misconfig/avd-aws-0124"
           ],
           "Status": "FAIL",
           "CauseMetadata": {

integration/testdata/terraform-terraform-registry.json.golden

@@ -161,7 +161,7 @@
         },
         {
           "Type": "Terraform Security Check",
-          "ID": "s3-bucket-logging",
+          "ID": "AVD-AWS-0089",
           "AVDID": "AVD-AWS-0089",
           "Title": "S3 Bucket Logging",
           "Description": "Ensures S3 bucket logging is enabled for S3 buckets",
@@ -170,11 +170,11 @@
           "Query": "data.builtin.aws.s3.aws0089.deny",
           "Resolution": "Add a logging block to the resource to enable access logging",
           "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
           "References": [
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
             "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
-            "https://avd.aquasec.com/misconfig/s3-bucket-logging"
+            "https://avd.aquasec.com/misconfig/avd-aws-0089"
           ],
           "Status": "FAIL",
           "CauseMetadata": {

pkg/iac/rules/register.go

@@ -5,7 +5,7 @@ import (
 
 	"gopkg.in/yaml.v3"
 
-	"github.com/aquasecurity/trivy-checks/pkg/specs"
+	"github.com/aquasecurity/trivy-checks/pkg/compliance"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	dftypes "github.com/aquasecurity/trivy/pkg/iac/types"
@@ -94,21 +94,22 @@ func (r *registry) getSpecRules(spec string) []ruleTypes.RegisteredRule {
 	var specRules []ruleTypes.RegisteredRule
 
 	var complianceSpec dftypes.ComplianceSpec
-	specContent := specs.GetSpec(spec)
+	specContent := compliance.GetSpec(spec)
 	if err := yaml.Unmarshal([]byte(specContent), &complianceSpec); err != nil {
 		return nil
 	}
 
+	checkIDs := set.New[string]()
+	for _, csRule := range complianceSpec.Spec.Controls {
+		for _, c := range csRule.Checks {
+			checkIDs.Append(c.ID)
+		}
+	}
+
 	registered := r.getFrameworkRules(framework.ALL)
 	for _, rule := range registered {
-		for _, csRule := range complianceSpec.Spec.Controls {
-			if len(csRule.Checks) > 0 {
-				for _, c := range csRule.Checks {
-					if rule.GetRule().AVDID == c.ID {
-						specRules = append(specRules, rule)
-					}
-				}
-			}
+		if checkIDs.Contains(rule.AVDID) || checkIDs.Contains(rule.ID) {
+			specRules = append(specRules, rule)
 		}
 	}
 

pkg/iac/scan/flat.go

@@ -37,7 +37,7 @@ type FlatRange struct {
 }
 
 func (r Results) Flatten() []FlatResult {
-	var results []FlatResult
+	results := make([]FlatResult, 0, len(r))
 	for _, original := range r {
 		results = append(results, original.Flatten())
 	}
@@ -55,7 +55,6 @@ func (r *Result) Flatten() FlatResult {
 
 	return FlatResult{
 		Deprecated:      r.rule.Deprecated,
-		RuleID:          r.rule.AVDID,
 		LongID:          r.Rule().LongID(),
 		RuleSummary:     r.rule.Summary,
 		RuleProvider:    r.rule.Provider,

pkg/k8s/writer_test.go

@@ -316,7 +316,7 @@ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN`,
 Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 0 (CRITICAL: 0)
 
- (LOW): Oh no, a bad config.
+ID100 (LOW): Oh no, a bad config.
 ════════════════════════════════════════
 Your config file is not good.
 
@@ -352,7 +352,7 @@ namespace: default, deploy: orion ()
 Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (LOW: 1, CRITICAL: 0)
 
- (LOW): Oh no, a bad config.
+ID100 (LOW): Oh no, a bad config.
 ════════════════════════════════════════
 Your config file is not good.
 

pkg/misconf/scanner.go

@@ -501,13 +501,6 @@ func ResultsToMisconf(configType types.ConfigType, scannerName string, results s
 		flattened := result.Flatten()
 
 		query := fmt.Sprintf("data.%s.%s", result.RegoNamespace(), result.RegoRule())
-
-		// TODO: use the ID field
-		ruleID := result.Rule().AVDID
-		if result.RegoNamespace() != "" && len(result.Rule().Aliases) > 0 {
-			ruleID = result.Rule().Aliases[0]
-		}
-
 		cause := NewCauseWithCode(result, flattened)
 
 		misconfResult := types.MisconfResult{
@@ -515,7 +508,7 @@ func ResultsToMisconf(configType types.ConfigType, scannerName string, results s
 			Query:     query,
 			Message:   flattened.Description,
 			PolicyMetadata: types.PolicyMetadata{
-				ID:                 ruleID,
+				ID:                 result.Rule().ID,
 				AVDID:              result.Rule().AVDID,
 				Type:               fmt.Sprintf("%s Security Check", scannerName),
 				Title:              result.Rule().Summary,

pkg/report/table/misconfig.go

@@ -130,15 +130,15 @@ func (r *misconfigRenderer) renderSummary(misconf types.DetectedMisconfiguration
 	// ID & severity
 	switch misconf.Severity {
 	case severityCritical:
-		r.printf("%s <red><bold>(%s): ", misconf.AVDID, misconf.Severity)
+		r.printf("%s <red><bold>(%s): ", misconf.ID, misconf.Severity)
 	case severityHigh:
-		r.printf("%s <red>(%s): ", misconf.AVDID, misconf.Severity)
+		r.printf("%s <red>(%s): ", misconf.ID, misconf.Severity)
 	case severityMedium:
-		r.printf("%s <yellow>(%s): ", misconf.AVDID, misconf.Severity)
+		r.printf("%s <yellow>(%s): ", misconf.ID, misconf.Severity)
 	case severityLow:
-		r.printf("%s (%s): ", misconf.AVDID, misconf.Severity)
+		r.printf("%s (%s): ", misconf.ID, misconf.Severity)
 	default:
-		r.printf("%s <blue>(%s): ", misconf.AVDID, misconf.Severity)
+		r.printf("%s <blue>(%s): ", misconf.ID, misconf.Severity)
 	}
 
 	// heading

pkg/report/table/misconfig_test.go

@@ -31,7 +31,7 @@ func TestMisconfigRenderer(t *testing.T) {
 				MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
-						ID:          "some-alias-for-a-check",
+						ID:          "XYZ-0123",
 						AVDID:       "AVD-XYZ-0123",
 						Title:       "Config file is bad",
 						Description: "Your config file is not good.",
@@ -51,7 +51,7 @@ my-file ()
 Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
-AVD-XYZ-0123 (HIGH): Oh no, a bad config.
+XYZ-0123 (HIGH): Oh no, a bad config.
 ════════════════════════════════════════
 Your config file is not good.
 
@@ -68,6 +68,7 @@ See https://google.com/search?q=bad%20config
 				MisconfSummary: &types.MisconfSummary{Successes: 0, Failures: 1},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
+						ID:          "XYZ-0123",
 						AVDID:       "AVD-XYZ-0123",
 						Title:       "Config file is bad",
 						Description: "Your config file is not good.",
@@ -112,7 +113,7 @@ my-file ()
 Tests: 1 (SUCCESSES: 0, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
-AVD-XYZ-0123 (HIGH): Oh no, a bad config.
+XYZ-0123 (HIGH): Oh no, a bad config.
 ════════════════════════════════════════
 Your config file is not good.
 
@@ -135,6 +136,7 @@ See https://google.com/search?q=bad%20config
 				MisconfSummary: &types.MisconfSummary{Successes: 1, Failures: 1},
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
+						ID:          "XYZ-0123",
 						AVDID:       "AVD-XYZ-0123",
 						Title:       "Config file is bad",
 						Description: "Your config file is not good.",
@@ -166,6 +168,7 @@ See https://google.com/search?q=bad%20config
 						},
 					},
 					{
+						ID:          "XYZ-0456",
 						AVDID:       "AVD-XYZ-0456",
 						Title:       "Config file is bad again",
 						Description: "Your config file is still not good.",
@@ -185,7 +188,7 @@ my-file ()
 Tests: 2 (SUCCESSES: 1, FAILURES: 1)
 Failures: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
-FAIL: AVD-XYZ-0123 (HIGH): Oh no, a bad config.
+FAIL: XYZ-0123 (HIGH): Oh no, a bad config.
 ════════════════════════════════════════
 Your config file is not good.
 
@@ -199,7 +202,7 @@ See https://google.com/search?q=bad%20config
 ────────────────────────────────────────
 
 
-PASS: AVD-XYZ-0456 (MEDIUM): Oh no, a bad config AGAIN.
+PASS: XYZ-0456 (MEDIUM): Oh no, a bad config AGAIN.
 ════════════════════════════════════════
 Your config file is still not good.