
Merge pull request #336 from aquasecurity/owenr-update-tfsec-and-cfsec
chore(deps): updating code scanning
Owen Rumney authored Nov 30, 2021
2 parents 368c21e + 034fb19 commit 2c76718
Showing 5 changed files with 77 additions and 30 deletions.
16 changes: 12 additions & 4 deletions config/scanner/scanner.go
Expand Up @@ -135,7 +135,7 @@ func (s Scanner) scanCloudFormationByCFSec(files []types.Config) ([]types.Miscon
misconfResult := types.MisconfResult{
Message: result.Description,
PolicyMetadata: types.PolicyMetadata{
ID: result.AVDID,
ID: result.RuleID,
Type: "Cloudformation Security Check powered by cfsec",
Title: result.RuleSummary,
Description: result.Impact,
Expand All @@ -145,14 +145,21 @@ func (s Scanner) scanCloudFormationByCFSec(files []types.Config) ([]types.Miscon
},
IacMetadata: types.IacMetadata{
Resource: result.Resource,
Provider: result.RuleProvider.DisplayName(),
Service: result.RuleService,
StartLine: result.Location.StartLine,
EndLine: result.Location.EndLine,
},
}

filePath, err := filepath.Rel(rootDir, result.Location.Filename)
filename := result.Location.Filename
if filename == "" {
filename = file.FilePath
}

filePath, err := filepath.Rel(rootDir, filename)
if err != nil {
return nil, xerrors.Errorf("filepath rel: %w", err)
return nil, xerrors.Errorf("filepath rel, root: [%s], result: [%s] %w", rootDir, file.FilePath, err)
}

misconf, ok := misConfs[filePath]
Expand Down Expand Up @@ -211,11 +218,12 @@ func (s Scanner) scanTerraformByTFSec(files []types.Config) ([]types.Misconfigur
},
IacMetadata: types.IacMetadata{
Resource: result.Resource,
Provider: result.RuleProvider.DisplayName(),
Service: result.RuleService,
StartLine: result.Location.StartLine,
EndLine: result.Location.EndLine,
},
}

filePath, err := filepath.Rel(rootDir, result.Range().Filename)
if err != nil {
return nil, xerrors.Errorf("filepath rel: %w", err)
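Review bot: The reworded error at the end of the second hunk prints file.FilePath, but the path actually handed to filepath.Rel is the new filename variable, which only falls back to file.FilePath when result.Location.Filename is empty, so whenever the result carries its own filename the message reports the wrong path. I would change it to `return nil, xerrors.Errorf("filepath rel, root: [%s], result: [%s]: %w", rootDir, filename, err)`, which also restores the colon before the wrapped error. The same fallback is not applied in the third hunk, where scanTerraformByTFSec still calls filepath.Rel on result.Range().Filename directly, so an empty filename from tfsec would behave differently from one from cfsec; worth confirming that is intended. Whether file.FilePath is absolute like result.Location.Filename cannot be seen from the hunk; if it is already relative to rootDir, filepath.Rel would return an error or a misleading relative path, so the fallback deserves a test case. scanCloudFormationByCFSec begins before the hunk, so where file and rootDir come from is outside view.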
60 changes: 50 additions & 10 deletions config/scanner/scanner_test.go
Expand Up @@ -85,6 +85,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -101,6 +103,8 @@ func TestScanner_ScanConfig(t *testing.T) {
References: []string{"https://cfsec.dev/docs/s3/no-public-access-with-acl/#s3", "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html"},
}, IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -118,6 +122,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -137,8 +143,10 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
EndLine: 24,
Provider: "AWS",
Service: "s3",
StartLine: 18,
EndLine: 18,
},
},
{
Expand All @@ -154,8 +162,10 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
EndLine: 24,
Provider: "AWS",
Service: "s3",
StartLine: 19,
EndLine: 19,
},
},
{
Expand All @@ -171,7 +181,9 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
Provider: "AWS",
Service: "s3",
StartLine: 24,
EndLine: 24,
},
},
Expand All @@ -188,6 +200,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -205,6 +219,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -222,8 +238,10 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
EndLine: 24,
Provider: "AWS",
Service: "s3",
StartLine: 21,
EndLine: 21,
},
},
},
Expand Down Expand Up @@ -253,6 +271,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -268,6 +288,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -283,6 +305,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "General",
Service: "secrets",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -298,6 +322,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "azurerm_managed_disk.source",
Provider: "General",
Service: "secrets",
StartLine: 10,
EndLine: 14,
},
Expand All @@ -313,6 +339,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "General",
Service: "secrets",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -328,6 +356,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "azurerm_managed_disk.source",
Provider: "General",
Service: "secrets",
StartLine: 10,
EndLine: 14,
},
Expand All @@ -344,6 +374,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "variable.enableEncryption",
Provider: "General",
Service: "secrets",
StartLine: 6,
EndLine: 8,
},
Expand All @@ -359,6 +391,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "variable.enableEncryption",
Provider: "General",
Service: "secrets",
StartLine: 6,
EndLine: 8,
},
Expand All @@ -375,14 +409,16 @@ func TestScanner_ScanConfig(t *testing.T) {
RecommendedActions: "Add descriptions for all security groups and rules",
Severity: "LOW",
References: []string{
"https://tfsec.dev/docs/aws/vpc/add-description-to-security-group#aws/vpc",
"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/add-description-to-security-group",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
},
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -397,13 +433,15 @@ func TestScanner_ScanConfig(t *testing.T) {
RecommendedActions: "Set a more restrictive cidr range",
Severity: "CRITICAL",
References: []string{
"https://tfsec.dev/docs/aws/vpc/no-public-ingress-sgr#aws/vpc",
"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks",
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
},
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 3,
EndLine: 3,
},
Expand All @@ -418,13 +456,15 @@ func TestScanner_ScanConfig(t *testing.T) {
RecommendedActions: "Enable encryption on managed disks",
Severity: "HIGH",
References: []string{
"https://tfsec.dev/docs/azure/compute/enable-disk-encryption#azure/compute",
"https://aquasecurity.github.io/tfsec/latest/checks/azure/compute/enable-disk-encryption",
"https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk",
"https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption",
},
},
IacMetadata: types.IacMetadata{
Resource: "azurerm_managed_disk.source",
Provider: "Azure",
Service: "compute",
StartLine: 12,
EndLine: 12,
},
6 changes: 3 additions & 3 deletions go.mod
Expand Up @@ -6,11 +6,11 @@ require (
github.com/BurntSushi/toml v0.4.1
github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0
github.com/alicebob/miniredis/v2 v2.16.0
github.com/aquasecurity/cfsec v0.0.12
github.com/aquasecurity/defsec v0.0.30
github.com/aquasecurity/cfsec v0.2.2
github.com/aquasecurity/defsec v0.0.37
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
github.com/aquasecurity/tfsec v0.59.0
github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa
github.com/aws/aws-sdk-go v1.42.0
github.com/docker/docker v20.10.10+incompatible
github.com/docker/go-connections v0.4.0
19 changes: 8 additions & 11 deletions go.sum
Expand Up @@ -190,19 +190,18 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/
github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/cfsec v0.0.12 h1:6zvaJ34qKbElT5CyeMDre5WxtphPCt+XXKqz0Atj14s=
github.com/aquasecurity/cfsec v0.0.12/go.mod h1:26CqZRuXnPWAEqN2duORHQAPfz8Fh5FjVE+AT0wu78k=
github.com/aquasecurity/defsec v0.0.30 h1:7GSGUUH0xeWRlyLeksdYz+PLZqQu6taICzapGvdlu4c=
github.com/aquasecurity/defsec v0.0.30/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220 h1:4ck6/2PNmzcNPUgFT3gCq6oVFB/Do/qiasRuBL9xGDI=
github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz1no=
github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 h1:zYNhYU4HUqJq+Lqhwf68gvd+v0cKqM2XOmggtHYLkoU=
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
github.com/aquasecurity/tfsec v0.58.14/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
github.com/aquasecurity/tfsec v0.59.0 h1:HATgpKbiUEWnJ8PU3CJpHMJCEhVgJG9E32m7uEp44oo=
github.com/aquasecurity/tfsec v0.59.0/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
github.com/aquasecurity/tfsec v0.61.3 h1:jaBuFaq/0YDDqHeTR+SkD/A1XShN0+9W9/rPGlw7kmQ=
github.com/aquasecurity/tfsec v0.61.3/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa h1:mgG6allqccyBmaE0qnWFl39ju156yqNVTd0D/xwuVko=
github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
Expand Down Expand Up @@ -1075,7 +1074,6 @@ github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
github.com/owenrumney/go-sarif v1.0.10/go.mod h1:sgJM0ZaZ28jT8t8Iq3/mUCFBW9cX09EobIBXYOhiYBc=
github.com/owenrumney/go-sarif v1.0.11/go.mod h1:hTBFbxU7GuVRUvwMx+eStp9M/Oun4xHCS3vqpPvket8=
github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
github.com/owenrumney/squealer v0.2.28 h1:LYsqUHal+5QlANjbZ+h44SN5kIZSfHCWKUzBAS1KwB0=
github.com/owenrumney/squealer v0.2.28/go.mod h1:wwVPzhjiUBILIdDtnzGSEcapXczIj/tONP+ZJ49IhPY=
Expand Down Expand Up @@ -1335,7 +1333,6 @@ github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
github.com/zclconf/go-cty v1.6.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.8.4/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
6 changes: 4 additions & 2 deletions types/misconf.go
Expand Up @@ -30,8 +30,10 @@ type MisconfResults []MisconfResult

type IacMetadata struct {
Resource string `json:",omitempty"`
StartLine int `json:",omitempty"`
EndLine int `json:",omitempty"`
Provider string `json:",omitempty"`
Service string `json:",omitempty"`
StartLine int `json:",omitempty"`
EndLine int `json:",omitempty"`
}

type PolicyMetadata struct {
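Review bot: The new Provider and Service fields on IacMetadata carry no doc comment, and neither does the exported struct itself, so a consumer of the JSON output has no way to tell what values to expect in them. I would add `// Provider is the display name of the cloud provider the rule applies to (for example "AWS").` above Provider and `// Service is the provider service the rule targets (for example "s3").` above Service, plus a one-line comment on the type. Those example values are what the updated scanner_test.go fixtures in this commit expect, and scanner.go fills Provider from RuleProvider.DisplayName(), so the comments stay grounded in the code.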
