
chore(deps): updating code scanning #336

Merged
merged 1 commit into from
Nov 30, 2021
Merged
16 changes: 12 additions & 4 deletions config/scanner/scanner.go
Expand Up @@ -135,7 +135,7 @@ func (s Scanner) scanCloudFormationByCFSec(files []types.Config) ([]types.Miscon
misconfResult := types.MisconfResult{
Message: result.Description,
PolicyMetadata: types.PolicyMetadata{
ID: result.AVDID,
ID: result.RuleID,
Type: "Cloudformation Security Check powered by cfsec",
Title: result.RuleSummary,
Description: result.Impact,
Expand All @@ -145,14 +145,21 @@ func (s Scanner) scanCloudFormationByCFSec(files []types.Config) ([]types.Miscon
},
IacMetadata: types.IacMetadata{
Resource: result.Resource,
Provider: result.RuleProvider.DisplayName(),
Service: result.RuleService,
StartLine: result.Location.StartLine,
EndLine: result.Location.EndLine,
},
}

filePath, err := filepath.Rel(rootDir, result.Location.Filename)
filename := result.Location.Filename
if filename == "" {
filename = file.FilePath
}

filePath, err := filepath.Rel(rootDir, filename)
if err != nil {
return nil, xerrors.Errorf("filepath rel: %w", err)
return nil, xerrors.Errorf("filepath rel, root: [%s], result: [%s] %w", rootDir, file.FilePath, err)
}

misconf, ok := misConfs[filePath]
Expand Down Expand Up @@ -211,11 +218,12 @@ func (s Scanner) scanTerraformByTFSec(files []types.Config) ([]types.Misconfigur
},
IacMetadata: types.IacMetadata{
Resource: result.Resource,
Provider: result.RuleProvider.DisplayName(),
Service: result.RuleService,
StartLine: result.Location.StartLine,
EndLine: result.Location.EndLine,
},
}

filePath, err := filepath.Rel(rootDir, result.Range().Filename)
if err != nil {
return nil, xerrors.Errorf("filepath rel: %w", err)
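Review bot: The new error message `return nil, xerrors.Errorf("filepath rel, root: [%s], result: [%s] %w", rootDir, file.FilePath, err)` names `file.FilePath`, but the path actually passed to `filepath.Rel` on the line above is `filename`, which is `result.Location.Filename` unless that was empty, so a failure on a scanner-reported path is attributed to the wrong file. I would change it to `return nil, xerrors.Errorf("filepath rel, root: [%s], result: [%s]: %w", rootDir, filename, err)`, which also separates the wrapped error from the brackets. Note that `filepath.Rel` does not fail for a scanner-reported path outside `rootDir`; it returns a `..`-prefixed key, and how the resulting miss on `misConfs[filePath]` is handled lies outside this hunk, so a short comment on the fallback stating that the key is expected to match a scanned file would help the next reader. The tfsec hunk of the same file still passes `result.Range().Filename` straight to `filepath.Rel` without the empty-filename fallback added here, though that hunk is cut off so I cannot tell whether it is covered below. scanCloudFormationByCFSec's body begins and ends outside the hunk.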
60 changes: 50 additions & 10 deletions config/scanner/scanner_test.go
Expand Up @@ -85,6 +85,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -101,6 +103,8 @@ func TestScanner_ScanConfig(t *testing.T) {
References: []string{"https://cfsec.dev/docs/s3/no-public-access-with-acl/#s3", "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html"},
}, IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -118,6 +122,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -137,8 +143,10 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
EndLine: 24,
Provider: "AWS",
Service: "s3",
StartLine: 18,
EndLine: 18,
},
},
{
Expand All @@ -154,8 +162,10 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
EndLine: 24,
Provider: "AWS",
Service: "s3",
StartLine: 19,
EndLine: 19,
},
},
{
Expand All @@ -171,7 +181,9 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
Provider: "AWS",
Service: "s3",
StartLine: 24,
EndLine: 24,
},
},
Expand All @@ -188,6 +200,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -205,6 +219,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
Provider: "AWS",
Service: "s3",
StartLine: 12,
EndLine: 24,
},
Expand All @@ -222,8 +238,10 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "S3Bucket",
StartLine: 12,
EndLine: 24,
Provider: "AWS",
Service: "s3",
StartLine: 21,
EndLine: 21,
},
},
},
Expand Down Expand Up @@ -253,6 +271,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -268,6 +288,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -283,6 +305,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "General",
Service: "secrets",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -298,6 +322,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "azurerm_managed_disk.source",
Provider: "General",
Service: "secrets",
StartLine: 10,
EndLine: 14,
},
Expand All @@ -313,6 +339,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "General",
Service: "secrets",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -328,6 +356,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "azurerm_managed_disk.source",
Provider: "General",
Service: "secrets",
StartLine: 10,
EndLine: 14,
},
Expand All @@ -344,6 +374,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "variable.enableEncryption",
Provider: "General",
Service: "secrets",
StartLine: 6,
EndLine: 8,
},
Expand All @@ -359,6 +391,8 @@ func TestScanner_ScanConfig(t *testing.T) {
},
IacMetadata: types.IacMetadata{
Resource: "variable.enableEncryption",
Provider: "General",
Service: "secrets",
StartLine: 6,
EndLine: 8,
},
Expand All @@ -375,14 +409,16 @@ func TestScanner_ScanConfig(t *testing.T) {
RecommendedActions: "Add descriptions for all security groups and rules",
Severity: "LOW",
References: []string{
"https://tfsec.dev/docs/aws/vpc/add-description-to-security-group#aws/vpc",
"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/add-description-to-security-group",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
},
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 1,
EndLine: 4,
},
Expand All @@ -397,13 +433,15 @@ func TestScanner_ScanConfig(t *testing.T) {
RecommendedActions: "Set a more restrictive cidr range",
Severity: "CRITICAL",
References: []string{
"https://tfsec.dev/docs/aws/vpc/no-public-ingress-sgr#aws/vpc",
"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks",
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
},
},
IacMetadata: types.IacMetadata{
Resource: "aws_security_group_rule.my-rule",
Provider: "AWS",
Service: "vpc",
StartLine: 3,
EndLine: 3,
},
Expand All @@ -418,13 +456,15 @@ func TestScanner_ScanConfig(t *testing.T) {
RecommendedActions: "Enable encryption on managed disks",
Severity: "HIGH",
References: []string{
"https://tfsec.dev/docs/azure/compute/enable-disk-encryption#azure/compute",
"https://aquasecurity.github.io/tfsec/latest/checks/azure/compute/enable-disk-encryption",
"https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk",
"https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption",
},
},
IacMetadata: types.IacMetadata{
Resource: "azurerm_managed_disk.source",
Provider: "Azure",
Service: "compute",
StartLine: 12,
EndLine: 12,
},
6 changes: 3 additions & 3 deletions go.mod
Expand Up @@ -6,11 +6,11 @@ require (
github.com/BurntSushi/toml v0.4.1
github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0
github.com/alicebob/miniredis/v2 v2.16.0
github.com/aquasecurity/cfsec v0.0.12
github.com/aquasecurity/defsec v0.0.30
github.com/aquasecurity/cfsec v0.2.2
github.com/aquasecurity/defsec v0.0.37
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
github.com/aquasecurity/tfsec v0.59.0
github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa
github.com/aws/aws-sdk-go v1.42.0
github.com/docker/docker v20.10.10+incompatible
github.com/docker/go-connections v0.4.0
19 changes: 8 additions & 11 deletions go.sum
Expand Up @@ -190,19 +190,18 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/
github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/cfsec v0.0.12 h1:6zvaJ34qKbElT5CyeMDre5WxtphPCt+XXKqz0Atj14s=
github.com/aquasecurity/cfsec v0.0.12/go.mod h1:26CqZRuXnPWAEqN2duORHQAPfz8Fh5FjVE+AT0wu78k=
github.com/aquasecurity/defsec v0.0.30 h1:7GSGUUH0xeWRlyLeksdYz+PLZqQu6taICzapGvdlu4c=
github.com/aquasecurity/defsec v0.0.30/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220 h1:4ck6/2PNmzcNPUgFT3gCq6oVFB/Do/qiasRuBL9xGDI=
github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz1no=
github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 h1:zYNhYU4HUqJq+Lqhwf68gvd+v0cKqM2XOmggtHYLkoU=
github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
github.com/aquasecurity/tfsec v0.58.14/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
github.com/aquasecurity/tfsec v0.59.0 h1:HATgpKbiUEWnJ8PU3CJpHMJCEhVgJG9E32m7uEp44oo=
github.com/aquasecurity/tfsec v0.59.0/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
github.com/aquasecurity/tfsec v0.61.3 h1:jaBuFaq/0YDDqHeTR+SkD/A1XShN0+9W9/rPGlw7kmQ=
github.com/aquasecurity/tfsec v0.61.3/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa h1:mgG6allqccyBmaE0qnWFl39ju156yqNVTd0D/xwuVko=
github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
Expand Down Expand Up @@ -1075,7 +1074,6 @@ github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
github.com/owenrumney/go-sarif v1.0.10/go.mod h1:sgJM0ZaZ28jT8t8Iq3/mUCFBW9cX09EobIBXYOhiYBc=
github.com/owenrumney/go-sarif v1.0.11/go.mod h1:hTBFbxU7GuVRUvwMx+eStp9M/Oun4xHCS3vqpPvket8=
github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
github.com/owenrumney/squealer v0.2.28 h1:LYsqUHal+5QlANjbZ+h44SN5kIZSfHCWKUzBAS1KwB0=
github.com/owenrumney/squealer v0.2.28/go.mod h1:wwVPzhjiUBILIdDtnzGSEcapXczIj/tONP+ZJ49IhPY=
Expand Down Expand Up @@ -1335,7 +1333,6 @@ github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
github.com/zclconf/go-cty v1.6.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.8.4/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
6 changes: 4 additions & 2 deletions types/misconf.go
Expand Up @@ -30,8 +30,10 @@ type MisconfResults []MisconfResult

type IacMetadata struct {
Resource string `json:",omitempty"`
StartLine int `json:",omitempty"`
EndLine int `json:",omitempty"`
Provider string `json:",omitempty"`
Service string `json:",omitempty"`
StartLine int `json:",omitempty"`
EndLine int `json:",omitempty"`
}

type PolicyMetadata struct {
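Review bot: The two exported fields added to `IacMetadata`, `Provider` and `Service`, carry no doc comments, and what they hold is only visible from the updated test expectations in this PR (`"AWS"`, `"General"`, `"Azure"` and `"s3"`, `"vpc"`, `"secrets"`, `"compute"`). I would add `// Provider is the provider name reported by the scanner, e.g. "AWS".` above `Provider` and `// Service is the provider service the check belongs to, e.g. "s3".` above `Service`, so consumers of the serialized JSON know what to expect without reading the scanner code. Keeping `json:",omitempty"` on both matches the sibling fields.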