feat(general): number of words larger/less than or equal operators

checkov/common/checks_infra/checks_parser.py

@@ -48,7 +48,11 @@
     RangeIncludesAttributeSolver,
     RangeNotIncludesAttributeSolver,
     NumberOfWordsEqualsAttributeSolver,
-    NumberOfWordsNotEqualsAttributeSolver
+    NumberOfWordsNotEqualsAttributeSolver,
+    NumberOfWordsGreaterThanAttributeSolver,
+    NumberOfWordsGreaterThanOrEqualAttributeSolver,
+    NumberOfWordsLessThanAttributeSolver,
+    NumberOfWordsLessThanOrEqualAttributeSolver,
 )
 from checkov.common.checks_infra.solvers.connections_solvers.connection_one_exists_solver import \
     ConnectionOneExistsSolver
@@ -105,6 +109,10 @@
     "range_not_includes": RangeNotIncludesAttributeSolver,
     "number_of_words_equals": NumberOfWordsEqualsAttributeSolver,
     "number_of_words_not_equals": NumberOfWordsNotEqualsAttributeSolver,
+    "number_of_words_greater_than": NumberOfWordsGreaterThanAttributeSolver,
+    "number_of_words_greater_than_or_equal": NumberOfWordsGreaterThanOrEqualAttributeSolver,
+    "number_of_words_less_than_or_equal": NumberOfWordsLessThanOrEqualAttributeSolver,
+    "number_of_words_less_than": NumberOfWordsLessThanAttributeSolver,
 }
 
 operators_to_complex_solver_classes: dict[str, Type[BaseComplexSolver]] = {

checkov/common/checks_infra/solvers/attribute_solvers/__init__.py

@@ -36,3 +36,7 @@
 from checkov.common.checks_infra.solvers.attribute_solvers.range_not_includes_attribute_solver import RangeNotIncludesAttributeSolver  # noqa
 from checkov.common.checks_infra.solvers.attribute_solvers.number_of_words_equals_attribute_solver import NumberOfWordsEqualsAttributeSolver  # noqa
 from checkov.common.checks_infra.solvers.attribute_solvers.number_of_words_not_equals_attribute_solver import NumberOfWordsNotEqualsAttributeSolver  # noqa
+from checkov.common.checks_infra.solvers.attribute_solvers.number_of_words_greater_than_attribute_solver import NumberOfWordsGreaterThanAttributeSolver  # noqa
+from checkov.common.checks_infra.solvers.attribute_solvers.number_of_words_greater_than_or_equal_attribute_solver import NumberOfWordsGreaterThanOrEqualAttributeSolver  # noqa
+from checkov.common.checks_infra.solvers.attribute_solvers.number_of_words_less_than_or_equal_attribute_solver import NumberOfWordsLessThanOrEqualAttributeSolver  # noqa
+from checkov.common.checks_infra.solvers.attribute_solvers.number_of_words_less_than_attribute_solver import NumberOfWordsLessThanAttributeSolver  # noqa

checkov/common/checks_infra/solvers/attribute_solvers/base_number_of_words_attribute_solver.py

@@ -0,0 +1,27 @@
+from __future__ import annotations
+
+from typing import Any, TYPE_CHECKING
+
+from checkov.common.graph.checks_infra.enums import Operators
+from checkov.common.checks_infra.solvers.attribute_solvers.base_attribute_solver import BaseAttributeSolver
+from checkov.common.util.type_forcers import force_int
+
+if TYPE_CHECKING:
+    from typing_extensions import TypeGuard
+
+
+class BaseNumberOfWordsAttributeSolver(BaseAttributeSolver):
+    operator = Operators.NUMBER_OF_WORDS_GREATER_THAN  # noqa: CCE003  # a static attribute
+
+    def _validate_vertex_value(self, attr: Any) -> TypeGuard[str]:
+        return isinstance(attr, str)
+
+    def _get_number_of_words(self, attr: str) -> int:
+        return len(attr.split())
+
+    def _numerize_value(self) -> int | None:
+        return force_int(self.value)
+
+    def _get_operation(self, vertex: dict[str, Any], attribute: str | None) -> bool:
+        attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+        return self._validate_vertex_value(attr)

checkov/common/checks_infra/solvers/attribute_solvers/number_of_words_equals_attribute_solver.py

@@ -1,19 +1,20 @@
 from typing import Optional, Any, Dict
 
+from checkov.common.checks_infra.solvers.attribute_solvers.base_number_of_words_attribute_solver import \
+    BaseNumberOfWordsAttributeSolver
 from checkov.common.graph.checks_infra.enums import Operators
-from checkov.common.checks_infra.solvers.attribute_solvers.base_attribute_solver import BaseAttributeSolver
-from checkov.common.util.type_forcers import force_int
 
 
-class NumberOfWordsEqualsAttributeSolver(BaseAttributeSolver):
+class NumberOfWordsEqualsAttributeSolver(BaseNumberOfWordsAttributeSolver):
     operator = Operators.NUMBER_OF_WORDS_EQUALS  # noqa: CCE003  # a static attribute
 
     def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
-        vertex_attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+        attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
 
-        if not isinstance(vertex_attr, str):
+        if not self._validate_vertex_value(attr):
             return False
-        words = vertex_attr.split()
-        value_numeric = force_int(self.value)
 
-        return len(words) == value_numeric
+        num_of_words = self._get_number_of_words(attr)
+        value_numeric = self._numerize_value()
+
+        return num_of_words == value_numeric

checkov/common/checks_infra/solvers/attribute_solvers/number_of_words_greater_than_attribute_solver.py

@@ -0,0 +1,23 @@
+from typing import Optional, Any, Dict
+
+from checkov.common.checks_infra.solvers.attribute_solvers.base_number_of_words_attribute_solver import \
+    BaseNumberOfWordsAttributeSolver
+from checkov.common.graph.checks_infra.enums import Operators
+
+
+class NumberOfWordsGreaterThanAttributeSolver(BaseNumberOfWordsAttributeSolver):
+    operator = Operators.NUMBER_OF_WORDS_GREATER_THAN  # noqa: CCE003  # a static attribute
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+
+        if not self._validate_vertex_value(attr):
+            return False
+
+        num_of_words = self._get_number_of_words(attr)
+        value_numeric = self._numerize_value()
+
+        if value_numeric is None:
+            return False
+
+        return num_of_words > value_numeric

checkov/common/checks_infra/solvers/attribute_solvers/number_of_words_greater_than_or_equal_attribute_solver.py

@@ -0,0 +1,23 @@
+from typing import Optional, Any, Dict
+
+from checkov.common.checks_infra.solvers.attribute_solvers.base_number_of_words_attribute_solver import \
+    BaseNumberOfWordsAttributeSolver
+from checkov.common.graph.checks_infra.enums import Operators
+
+
+class NumberOfWordsGreaterThanOrEqualAttributeSolver(BaseNumberOfWordsAttributeSolver):
+    operator = Operators.NUMBER_OF_WORDS_GREATER_THAN  # noqa: CCE003  # a static attribute
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+
+        if not self._validate_vertex_value(attr):
+            return False
+
+        num_of_words = self._get_number_of_words(attr)
+        value_numeric = self._numerize_value()
+
+        if value_numeric is None:
+            return False
+
+        return num_of_words >= value_numeric

checkov/common/checks_infra/solvers/attribute_solvers/number_of_words_less_than_attribute_solver.py

@@ -0,0 +1,23 @@
+from typing import Optional, Any, Dict
+
+from checkov.common.checks_infra.solvers.attribute_solvers.base_number_of_words_attribute_solver import \
+    BaseNumberOfWordsAttributeSolver
+from checkov.common.graph.checks_infra.enums import Operators
+
+
+class NumberOfWordsLessThanAttributeSolver(BaseNumberOfWordsAttributeSolver):
+    operator = Operators.NUMBER_OF_WORDS_LESS_THAN  # noqa: CCE003  # a static attribute
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+
+        if not self._validate_vertex_value(attr):
+            return False
+
+        num_of_words = self._get_number_of_words(attr)
+        value_numeric = self._numerize_value()
+
+        if value_numeric is None:
+            return False
+
+        return num_of_words < value_numeric

checkov/common/checks_infra/solvers/attribute_solvers/number_of_words_less_than_or_equal_attribute_solver.py

@@ -0,0 +1,23 @@
+from typing import Optional, Any, Dict
+
+from checkov.common.checks_infra.solvers.attribute_solvers.base_number_of_words_attribute_solver import \
+    BaseNumberOfWordsAttributeSolver
+from checkov.common.graph.checks_infra.enums import Operators
+
+
+class NumberOfWordsLessThanOrEqualAttributeSolver(BaseNumberOfWordsAttributeSolver):
+    operator = Operators.NUMBER_OF_WORDS_GREATER_THAN  # noqa: CCE003  # a static attribute
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        attr = vertex.get(attribute)  # type:ignore[arg-type]  # due to attribute can be None
+
+        if not self._validate_vertex_value(attr):
+            return False
+
+        num_of_words = self._get_number_of_words(attr)
+        value_numeric = self._numerize_value()
+
+        if value_numeric is None:
+            return False
+
+        return num_of_words <= value_numeric

checkov/common/graph/checks_infra/enums.py

@@ -68,3 +68,7 @@ class Operators:
     RANGE_NOT_INCLUDES = 'range_not_includes'
     NUMBER_OF_WORDS_EQUALS = 'number_of_words_equals'
     NUMBER_OF_WORDS_NOT_EQUALS = 'number_of_words_not_equals'
+    NUMBER_OF_WORDS_GREATER_THAN = 'number_of_words_greater_than'
+    NUMBER_OF_WORDS_GREATER_THAN_OR_EQUAL = 'number_of_words_greater_than_or_equal'
+    NUMBER_OF_WORDS_LESS_THAN = 'number_of_words_less_than'
+    NUMBER_OF_WORDS_LESS_THAN_OR_EQUAL = 'number_of_words_less_than_or_equal'

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_or_equal_solver/NumberOfWordsGreaterThanOrEqual.yaml

@@ -0,0 +1,9 @@
+metadata:
+  id: "NumberOfWordsGreaterThanOrEqual"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - aws_security_group
+  attribute: ingress.description
+  operator: number_of_words_greater_than_or_equal
+  value: 6

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_or_equal_solver/test_solver.py

@@ -0,0 +1,22 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestNumberOfWordsGreaterThanOrEqual(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super(TestNumberOfWordsGreaterThanOrEqual, self).setUp()
+
+    def test_number_of_words_greater_than_or_equal(self):
+        # this is just a basic check to make sure the operator works
+        # we'll check all the other combinations more directly (because coming up with all the policy combos is painful)
+        root_folder = '../../../resources/number_of_words'
+        check_id = "NumberOfWordsGreaterThanOrEqual"
+        should_pass = ['aws_security_group.sg1']
+        should_fail = ['aws_security_group.sg2']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_solver/NumberOfWordsGreaterThan.yaml

@@ -0,0 +1,9 @@
+metadata:
+  id: "NumberOfWordsGreaterThan"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - aws_security_group
+  attribute: ingress.description
+  operator: number_of_words_greater_than
+  value: 4

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_solver/test_solver.py

@@ -0,0 +1,22 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestNumberOfWordsGreaterThan(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super(TestNumberOfWordsGreaterThan, self).setUp()
+
+    def test_number_of_words_greater_than(self):
+        # this is just a basic check to make sure the operator works
+        # we'll check all the other combinations more directly (because coming up with all the policy combos is painful)
+        root_folder = '../../../resources/number_of_words'
+        check_id = "NumberOfWordsGreaterThan"
+        should_pass = ['aws_security_group.sg1']
+        should_fail = ['aws_security_group.sg2']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_or_equal_solver/NumberOfWordsLessThanOrEqual.yaml

@@ -0,0 +1,9 @@
+metadata:
+  id: "NumberOfWordsLessThanOrEqual"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - aws_security_group
+  attribute: ingress.description
+  operator: number_of_words_less_than_or_equal
+  value: 3

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_or_equal_solver/test_solver.py

@@ -0,0 +1,22 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestNumberOfWordsLessThanOrEqual(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super(TestNumberOfWordsLessThanOrEqual, self).setUp()
+
+    def test_number_of_words_less_than_or_equal(self):
+        # this is just a basic check to make sure the operator works
+        # we'll check all the other combinations more directly (because coming up with all the policy combos is painful)
+        root_folder = '../../../resources/number_of_words'
+        check_id = "NumberOfWordsLessThanOrEqual"
+        should_pass = ['aws_security_group.sg2']
+        should_fail = ['aws_security_group.sg1']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_solver/NumberOfWordsLessThan.yaml

@@ -0,0 +1,9 @@
+metadata:
+  id: "NumberOfWordsLessThan"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - aws_security_group
+  attribute: ingress.description
+  operator: number_of_words_less_than
+  value: 4

tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_solver/test_solver.py

@@ -0,0 +1,22 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestNumberOfWordsLessThan(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super(TestNumberOfWordsLessThan, self).setUp()
+
+    def test_number_of_words_less_than(self):
+        # this is just a basic check to make sure the operator works
+        # we'll check all the other combinations more directly (because coming up with all the policy combos is painful)
+        root_folder = '../../../resources/number_of_words'
+        check_id = "NumberOfWordsLessThan"
+        should_pass = ['aws_security_group.sg2']
+        should_fail = ['aws_security_group.sg1']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)