diff --git a/checkov/common/images/image_referencer.py b/checkov/common/images/image_referencer.py index 1181a36d007..446ff708de8 100644 --- a/checkov/common/images/image_referencer.py +++ b/checkov/common/images/image_referencer.py @@ -43,6 +43,16 @@ def enable_image_referencer( return False +def fix_related_resource_ids(report: Report | None, tmp_dir: str) -> None: + """Remove tmp dir prefix from 'relatedResourceId'""" + + if report and report.image_cached_results: + for cached_result in report.image_cached_results: + related_resource_id = cached_result.get("relatedResourceId") + if related_resource_id and isinstance(related_resource_id, str): + cached_result["relatedResourceId"] = related_resource_id.replace(tmp_dir, "", 1) + + class Image: def __init__(self, file_path: str, name: str, start_line: int, end_line: int, related_resource_id: str | None = None) -> None: diff --git a/checkov/helm/runner.py b/checkov/helm/runner.py index 22e8436130f..2fa6cd7799b 100644 --- a/checkov/helm/runner.py +++ b/checkov/helm/runner.py @@ -13,6 +13,7 @@ from checkov.common.bridgecrew.check_type import CheckType from checkov.common.graph.checks_infra.registry import BaseRegistry from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from checkov.common.images.image_referencer import fix_related_resource_ids from checkov.common.output.report import Report from checkov.common.parallelizer.parallel_runner import parallel_runner from checkov.common.runners.base_runner import BaseRunner, filter_ignored_paths @@ -62,12 +63,19 @@ def run( chart_results = super().run(root_folder, external_checks_dir=external_checks_dir, runner_filter=runner_filter) if isinstance(chart_results, list): - helm_report = next(chart_result for chart_result in chart_results if chart_result.check_type == self.check_type) + helm_report = next( + chart_result for chart_result in chart_results if chart_result.check_type == self.check_type + ) + sca_image_report = next( + chart_result for chart_result in chart_results if chart_result.check_type == CheckType.SCA_IMAGE + ) else: helm_report = chart_results + sca_image_report = None if root_folder is not None: - fix_report_paths(helm_report, root_folder) + fix_report_paths(report=helm_report, tmp_dir=root_folder) + fix_related_resource_ids(report=sca_image_report, tmp_dir=root_folder) return chart_results except Exception: diff --git a/checkov/kustomize/runner.py b/checkov/kustomize/runner.py index 82699d3c436..8d28e96097e 100644 --- a/checkov/kustomize/runner.py +++ b/checkov/kustomize/runner.py @@ -15,6 +15,7 @@ from typing import Optional, Dict, Any, TextIO, TYPE_CHECKING from checkov.common.graph.graph_builder import CustomAttributes +from checkov.common.images.image_referencer import fix_related_resource_ids from checkov.common.output.record import Record from checkov.common.output.report import Report from checkov.common.bridgecrew.check_type import CheckType @@ -49,6 +50,25 @@ def __init__( self.report_mutator_data: "dict[str, dict[str, Any]]" = {} self.pbar.turn_off_progress_bar() + def run( + self, + root_folder: str | None, + external_checks_dir: list[str] | None = None, + files: list[str] | None = None, + runner_filter: RunnerFilter | None = None, + collect_skip_comments: bool = True + ) -> Report | list[Report]: + results = super().run(root_folder, external_checks_dir=external_checks_dir, runner_filter=runner_filter) + + sca_image_report = None + if isinstance(results, list): + sca_image_report = next(result for result in results if result.check_type == CheckType.SCA_IMAGE) + + if root_folder is not None: + fix_related_resource_ids(report=sca_image_report, tmp_dir=root_folder) + + return results + def set_external_data( self, definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None, diff --git a/tests/helm/test_runner_image_referencer.py b/tests/helm/test_runner_image_referencer.py index 7f354ee16c4..4813fa8dbc4 100644 --- a/tests/helm/test_runner_image_referencer.py +++ b/tests/helm/test_runner_image_referencer.py @@ -117,3 +117,13 @@ def test_deployment_resources(mocker: MockerFixture, image_cached_result, licens assert len(sca_image_report.failed_checks) == 1 assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 + assert len(sca_image_report.image_cached_results) == 1 + + assert sca_image_report.image_cached_results[0]["dockerImageName"] == image_name + assert ( + sca_image_report.image_cached_results[0]["relatedResourceId"] + == "/hello-world/templates/deployment.yaml:Deployment.default.release-name-hello-world" + ) + assert sca_image_report.image_cached_results[0]["packages"] == [ + {"type": "os", "name": "zlib", "version": "1.2.12-r1", "licenses": ["Zlib"]} + ] diff --git a/tests/kustomize/test_runner_image_referencer.py b/tests/kustomize/test_runner_image_referencer.py index 15141cec4c8..fd698fe1531 100644 --- a/tests/kustomize/test_runner_image_referencer.py +++ b/tests/kustomize/test_runner_image_referencer.py @@ -121,3 +121,13 @@ def test_deployment_resources(mocker: MockerFixture, image_cached_result, licens assert len(sca_image_report.failed_checks) == 1 assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 + assert len(sca_image_report.image_cached_results) == 1 + + assert sca_image_report.image_cached_results[0]["dockerImageName"] == image_name + assert ( + sca_image_report.image_cached_results[0]["relatedResourceId"] + == "/image_referencer/overlays/prod/Deployment-default-prod-wordpress.yaml:Deployment.default.prod-wordpress" + ) + assert sca_image_report.image_cached_results[0]["packages"] == [ + {"type": "os", "name": "zlib", "version": "1.2.12-r1", "licenses": ["Zlib"]} + ]