fix: fixed failing e2e tests

tenable · May 26, 2021 · 2653799 · 2653799
1 parent 0d7f0aa
commit 2653799
Show file tree

Hide file tree

Showing 16 changed files with 133 additions and 222 deletions.
diff --git a/pkg/iac-providers/kubernetes/v1/normalize.go b/pkg/iac-providers/kubernetes/v1/normalize.go
@@ -29,7 +29,7 @@ import (
 )
 
 const (
-	terrascanSkip        = "terrascanSkip"
+	terrascanSkip        = "terrascan/skip"
 	terrascanSkipRule    = "rule"
 	terrascanSkipComment = "comment"
 	terrascanMaxSeverity = "terrascan/maxseverity"
@@ -172,13 +172,13 @@ func readSkipRulesFromAnnotations(annotations map[string]interface{}, resourceID
 		skipRules := make([]output.SkipRule, 0)
 		err := json.Unmarshal([]byte(rules), &skipRules)
 		if err != nil {
-			zap.S().Errorf("json string %s cannot be unmarshalled to []output.SkipRules struct schema", rules)
+			zap.S().Debugf("json string %s cannot be unmarshalled to []output.SkipRules struct schema", rules)
 			return nil
 		}
 		return skipRules
 	}
 
-	zap.S().Errorf("%s must be a string containing an json array like [{rule: ruleID, comment: reason for skipping}]", terrascanSkip)
+	zap.S().Debugf("%s must be a string containing an json array like [{rule: ruleID, comment: reason for skipping}]", terrascanSkip)
 	return nil
 }
 

diff --git a/pkg/iac-providers/kubernetes/v1/normalize_test.go b/pkg/iac-providers/kubernetes/v1/normalize_test.go
@@ -56,7 +56,7 @@ kind: Pod
 metadata:
   name: myapp-pod
   annotations:
-    terrascanSkip: |
+    terrascan/skip: |
       [{"rule": "accurics.kubernetes.IAM.109", "comment": "reason to skip the rule"}]
 spec:
   containers:
@@ -68,7 +68,7 @@ kind: CRD
 metadata:
   generateName: myapp-pod-prefix-
   annotations:
-    terrascanSkip: |
+    terrascan/skip: |
       [{"rule": "accurics.kubernetes.IAM.109", "comment": "reason to skip the rule"}]
 spec:
   containers:
@@ -414,7 +414,7 @@ func TestReadSkipRulesFromAnnotations(t *testing.T) {
 	}
 }
 
-func Test_readMinMaxSeverityFromAnnotations(t *testing.T) {
+func TestReadMinMaxSeverityFromAnnotations(t *testing.T) {
 	type args struct {
 		annotations map[string]interface{}
 		resourceID  string
@@ -438,31 +438,31 @@ func Test_readMinMaxSeverityFromAnnotations(t *testing.T) {
 		{
 			name: "min severity set to high",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/minseverity": "High",
+				terrascanMinSeverity: "High",
 			}},
 			wantMinSeverity: "High",
 			wantMaxSeverity: "",
 		},
 		{
 			name: "max severity set to low",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/maxseverity": "Low",
+				terrascanMaxSeverity: "Low",
 			}},
 			wantMinSeverity: "",
 			wantMaxSeverity: "Low",
 		},
 		{
 			name: "max severity set to None",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/maxseverity": "None"}},
+				terrascanMaxSeverity: "None"}},
 			wantMinSeverity: "",
 			wantMaxSeverity: "None",
 		},
 		{
 			name: "max severity set to low and Min severity set to high",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/maxseverity": "LOw",
-				"terrascan/minseverity": "hiGh",
+				terrascanMaxSeverity: "LOw",
+				terrascanMinSeverity: "hiGh",
 			}},
 			wantMinSeverity: "hiGh",
 			wantMaxSeverity: "LOw",

diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go
@@ -303,7 +303,9 @@ func (e *Engine) reportViolation(regoData *RegoData, resource *output.ResourceCo
 	}
 
 	if !strings.EqualFold(resource.MaxSeverity, "none") {
-		// if both values are set then max severity will be applicable and it will also change according to resource config and min severity value
+		// if both values are set then max severity will be applicable
+		// if minseverity is also provided then it will be applied first and over that change maxseverity will be applied.
+		// eg. resource.Violation = medium -> minseverity = High -> resource.Violation = High -> maxseverity = Low -> resource.Violation = Low
 		if utils.MinSeverityApplicable(regoData.Metadata.Severity, resource.MinSeverity) {
 			violation.Severity = strings.ToUpper(resource.MinSeverity)
 		}

diff --git a/pkg/utils/severity.go b/pkg/utils/severity.go
@@ -61,7 +61,7 @@ func CheckSeverity(ruleSeverity, desiredSeverity string) bool {
 
 // MinSeverityApplicable verifies if the severity of policy rule need to be changed to the minimum severity level
 func MinSeverityApplicable(ruleSeverity, minSeverity string) bool {
-	// this case will never arise added for safe checks
+	// this case will never arise, added for safe check
 	if !ValidateSeverityInput(minSeverity) {
 		return false
 	}
@@ -81,7 +81,7 @@ func MinSeverityApplicable(ruleSeverity, minSeverity string) bool {
 
 // MaxSeverityApplicable verifies if the severity of policy rule need to be changed to the maximum severity level
 func MaxSeverityApplicable(ruleSeverity, maxSeverity string) bool {
-	// this case will never arise added for safe checks
+	// this case will never arise, added for safe check
 	if !ValidateSeverityInput(maxSeverity) {
 		return false
 	}

diff --git a/.../scan/golden/resource_prioritising/max_severity_set/k8s/k8s_file_setting_max_severity.txt b/.../scan/golden/resource_prioritising/max_severity_set/k8s/k8s_file_setting_max_severity.txt
@@ -2,68 +2,13 @@
   "results": {
     "violations": [
       {
-        "rule_name": "imageWithLatestTag",
-        "description": "No tag or container image with :Latest tag makes difficult to rollback and track",
-        "rule_id": "AC-K8-OE-PO-L-0134",
+        "rule_name": "noHttps",
+        "description": "TLS disabled can affect the confidentiality of the data in transit",
+        "rule_id": "AC-K8-NS-IN-H-0020",
         "severity": "LOW",
-        "category": "Security Best Practices",
-        "resource_name": "backend-server",
-        "resource_type": "kubernetes_pod",
-        "file": "config.yaml",
-        "line": 1
-      },
-      {
-        "rule_name": "secCompProfile",
-        "description": "Default seccomp profile not enabled will make the container to make non-essential system calls",
-        "rule_id": "AC-K8-IA-PO-M-0141",
-        "severity": "LOW",
-        "category": "Identity and Access Management",
-        "resource_name": "backend-server",
-        "resource_type": "kubernetes_pod",
-        "file": "config.yaml",
-        "line": 1
-      },
-      {
-        "rule_name": "privilegeEscalationCheck",
-        "description": "Containers Should Not Run with AllowPrivilegeEscalation",
-        "rule_id": "AC-K8-CA-PO-H-0165",
-        "severity": "LOW",
-        "category": "Compliance Validation",
-        "resource_name": "backend-server",
-        "resource_type": "kubernetes_pod",
-        "file": "config.yaml",
-        "line": 1
-      },
-      {
-        "rule_name": "imageWithoutDigest",
-        "description": "Image without digest affects the integrity principle of image security",
-        "rule_id": "AC-K8-NS-PO-M-0133",
-        "severity": "LOW",
-        "category": "Infrastructure Security",
-        "resource_name": "backend-server",
-        "resource_type": "kubernetes_pod",
-        "file": "config.yaml",
-        "line": 1
-      },
-      {
-        "rule_name": "appArmorProfile",
-        "description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats",
-        "rule_id": "AC-K8-IA-PO-M-0135",
-        "severity": "LOW",
-        "category": "Identity and Access Management",
-        "resource_name": "backend-server",
-        "resource_type": "kubernetes_pod",
-        "file": "config.yaml",
-        "line": 1
-      },
-      {
-        "rule_name": "defaultNamespaceUsed",
-        "description": "The default namespace should not be used",
-        "rule_id": "accurics.kubernetes.OPS.460",
-        "severity": "LOW",
-        "category": "Operational Efficiency",
-        "resource_name": "backend-server",
-        "resource_type": "kubernetes_pod",
+        "category": "Network Security",
+        "resource_name": "ingress-demo-disallowed",
+        "resource_type": "kubernetes_ingress",
         "file": "config.yaml",
         "line": 1
       }
@@ -72,10 +17,10 @@
     "scan_summary": {
       "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set/k8s",
       "iac_type": "k8s",
-      "scanned_at": "2021-05-24 11:19:12.941151 +0000 UTC",
-      "policies_validated": 607,
-      "violated_policies": 6,
-      "low": 6,
+      "scanned_at": "2021-05-26 08:22:49.108823 +0000 UTC",
+      "policies_validated": 7,
+      "violated_policies": 1,
+      "low": 1,
       "medium": 0,
       "high": 0
     }

diff --git a/.../resource_prioritising/max_severity_set/terraform/terraform_file_setting_max_severity.txt b/.../resource_prioritising/max_severity_set/terraform/terraform_file_setting_max_severity.txt
@@ -6,20 +6,7 @@
         "description": "Ensure that your RDS database has IAM Authentication enabled.",
         "rule_id": "AWS.RDS.DataSecurity.High.0577",
         "severity": "LOW",
-        "category": "Data Protection",
-        "resource_name": "PtShGgAdi4",
-        "resource_type": "aws_db_instance",
-        "module_name": "root",
-        "file": "main.tf",
-        "plan_root": "./",
-        "line": 1
-      },
-      {
-        "rule_name": "dbInstanceLoggingDisabled",
-        "description": "Ensure AWS RDS instances have logging enabled.",
-        "rule_id": "AC_AWS_076",
-        "severity": "LOW",
-        "category": "Logging and Monitoring",
+        "category": "Data Security",
         "resource_name": "PtShGgAdi4",
         "resource_type": "aws_db_instance",
         "module_name": "root",
@@ -32,7 +19,7 @@
         "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",
         "rule_id": "AWS.RDS.DataSecurity.High.0414",
         "severity": "LOW",
-        "category": "Data Protection",
+        "category": "Data Security",
         "resource_name": "PtShGgAdi4",
         "resource_type": "aws_db_instance",
         "module_name": "root",
@@ -43,12 +30,12 @@
     ],
     "skipped_violations": null,
     "scan_summary": {
-      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set",
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set/terraform",
       "iac_type": "terraform",
-      "scanned_at": "2021-05-21 13:44:04.418159 +0000 UTC",
-      "policies_validated": 607,
-      "violated_policies": 3,
-      "low": 3,
+      "scanned_at": "2021-05-26 08:32:20.553515 +0000 UTC",
+      "policies_validated": 7,
+      "violated_policies": 2,
+      "low": 2,
       "medium": 0,
       "high": 0
     }

diff --git a/...en/resource_prioritising/max_severity_set_none/k8s/k8s_file_setting_max_severity_none.txt b/...en/resource_prioritising/max_severity_set_none/k8s/k8s_file_setting_max_severity_none.txt
@@ -3,22 +3,22 @@
     "violations": null,
     "skipped_violations": [
       {
-        "rule_name": "noOwnerLabel",
-        "description": "No owner for namespace affects the operations",
-        "rule_id": "AC-K8-OE-NS-L-0128",
-        "severity": "LOW",
-        "category": "Security Best Practices",
-        "resource_name": "production",
-        "resource_type": "kubernetes_namespace",
+        "rule_name": "noHttps",
+        "description": "TLS disabled can affect the confidentiality of the data in transit",
+        "rule_id": "AC-K8-NS-IN-H-0020",
+        "severity": "HIGH",
+        "category": "Network Security",
+        "resource_name": "ingress-demo-disallowed",
+        "resource_type": "kubernetes_ingress",
         "file": "config.yaml",
         "line": 1
       }
     ],
     "scan_summary": {
       "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/k8s",
       "iac_type": "k8s",
-      "scanned_at": "2021-05-24 11:12:18.816109 +0000 UTC",
-      "policies_validated": 607,
+      "scanned_at": "2021-05-26 08:26:12.117853 +0000 UTC",
+      "policies_validated": 7,
       "violated_policies": 0,
       "low": 0,
       "medium": 0,

diff --git a/...prioritising/max_severity_set_none/terraform/terraform_file_setting_max_severity_none.txt b/...prioritising/max_severity_set_none/terraform/terraform_file_setting_max_severity_none.txt
@@ -7,7 +7,7 @@
         "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",
         "rule_id": "AWS.RDS.DataSecurity.High.0414",
         "severity": "HIGH",
-        "category": "Data Protection",
+        "category": "Data Security",
         "resource_name": "PtShGgAdi4",
         "resource_type": "aws_db_instance",
         "module_name": "root",
@@ -20,20 +20,7 @@
         "description": "Ensure that your RDS database has IAM Authentication enabled.",
         "rule_id": "AWS.RDS.DataSecurity.High.0577",
         "severity": "HIGH",
-        "category": "Data Protection",
-        "resource_name": "PtShGgAdi4",
-        "resource_type": "aws_db_instance",
-        "module_name": "root",
-        "file": "main.tf",
-        "plan_root": "./",
-        "line": 1
-      },
-      {
-        "rule_name": "dbInstanceLoggingDisabled",
-        "description": "Ensure AWS RDS instances have logging enabled.",
-        "rule_id": "AC_AWS_076",
-        "severity": "MEDIUM",
-        "category": "Logging and Monitoring",
+        "category": "Data Security",
         "resource_name": "PtShGgAdi4",
         "resource_type": "aws_db_instance",
         "module_name": "root",
@@ -43,10 +30,10 @@
       }
     ],
     "scan_summary": {
-      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none",
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/terraform",
       "iac_type": "terraform",
-      "scanned_at": "2021-05-21 15:44:35.448128 +0000 UTC",
-      "policies_validated": 607,
+      "scanned_at": "2021-05-26 08:34:10.87025 +0000 UTC",
+      "policies_validated": 7,
       "violated_policies": 0,
       "low": 0,
       "medium": 0,

diff --git a/.../scan/golden/resource_prioritising/min_severity_set/k8s/k8s_file_setting_min_severity.txt b/.../scan/golden/resource_prioritising/min_severity_set/k8s/k8s_file_setting_min_severity.txt
@@ -2,13 +2,13 @@
   "results": {
     "violations": [
       {
-        "rule_name": "noOwnerLabel",
-        "description": "No owner for namespace affects the operations",
-        "rule_id": "AC-K8-OE-NS-L-0128",
+        "rule_name": "noHttps",
+        "description": "TLS disabled can affect the confidentiality of the data in transit",
+        "rule_id": "AC-K8-NS-IN-H-0020",
         "severity": "HIGH",
-        "category": "Security Best Practices",
-        "resource_name": "production",
-        "resource_type": "kubernetes_namespace",
+        "category": "Network Security",
+        "resource_name": "ingress-demo-disallowed",
+        "resource_type": "kubernetes_ingress",
         "file": "config.yaml",
         "line": 1
       }
@@ -17,8 +17,8 @@
     "scan_summary": {
       "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/min_severity_set/k8s",
       "iac_type": "k8s",
-      "scanned_at": "2021-05-24 11:04:50.218849 +0000 UTC",
-      "policies_validated": 607,
+      "scanned_at": "2021-05-26 09:17:52.348215 +0000 UTC",
+      "policies_validated": 7,
       "violated_policies": 1,
       "low": 0,
       "medium": 0,