Merge pull request #6798 from Checkmarx/joaom/kics-1198
feat(engine): improve experimental signal on the results and cli
gabriel-cx authored Nov 21, 2023
2 parents d270b07 + 4e5b0da commit 277030e
Showing 15 changed files with 178 additions and 0 deletions.
17 changes: 17 additions & 0 deletions e2e/fixtures/E2E_CLI_032_RESULT.json
Expand Up @@ -33,6 +33,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Application Load Balancer (alb) should not listen on HTTP",
"description_id": "55f05412",
"files": [
Expand All @@ -59,6 +60,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Insecure Configurations",
"experimental": false,
"description": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
"description_id": "bded2e99",
"files": [
Expand All @@ -85,6 +87,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses",
"description_id": "747f49ac",
"files": [
Expand Down Expand Up @@ -124,6 +127,7 @@
"platform": "Common",
"cloud_provider": "COMMON",
"category": "Secret Management",
"experimental": false,
"description": "Query to find passwords and secrets in infrastructure code.",
"description_id": "d69d8a89",
"files": [
Expand All @@ -148,6 +152,7 @@
"platform": "Common",
"cloud_provider": "COMMON",
"category": "Secret Management",
"experimental": false,
"description": "Query to find passwords and secrets in infrastructure code.",
"description_id": "d69d8a89",
"files": [
Expand All @@ -172,6 +177,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Security Group Ingress CIDR should not be open to the world",
"description_id": "08256d31",
"files": [
Expand Down Expand Up @@ -211,6 +217,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service",
"description_id": "2cad71a7",
"files": [
Expand All @@ -237,6 +244,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Availability",
"experimental": false,
"description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.",
"description_id": "99966f58",
"files": [
Expand All @@ -263,6 +271,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Availability",
"experimental": false,
"description": "ECS Service should have at least 1 task running",
"description_id": "cd242bdd",
"files": [
Expand All @@ -289,6 +298,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules",
"description_id": "3ccdd7d2",
"files": [
Expand All @@ -315,6 +325,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules",
"description_id": "7b876844",
"files": [
Expand All @@ -341,6 +352,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Access Control",
"experimental": false,
"description": "Check if any ECS cluster has not defined proper roles for services' task definitions.",
"description_id": "b47b42b2",
"files": [
Expand All @@ -367,6 +379,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Secret Management",
"experimental": false,
"description": "Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account",
"description_id": "d78bb871",
"files": [
Expand All @@ -393,6 +406,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Security Group Ingress should have a single port",
"description_id": "5f2b65f3",
"files": [
Expand Down Expand Up @@ -445,6 +459,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Observability",
"experimental": false,
"description": "Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks",
"description_id": "e2e3a50a",
"files": [
Expand Down Expand Up @@ -484,6 +499,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Best Practices",
"experimental": false,
"description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions",
"description_id": "24a6978e",
"files": [
Expand All @@ -510,6 +526,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Best Practices",
"experimental": false,
"description": "It's considered a best practice for AWS Security Group to have a description",
"description_id": "f7c62b11",
"files": [
5 changes: 5 additions & 0 deletions e2e/fixtures/E2E_CLI_033_RESULT.json
Expand Up @@ -33,6 +33,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Observability",
"experimental": false,
"description": "Make sure Logging is enabled for Redshift Cluster",
"description_id": "458fe7a3",
"files": [
Expand Down Expand Up @@ -61,6 +62,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Insecure Configurations",
"experimental": false,
"description": "Redshift Cluster should be configured in VPC (Virtual Private Cloud)",
"description_id": "6fd531fa",
"files": [
Expand Down Expand Up @@ -100,6 +102,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Best Practices",
"experimental": false,
"description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions",
"description_id": "d03e85ae",
"files": [
Expand All @@ -126,6 +129,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "Redshift should not use the default port (5439) because an attacker can easily guess the port",
"description_id": "e2e48d27",
"files": [
Expand All @@ -152,6 +156,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Best Practices",
"experimental": false,
"description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'",
"description_id": "09db2d52",
"files": [
13 changes: 13 additions & 0 deletions e2e/fixtures/E2E_CLI_036_RESULT.json
Expand Up @@ -33,6 +33,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Application Load Balancer (alb) should not listen on HTTP",
"description_id": "55f05412",
"files": [
Expand All @@ -59,6 +60,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Insecure Configurations",
"experimental": false,
"description": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
"description_id": "bded2e99",
"files": [
Expand All @@ -85,6 +87,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses",
"description_id": "747f49ac",
"files": [
Expand Down Expand Up @@ -124,6 +127,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Security Group Ingress CIDR should not be open to the world",
"description_id": "08256d31",
"files": [
Expand Down Expand Up @@ -163,6 +167,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service",
"description_id": "2cad71a7",
"files": [
Expand All @@ -189,6 +194,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Availability",
"experimental": false,
"description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.",
"description_id": "99966f58",
"files": [
Expand All @@ -215,6 +221,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Availability",
"experimental": false,
"description": "ECS Service should have at least 1 task running",
"description_id": "cd242bdd",
"files": [
Expand All @@ -241,6 +248,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules",
"description_id": "3ccdd7d2",
"files": [
Expand All @@ -267,6 +275,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules",
"description_id": "7b876844",
"files": [
Expand All @@ -293,6 +302,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Access Control",
"experimental": false,
"description": "Check if any ECS cluster has not defined proper roles for services' task definitions.",
"description_id": "b47b42b2",
"files": [
Expand All @@ -319,6 +329,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Security Group Ingress should have a single port",
"description_id": "5f2b65f3",
"files": [
Expand Down Expand Up @@ -371,6 +382,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Observability",
"experimental": false,
"description": "Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks",
"description_id": "e2e3a50a",
"files": [
Expand Down Expand Up @@ -410,6 +422,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Best Practices",
"experimental": false,
"description": "It's considered a best practice for AWS Security Group to have a description",
"description_id": "f7c62b11",
"files": [
1 change: 1 addition & 0 deletions e2e/fixtures/E2E_CLI_036_RESULT_2.json
Expand Up @@ -33,6 +33,7 @@
"platform": "CloudFormation",
"cloud_provider": "AWS",
"category": "Networking and Firewall",
"experimental": false,
"description": "AWS Security Group Ingress should have a single port",
"description_id": "5f2b65f3",
"files": [
3 changes: 3 additions & 0 deletions e2e/fixtures/E2E_CLI_068_RESULT.json
Expand Up @@ -32,6 +32,7 @@
"severity": "HIGH",
"platform": "Dockerfile",
"category": "Build Process",
"experimental": false,
"description": "A user should be specified in the dockerfile, otherwise the image will run as root",
"description_id": "eb49caf6",
"files": [
Expand All @@ -55,6 +56,7 @@
"severity": "MEDIUM",
"platform": "Dockerfile",
"category": "Supply-Chain",
"experimental": false,
"description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag",
"description_id": "22f535ec",
"files": [
Expand All @@ -78,6 +80,7 @@
"severity": "LOW",
"platform": "Dockerfile",
"category": "Insecure Configurations",
"experimental": false,
"description": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working",
"description_id": "426121ee",
"files": [
1 change: 1 addition & 0 deletions e2e/fixtures/E2E_CLI_069_RESULT.json
Expand Up @@ -34,6 +34,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Encryption",
"experimental": false,
"description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'",
"description_id": "68984bf2",
"files": [
2 changes: 2 additions & 0 deletions e2e/fixtures/E2E_CLI_070_RESULT.json
Expand Up @@ -34,6 +34,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Encryption",
"experimental": true,
"description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'",
"description_id": "68984bf2",
"files": [
Expand Down Expand Up @@ -62,6 +63,7 @@
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Encryption",
"experimental": false,
"description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'",
"description_id": "68984bf2",
"files": [
1 change: 1 addition & 0 deletions pkg/engine/inspector.go
Expand Up @@ -30,6 +30,7 @@ const (
UndetectedVulnerabilityLine = -1
DefaultQueryID = "Undefined"
DefaultQueryName = "Anonymous"
DefaultExperimental = false
DefaultQueryDescription = "Undefined"
DefaultQueryDescriptionID = "Undefined"
DefaultQueryURI = "https://github.com/Checkmarx/kics/"
1 change: 1 addition & 0 deletions pkg/engine/vulnerability_builder.go
Expand Up @@ -175,6 +175,7 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker,
FileName: linesVulne.ResolvedFile,
QueryName: getStringFromMap("queryName", DefaultQueryName, overrideKey, vObj, &logWithFields),
QueryID: queryID,
Experimental: getBoolFromMap("experimental", DefaultExperimental, overrideKey, vObj, &logWithFields),
QueryURI: getStringFromMap("descriptionUrl", DefaultQueryURI, overrideKey, vObj, &logWithFields),
Category: getStringFromMap("category", "", overrideKey, vObj, &logWithFields),
Description: getStringFromMap("descriptionText", "", overrideKey, vObj, &logWithFields),
22 changes: 22 additions & 0 deletions pkg/engine/vulnerability_utils.go
Expand Up @@ -129,6 +129,28 @@ func getStringFromMap(vulnParam, defaultParam, overrideKey string, vObj map[stri
}
return *ts
}
func getBoolFromMap(
vulnParam string,
defaultParam bool,
overrideKey string,
vObj map[string]interface{},
logWithFields *zerolog.Logger) bool {
ts, err := mapKeyToString(vObj, vulnParam, false)
if err != nil {
return defaultParam
}
overrideValue := tryOverride(overrideKey, vulnParam, vObj)
if overrideValue != nil {
ts = overrideValue
}
res, err := strconv.ParseBool(*ts)
if err != nil {
logWithFields.Err(err).
Msgf("Saving result. failed to detect %s", vulnParam)
return defaultParam
}
return res
}
func getSeverity(severity string) model.Severity {
for _, si := range model.AllSeverities {
if severity == string(si) {
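Review bot: In getBoolFromMap the override is only consulted after mapKeyToString has found vulnParam in vObj, so the early `return defaultParam` on the first err check means an override stored under overrideKey can never supply `experimental` for a query whose metadata omits the key; if tryOverride can resolve a value without vObj holding it (not visible in this hunk), the override lookup belongs before that check, and if it cannot, a short comment at the early return saying the override is deliberately skipped would save the next reader the same question. The missing-key path also returns silently while the strconv.ParseBool failure is logged, so a malformed value is visible in the logs but an absent one is not; that may be intended since most queries carry no experimental field, but it is worth stating at the early return. The new function has no doc comment; `// getBoolFromMap returns the bool stored under vulnParam in vObj (after applying any override for overrideKey), or defaultParam when the key is missing or does not parse with strconv.ParseBool; only the parse failure is logged.` would cover it. getStringFromMap starts before this hunk, so whether it treats the same cases the same way cannot be checked here.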
1 change: 1 addition & 0 deletions pkg/model/model.go
Expand Up @@ -157,6 +157,7 @@ type Vulnerability struct {
QueryName string `db:"query_name" json:"queryName"`
QueryURI string `json:"-"`
Category string `json:"category"`
Experimental bool `json:"experimental"`
Description string `json:"description"`
DescriptionID string `json:"descriptionID"`
Platform string `db:"platform" json:"platform"`