Merge pull request #6769 from Checkmarx/joaom/kics-1163

feat(engine): experimental queries as feature flag
Checkmarx · Nov 6, 2023 · 82e20dd · 82e20dd
2 parents 5131c60 + c522ee7
commit 82e20dd
Show file tree

Hide file tree

Showing 35 changed files with 609 additions and 299 deletions.
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -14,6 +14,7 @@ jobs:
         uses: actions/setup-go@v4
         with:
           go-version: 1.20.x
+          cache: false
       - name: golangci-lint
         uses: golangci/[email protected]
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -67,7 +67,6 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.
 COPY --from=build_env /app/bin/kics /app/bin/kics
 COPY --from=build_env /app/assets/queries /app/bin/assets/queries
 COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
-COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 
 WORKDIR /app/bin
 

diff --git a/assets/utils/experimental-queries.json b/assets/utils/experimental-queries.json
diff --git a/docker/Dockerfile.apispec b/docker/Dockerfile.apispec
@@ -56,7 +56,6 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
-COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 
 WORKDIR /app/bin
 

diff --git a/docker/Dockerfile.apispec.debian b/docker/Dockerfile.apispec.debian
@@ -70,7 +70,6 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
-COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 
 WORKDIR /app/bin
 

diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
@@ -69,7 +69,6 @@ RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d
 COPY --from=build_env /app/bin/kics /app/bin/kics
 COPY --from=build_env /app/assets/queries /app/bin/assets/queries
 COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
-COPY --from=build_env /app/assets/utils/* /app/bin/assets/utils/
 
 WORKDIR /app/bin
 

diff --git a/docs/commands.md b/docs/commands.md
@@ -1,6 +1,7 @@
 # KICS CLI
 
-KICS is a command line tool, and should be used in a terminal. The next section describes the usage, the same help content is displayed when kics is provided with the `--help` flag.
+KICS is a command line tool, and should be used in a terminal. The next section describes the usage, the same help
+content is displayed when kics is provided with the `--help` flag.
 
 ## KICS Command
 
@@ -67,10 +68,7 @@ Flags:
                                       can be provided multiple times or as a comma separated string
                                       example: 'info,low'
                                       possible values: 'high, medium, low, info, trace'
-      --experimental-queries strings include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder
-                                      can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)
-                                      example: 'terraform/databricks'
-                                      possible values found in: '/assets/utils/experimental-queries.json'
+      --experimental-queries          include experimental queries (queries not yet thoroughly reviewed) (default [false])
       --fail-on strings               which kind of results should return an exit code different from 0
                                       accepts: high, medium, low and info
                                       example: "high,low" (default [high,medium,low,info])
@@ -134,13 +132,22 @@ Flags:
 The other commands have no further options.
 
 ## Exclude Paths
-By default, KICS excludes paths specified in the .gitignore file in the root of the repository. To disable this behavior, use flag `--exclude-gitignore`.
+
+By default, KICS excludes paths specified in the .gitignore file in the root of the repository. To disable this
+behavior, use flag `--exclude-gitignore`.
 
 ## Library Flag Usage
 
-As mentioned above, the library flag (`-b` or `--libraries-path`) refers to the directory with libraries. The functions need to be grouped by platform and the library file name should follow the format: `<platform>.rego` to be loaded by KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that contains a library for your terraform queries, you should group your functions (used in your terraform queries) in a file named `terraform.rego` wherever you want.
+As mentioned above, the library flag (`-b` or `--libraries-path`) refers to the directory with libraries. The functions 
+need to be grouped by platform and the library file name should follow the format: `<platform>.rego` to be loaded by
+KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that 
+contains a library for your terraform queries, you should group your functions (used in your terraform queries) in a
+file named `terraform.rego` wherever you want.
 
-This will merge the custom libraries found on the flag's path with KICS's default libraries. Note that any functions declared in a custom library with the same signature as an existing function in the [default libraries](https://github.com/Checkmarx/kics/tree/master/assets/libraries) will cause **the default library function to be overwritten by the custom definition provided**.
+This will merge the custom libraries found on the flag's path with KICS's default libraries. Note that any functions
+declared in a custom library with the same signature as an existing function in
+the [default libraries](https://github.com/Checkmarx/kics/tree/master/assets/libraries) will cause **the default library
+function to be overwritten by the custom definition provided**.
 
 ---
 
@@ -154,7 +161,8 @@ You can only enable one profiler at a time, CPU or MEM.
 
 ## Disable Crash Report
 
-You can disable KICS crash report to [sentry.io](https://sentry.io) with `DISABLE_CRASH_REPORT` environment variable set to `0` or `false` e.g:
+You can disable KICS crash report to [sentry.io](https://sentry.io) with `DISABLE_CRASH_REPORT` environment variable set
+to `0` or `false` e.g:
 
 ```sh
 DISABLE_CRASH_REPORT=0 ./bin/kics version

diff --git a/docs/dockerhub.md b/docs/dockerhub.md
@@ -104,10 +104,7 @@ Flags:
       --exclude-severities strings    exclude results by providing the severity of a result
                                       can be provided multiple times or as a comma separated string
                                       example: 'info,low'
-      --experimental-queries strings   include experimental queries (queries not yet thoroughly reviewed) by providing the path of the queries folder
-                                      can be provided multiple times or as a comma-separated string (platform/cloudProvider or platform)
-                                       example: 'terraform/databricks'
-                                      possible values found in: '/assets/utils/experimental-queries.json'
+      --experimental-queries          include experimental queries (queries not yet thoroughly reviewed) (default [false])
       --fail-on strings               which kind of results should return an exit code different from 0
                                       accepts: high, medium, low and info
                                       example: "high,low" (default [high,medium,low,info])

diff --git a/e2e/fixtures/E2E_CLI_069_RESULT.json b/e2e/fixtures/E2E_CLI_069_RESULT.json
@@ -0,0 +1,58 @@
+{
+	"kics_version": "development",
+	"files_scanned": 1,
+	"lines_scanned": 10,
+	"files_parsed": 1,
+	"lines_parsed": 9,
+	"lines_ignored": 1,
+	"files_failed_to_scan": 0,
+	"queries_total": 1,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 0,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 1,
+		"TRACE": 0
+	},
+	"total_counter": 1,
+	"total_bom_resources": 0,
+	"start": "2023-10-27T16:37:16.0886334+01:00",
+	"end": "2023-10-27T16:37:16.4789259+01:00",
+	"paths": [
+		"/path/test/fixtures/experimental_test/sample",
+		"/path/test/fixtures/experimental_test/queries"
+	],
+	"queries": [
+		{
+			"query_name": "Redis Disabled",
+			"query_id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Encryption",
+			"description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'",
+			"description_id": "68984bf2",
+			"files": [
+				{
+					"file_name": "path\\test\\fixtures\\experimental_test\\sample\\sample.tf",
+					"similarity_id": "32a6747d15f909ebe86d171c563878dd7e06dfb2f9ec1b569ef46e810860f27a",
+					"line": 4,
+					"resource_type": "aws_elasticache_cluster",
+					"resource_name": "cluster-example",
+					"issue_type": "IncorrectValue",
+					"search_key": "resource.aws_elasticache_cluster[positive1].engine",
+					"search_line": 4,
+					"search_value": "",
+					"expected_value": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled",
+					"actual_value": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis",
+					"remediation": "{\"after\":\"redis\",\"before\":\"memcached\"}",
+					"remediation_type": "replacement"
+				}
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json
@@ -0,0 +1,86 @@
+{
+	"kics_version": "development",
+	"files_scanned": 1,
+	"lines_scanned": 10,
+	"files_parsed": 1,
+	"lines_parsed": 9,
+	"lines_ignored": 1,
+	"files_failed_to_scan": 0,
+	"queries_total": 2,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 1,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 1,
+		"TRACE": 0
+	},
+	"total_counter": 2,
+	"total_bom_resources": 0,
+	"start": "2023-10-27T16:46:52.5513995+01:00",
+	"end": "2023-10-27T16:46:52.8805179+01:00",
+	"paths": [
+		"/path/test/fixtures/experimental_test/sample",
+		"/path/test/fixtures/experimental_test/queries"
+	],
+	"queries": [
+		{
+			"query_name": "Redis Disabled Experimental",
+			"query_id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d4",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine",
+			"severity": "HIGH",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Encryption",
+			"description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'",
+			"description_id": "68984bf2",
+			"files": [
+				{
+					"file_name": "path\\test\\fixtures\\experimental_test\\sample\\sample.tf",
+					"similarity_id": "4e651f5c005de96ab66f25419b1f160d9e0eecae83181edfcd1b72b3afbe9f69",
+					"line": 4,
+					"resource_type": "aws_elasticache_cluster",
+					"resource_name": "cluster-example",
+					"issue_type": "IncorrectValue",
+					"search_key": "resource.aws_elasticache_cluster[positive1].engine",
+					"search_line": 4,
+					"search_value": "",
+					"expected_value": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled",
+					"actual_value": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis",
+					"remediation": "{\"after\":\"redis\",\"before\":\"memcached\"}",
+					"remediation_type": "replacement"
+				}
+			]
+		},
+		{
+			"query_name": "Redis Disabled",
+			"query_id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Encryption",
+			"description": "ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'",
+			"description_id": "68984bf2",
+			"files": [
+				{
+					"file_name": "path\\test\\fixtures\\experimental_test\\sample\\sample.tf",
+					"similarity_id": "32a6747d15f909ebe86d171c563878dd7e06dfb2f9ec1b569ef46e810860f27a",
+					"line": 4,
+					"resource_type": "aws_elasticache_cluster",
+					"resource_name": "cluster-example",
+					"issue_type": "IncorrectValue",
+					"search_key": "resource.aws_elasticache_cluster[positive1].engine",
+					"search_line": 4,
+					"search_value": "",
+					"expected_value": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled",
+					"actual_value": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis",
+					"remediation": "{\"after\":\"redis\",\"before\":\"memcached\"}",
+					"remediation_type": "replacement"
+				}
+			]
+		}
+	]
+}