From 8b913dc05ec1b0907bf195d077ec49bf5d31e112 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Fri, 9 Feb 2024 18:18:04 +0000
Subject: [PATCH 01/17] fix(flag): validating if output path is valid
---
 e2e/fixtures/E2E_CLI_081_RESULT.json | 707 ++++++++++++++++++
 e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH | 2 +
 .../e2e-cli-081_output_path_valid.go | 26 +
 .../e2e-cli-082_output_path_invalid.go | 26 +
 internal/console/assets/scan-flags.json | 3 +-
 internal/console/flags/validate.go | 1 +
 internal/console/flags/validate_path.go | 18 +
 internal/console/flags/validate_path_test.go | 82 ++
 test/fixtures/test_output_path/main.tf | 121 +++
 9 files changed, 985 insertions(+), 1 deletion(-)
 create mode 100644 e2e/fixtures/E2E_CLI_081_RESULT.json
 create mode 100644 e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH
 create mode 100644 e2e/testcases/e2e-cli-081_output_path_valid.go
 create mode 100644 e2e/testcases/e2e-cli-082_output_path_invalid.go
 create mode 100644 internal/console/flags/validate_path.go
 create mode 100644 internal/console/flags/validate_path_test.go
 create mode 100644 test/fixtures/test_output_path/main.tf
diff --git a/e2e/fixtures/E2E_CLI_081_RESULT.json b/e2e/fixtures/E2E_CLI_081_RESULT.json
new file mode 100644
index 00000000000..76469ff090d
--- /dev/null
+++ b/e2e/fixtures/E2E_CLI_081_RESULT.json
@@ -0,0 +1,707 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 121, + "files_parsed": 1, + "lines_parsed": 119, + "lines_ignored": 2, + "files_failed_to_scan": 0, + "queries_total": 1045, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 10, + "INFO": 14, + "LOW": 2, + "MEDIUM": 6, + "TRACE": 0 + }, + "total_counter": 32, + "total_bom_resources": 0, + "start": "2024-02-09T18:00:41.6609138Z", + "end": "2024-02-09T18:01:44.7276323Z", + "paths": [ + "C:\\Users\\julios\\Documents\\repos\\kics\\test\\fixtures\\test_output_path\\main.tf" + ], + "queries": [ + { + "query_name": "IAM Database Auth Not Enabled", + "query_id": "88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Encryption", + "experimental": false, + "description": "IAM Database Auth Enabled should be configured to true when using compatible engine and version", + "description_id": "12b1c8aa", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "71b7bea5c9c9cee96e13074e3a8e02023c14f12dd41b4b6d92a8b65dba225687", + "line": 45, + "resource_type": "aws_db_instance", + "resource_name": "km_db_${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_db_instance[km_db]", + "search_line": 45, + "search_value": "", + "expected_value": "'iam_database_authentication_enabled' should be set to true", + "actual_value": "'iam_database_authentication_enabled' is undefined or null", + "remediation": "iam_database_authentication_enabled = true", + "remediation_type": "addition" + } + ] + }, + { + "query_name": "KMS Key With Full Permissions", + "query_id": "7ebc9038-0bde-479a-acc4-6ed7b6758899", + "query_url": 
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Insecure Configurations", + "experimental": false, + "description": "The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.", + "description_id": "32b2985e", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "4b645190ea61aa8262797dc39dd6372549c0837796cb6373038831c4b47cd86a", + "line": 35, + "resource_type": "aws_kms_key", + "resource_name": "km_db_kms_key", + "issue_type": "MissingAttribute", + "search_key": "aws_kms_key[km_db_kms_key]", + "search_line": 35, + "search_value": "", + "expected_value": "aws_kms_key[km_db_kms_key].policy should be defined and not null", + "actual_value": "aws_kms_key[km_db_kms_key].policy is undefined or null" + } + ] + }, + { + "query_name": "S3 Bucket Allows Public Policy", + "query_id": "1a4bc881-9f69-4d44-8c9a-d37d08f54c50", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Access Control", + "experimental": false, + "description": "S3 bucket allows public policy", + "description_id": "a8924b3b", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "25476a67c7f8ed62bf0999facaab5ac83a07374672a068d16e79a45ac163af10", + "line": 120, + "resource_type": "aws_s3_bucket_public_access_block", + "resource_name": "km_public_blob", + "issue_type": "IncorrectValue", + "search_key": "aws_s3_bucket_public_access_block[km_public_blob].block_public_policy", + "search_line": 120, + "search_value": "", + "expected_value": "'block_public_policy' should equal 'true'", + "actual_value": 
"'block_public_policy' is equal 'false'" + } + ] + }, + { + "query_name": "S3 Bucket SSE Disabled", + "query_id": "6726dcc0-5ff5-459d-b473-a780bef7665c", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Encryption", + "experimental": false, + "description": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required", + "description_id": "b386c506", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "aba464a3fadf8ad9474db05cd833d0a985d92c3ce93703d04528873f9b6a3915", + "line": 112, + "resource_type": "aws_s3_bucket", + "resource_name": "km-public-blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_public_blob]", + "search_line": 112, + "search_value": "", + "expected_value": "'aws_s3_bucket' to have 'server_side_encryption_configuration' associated", + "actual_value": "'aws_s3_bucket' does not have 'server_side_encryption_configuration' associated" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "361b4efcb1cde4c96862ea869b204790fafd39f5df66ab792071043c0ff1d55b", + "line": 104, + "resource_type": "aws_s3_bucket", + "resource_name": "km-blob-storage-${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_blob_storage]", + "search_line": 104, + "search_value": "", + "expected_value": "'aws_s3_bucket' to have 'server_side_encryption_configuration' associated", + "actual_value": "'aws_s3_bucket' does not have 'server_side_encryption_configuration' associated" + } + ] + }, + { + "query_name": "S3 Bucket Without Enabled MFA Delete", + "query_id": "c5b31ab9-0f26-4a49-b8aa-4cc064392f4d", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete", + 
"severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Insecure Configurations", + "experimental": false, + "description": "S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=\u003cBUCKET_NAME\u003e --mfa=\u003cMFA_SERIAL_NUMBER\u003e'. Please, also notice that MFA delete can not be used with lifecycle configurations", + "description_id": "e1699d08", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "b1ae5517fdc518d0b9be575dd5b3e1c1e6ec912d134aa4904311221cf9717267", + "line": 104, + "resource_type": "aws_s3_bucket", + "resource_name": "km-blob-storage-${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_blob_storage]", + "search_line": 104, + "search_value": "", + "expected_value": "versioning should be defined and not null", + "actual_value": "versioning is undefined or null" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "d55ab96849a3abf381e2a72fb8dd5bd9928507bff009eab789dcc268e43c0a3c", + "line": 112, + "resource_type": "aws_s3_bucket", + "resource_name": "km-public-blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_public_blob]", + "search_line": 112, + "search_value": "", + "expected_value": "versioning should be defined and not null", + "actual_value": "versioning is undefined or null" + } + ] + }, + { + "query_name": "S3 Bucket Without Restriction Of Public Bucket", + "query_id": "1ec253ab-c220-4d63-b2de-5b40e0af9293", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", + "severity": "HIGH", + 
"platform": "Terraform", + "cloud_provider": "AWS", + "category": "Insecure Configurations", + "experimental": false, + "description": "S3 bucket without restriction of public bucket", + "description_id": "a6e86c32", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "86358229d9bc37d9c656acdcc19623f66ffc0fec727e9d372033e3afe92812af", + "line": 116, + "resource_type": "aws_s3_bucket_public_access_block", + "resource_name": "km_public_blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket_public_access_block[km_public_blob].restrict_public_buckets", + "search_line": 116, + "search_value": "", + "expected_value": "'restrict_public_buckets' should equal 'true'", + "actual_value": "'restrict_public_buckets' is missing", + "remediation": "restrict_public_buckets = true", + "remediation_type": "addition" + } + ] + }, + { + "query_name": "Sensitive Port Is Exposed To Entire Network", + "query_id": "381c3f2a-ef6f-4eff-99f7-b169cda3422c", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Networking and Firewall", + "experimental": false, + "description": "A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol", + "description_id": "5be78364", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "355cc208d2b42fb9d3028cd68b559e1f7deb38b711c7594f6c3865c9a87b2690", + "line": 19, + "resource_type": "aws_security_group", + "resource_name": "km_rds_sg", + "issue_type": "IncorrectValue", + "search_key": "aws_security_group[km_rds_sg].ingress", + "search_line": -1, + "search_value": "TCP,5432", + "expected_value": "PostgreSQL (TCP:5432) should not be allowed", + "actual_value": "PostgreSQL (TCP:5432) is allowed" + } + ] + }, + { + "query_name": "Unrestricted Security Group 
Ingress", + "query_id": "4728cd65-a20c-49da-8b31-9c08b423e4db", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group.html", + "severity": "HIGH", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Networking and Firewall", + "experimental": false, + "description": "Security groups allow ingress from 0.0.0.0:0 and/or ::/0", + "description_id": "ce3ee5e0", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "c1da1442b08a56aaee6835ed501d9c41b2b716392d1a0a4210c584dd0d9ab945", + "line": 23, + "resource_type": "aws_security_group", + "resource_name": "km_rds_sg", + "issue_type": "IncorrectValue", + "search_key": "aws_security_group[km_rds_sg].ingress.cidr_blocks", + "search_line": -1, + "search_value": "", + "expected_value": "One of 'ingress.cidr_blocks' not equal '0.0.0.0/0'", + "actual_value": "One of 'ingress.cidr_blocks' equal '0.0.0.0/0'" + } + ] + }, + { + "query_name": "RDS With Backup Disabled", + "query_id": "1dc73fb4-5b51-430c-8c5f-25dcf9090b02", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance", + "severity": "MEDIUM", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Backup", + "experimental": false, + "description": "Make sure the AWS RDS configuration has automatic backup configured. 
If the retention period is equal to 0 there is no backup", + "description_id": "73fdfe55", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "122c76208d2bcc6912df322620f6af41e053401f9c631fc4223397a408eb30bc", + "line": 45, + "resource_type": "aws_db_instance", + "resource_name": "km_db_${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_db_instance[km_db]", + "search_line": 45, + "search_value": "", + "expected_value": "'backup_retention_period' should be defined, and bigger than '0'", + "actual_value": "'backup_retention_period' is not defined", + "remediation": "backup_retention_period = 12", + "remediation_type": "addition" + } + ] + }, + { + "query_name": "S3 Bucket Allows Public ACL", + "query_id": "d0cc8694-fcad-43ff-ac86-32331d7e867f", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", + "severity": "MEDIUM", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Access Control", + "experimental": false, + "description": "S3 bucket allows public ACL", + "description_id": "7b8886c1", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "9048dc30ba1c1fd9dc333b79a1c7d64f4248791936620ae1c2cd48c69073979c", + "line": 119, + "resource_type": "aws_s3_bucket_public_access_block", + "resource_name": "km_public_blob", + "issue_type": "IncorrectValue", + "search_key": "aws_s3_bucket_public_access_block[km_public_blob].block_public_acls", + "search_line": 119, + "search_value": "", + "expected_value": "'block_public_acls' should equal 'true'", + "actual_value": "'block_public_acls' is equal 'false'", + "remediation": "{\"after\":\"true\",\"before\":\"false\"}", + "remediation_type": "replacement" + } + ] + }, + { + "query_name": "S3 Bucket Logging Disabled", + "query_id": "f861041c-8c9f-4156-acfc-5e6e524f5884", + "query_url": 
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket", + "severity": "MEDIUM", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Observability", + "experimental": false, + "description": "Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable", + "description_id": "fa5c7c72", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "5c063f15602837c91427457956f271b5edaac664e99b65c5b24a14a80ca8270f", + "line": 104, + "resource_type": "aws_s3_bucket", + "resource_name": "km-blob-storage-${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_blob_storage]", + "search_line": 104, + "search_value": "", + "expected_value": "'logging' should be defined and not null", + "actual_value": "'logging' is undefined or null" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "00780173256d4178dc4ac89bf9fd8b008831ac11038e346da1a9f1327fb3eeda", + "line": 112, + "resource_type": "aws_s3_bucket", + "resource_name": "km-public-blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_public_blob]", + "search_line": 112, + "search_value": "", + "expected_value": "'logging' should be defined and not null", + "actual_value": "'logging' is undefined or null" + } + ] + }, + { + "query_name": "S3 Bucket Without Versioning", + "query_id": "568a4d22-3517-44a6-a7ad-6a7eed88722c", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning", + "severity": "MEDIUM", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Observability", + "experimental": false, + "description": "S3 bucket should have versioning enabled", + "description_id": "7614ce3b", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": 
"509918461704df65abe817289305af202e497d40bfb89ad2956a9beb77cf3a22", + "line": 112, + "resource_type": "aws_s3_bucket", + "resource_name": "km-public-blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_public_blob]", + "search_line": 112, + "search_value": "", + "expected_value": "'versioning' should be true", + "actual_value": "'versioning' is undefined or null" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "38962cc6c948dd3fe0402f0d07e2f75578016100b30d2373d46e4ab4f7ce178c", + "line": 104, + "resource_type": "aws_s3_bucket", + "resource_name": "km-blob-storage-${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[km_blob_storage]", + "search_line": 104, + "search_value": "", + "expected_value": "'versioning' should be true", + "actual_value": "'versioning' is undefined or null" + } + ] + }, + { + "query_name": "IAM Access Analyzer Not Enabled", + "query_id": "e592a0c5-5bdb-414c-9066-5dba7cdea370", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer", + "severity": "LOW", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Best Practices", + "experimental": false, + "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", + "description_id": "d03e85ae", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "aa346cd1642a83b40e221f96a43d88dbfacecdf1f8e5314c24145f8d35530197", + "line": 1, + "resource_type": "n/a", + "resource_name": "n/a", + "issue_type": "MissingAttribute", + "search_key": "resource", + "search_line": -1, + "search_value": "", + "expected_value": "'aws_accessanalyzer_analyzer' should be set", + "actual_value": "'aws_accessanalyzer_analyzer' is undefined" + } + ] + }, + { + "query_name": "S3 Bucket Without Ignore Public ACL", + "query_id": 
"4fa66806-0dd9-4f8d-9480-3174d39c7c91", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", + "severity": "LOW", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Insecure Configurations", + "experimental": false, + "description": "S3 bucket without ignore public ACL", + "description_id": "28aa7150", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "b3adb608012771b9f48979ab7dc1ac8d2e10015f819a9747d2bfa9ce0605bcc2", + "line": 116, + "resource_type": "aws_s3_bucket_public_access_block", + "resource_name": "km_public_blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket_public_access_block[km_public_blob]", + "search_line": 116, + "search_value": "", + "expected_value": "'ignore_public_acls' should equal 'true'", + "actual_value": "'ignore_public_acls' is missing", + "remediation": "ignore_public_acls = true", + "remediation_type": "addition" + } + ] + }, + { + "query_name": "RDS Without Logging", + "query_id": "8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports", + "severity": "INFO", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Observability", + "experimental": false, + "description": "RDS does not have any kind of logger", + "description_id": "c499a58c", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "942cb2428c1404cf3dd69263b23e061188ad715ae1bdb208ffdee775748d7310", + "line": 45, + "resource_type": "aws_db_instance", + "resource_name": "km_db_${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_db_instance[km_db]", + "search_line": 45, + "search_value": "", + "expected_value": "'enabled_cloudwatch_logs_exports' should be defined", + "actual_value": "'enabled_cloudwatch_logs_exports' is 
undefined" + } + ] + }, + { + "query_name": "Resource Not Using Tags", + "query_id": "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging", + "severity": "INFO", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Best Practices", + "experimental": false, + "description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'", + "description_id": "09db2d52", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "e980255919ebad1fa6bf072826d10bdb114216242c4b799709b874cd6c01821a", + "line": 112, + "resource_type": "aws_s3_bucket", + "resource_name": "km_public_blob", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[{{km_public_blob}}]", + "search_line": -1, + "search_value": "", + "expected_value": "aws_s3_bucket[{{km_public_blob}}].tags should be defined and not null", + "actual_value": "aws_s3_bucket[{{km_public_blob}}].tags is undefined or null" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "d0efbf94490b1c485e4e3beeba9a58b51ab430990201f77fa15f6dcfcc2b47cf", + "line": 14, + "resource_type": "aws_security_group", + "resource_name": "km_rds_sg", + "issue_type": "MissingAttribute", + "search_key": "aws_security_group[{{km_rds_sg}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_security_group[{{km_rds_sg}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_security_group[{{km_rds_sg}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "5c2ef181a7e9c643a05e1fd1933024c6127e6f684b9efa8eac31c731084e24cb", + "line": 81, + "resource_type": "aws_ssm_parameter", + "resource_name": 
"/km-${var.environment}/DB_PASSWORD", + "issue_type": "MissingAttribute", + "search_key": "aws_ssm_parameter[{{km_ssm_db_password}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_ssm_parameter[{{km_ssm_db_password}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_ssm_parameter[{{km_ssm_db_password}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "e2e2fdf18bc08f6e1e6c3eeb5ba41d048c64b9768d8fbde9fcdf4fb6135cd4c5", + "line": 5, + "resource_type": "aws_db_subnet_group", + "resource_name": "km_rds_subnet_grp_${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_db_subnet_group[{{km_rds_subnet_grp}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_db_subnet_group[{{km_rds_subnet_grp}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_db_subnet_group[{{km_rds_subnet_grp}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "12ed5c181348f8978b5420692df50488df2c443bc94d541e88da0ba3fa4859a3", + "line": 40, + "resource_type": "aws_kms_key", + "resource_name": "km_db_kms_key", + "issue_type": "MissingAttribute", + "search_key": "aws_kms_key[{{km_db_kms_key}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_kms_key[{{km_db_kms_key}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_kms_key[{{km_db_kms_key}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "576d47fedd6285ef04cb4ab8d878882285db3bac0b00014d3336ae515be6eecc", + "line": 99, + "resource_type": "aws_ssm_parameter", + "resource_name": "/km-${var.environment}/DB_NAME", + "issue_type": "MissingAttribute", + "search_key": 
"aws_ssm_parameter[{{km_ssm_db_name}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_ssm_parameter[{{km_ssm_db_name}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_ssm_parameter[{{km_ssm_db_name}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "a1a197eee9fb03c2c03efea430abaaa73cfc07558c1b83a4f75a6af5d07cf9ca", + "line": 90, + "resource_type": "aws_ssm_parameter", + "resource_name": "/km-${var.environment}/DB_USER", + "issue_type": "MissingAttribute", + "search_key": "aws_ssm_parameter[{{km_ssm_db_user}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_ssm_parameter[{{km_ssm_db_user}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_ssm_parameter[{{km_ssm_db_user}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "c761f7109a1e0e920c17cb03ac0bb4cf44a70e290f5c22aa266201add76a66d8", + "line": 61, + "resource_type": "aws_db_instance", + "resource_name": "km_db_${var.environment}", + "issue_type": "MissingAttribute", + "search_key": "aws_db_instance[{{km_db}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_db_instance[{{km_db}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_db_instance[{{km_db}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "cea4a498e30adf1eff0dabb58fff2bbd92916e63d414c30942945582072ab9e7", + "line": 107, + "resource_type": "aws_s3_bucket", + "resource_name": "km_blob_storage", + "issue_type": "MissingAttribute", + "search_key": "aws_s3_bucket[{{km_blob_storage}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_s3_bucket[{{km_blob_storage}}].tags has 
additional tags defined other than 'Name'", + "actual_value": "aws_s3_bucket[{{km_blob_storage}}].tags does not have additional tags defined other than 'Name'" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "231c25c467fdf7b77e7cdef64dbb1d53a3f77300b0c37b89405ef3c39cdda320", + "line": 72, + "resource_type": "aws_ssm_parameter", + "resource_name": "/km-${var.environment}/DB_HOST", + "issue_type": "MissingAttribute", + "search_key": "aws_ssm_parameter[{{km_ssm_db_host}}].tags", + "search_line": -1, + "search_value": "", + "expected_value": "aws_ssm_parameter[{{km_ssm_db_host}}].tags has additional tags defined other than 'Name'", + "actual_value": "aws_ssm_parameter[{{km_ssm_db_host}}].tags does not have additional tags defined other than 'Name'" + } + ] + }, + { + "query_name": "Security Group Rule Without Description", + "query_id": "cb3f5ed6-0d18-40de-a93d-b3538db31e8c", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description", + "severity": "INFO", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Best Practices", + "experimental": false, + "description": "It's considered a best practice for AWS Security Group to have a description", + "description_id": "bc535d27", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "a5adfd369cfe3afead396d040d83e0137d9d947ecb1f0173c4d6f5102f168398", + "line": 10, + "resource_type": "aws_security_group", + "resource_name": "km_rds_sg", + "issue_type": "MissingAttribute", + "search_key": "aws_security_group[{{km_rds_sg}}]", + "search_line": -1, + "search_value": "", + "expected_value": "aws_security_group[{{km_rds_sg}}] description should be defined and not null", + "actual_value": "aws_security_group[{{km_rds_sg}}] description is undefined or null" + } + ] + }, + { + "query_name": "Security Group Rule Without Description", + "query_id": 
"68eb4bf3-f9bf-463d-b5cf-e029bb446d2e", + "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description", + "severity": "INFO", + "platform": "Terraform", + "cloud_provider": "AWS", + "category": "Best Practices", + "experimental": false, + "description": "It's considered a best practice for all rules in AWS Security Group to have a description", + "description_id": "cee242dd", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "6763cdfa4cad76f841c28aa4c60469923df6a68cce301656290324d903e999a4", + "line": 27, + "resource_type": "aws_security_group", + "resource_name": "km_rds_sg", + "issue_type": "MissingAttribute", + "search_key": "aws_security_group[{{km_rds_sg}}].egress", + "search_line": 27, + "search_value": "", + "expected_value": "aws_security_group[{{km_rds_sg}}].egress description should be defined and not null", + "actual_value": "aws_security_group[{{km_rds_sg}}].egress description is undefined or null" + }, + { + "file_name": "test\\fixtures\\test_output_path\\main.tf", + "similarity_id": "dfa5d4e0a388e6195eb3c6a93200ca268ad1f9eaf243fa083e8e1a4cc98342d0", + "line": 19, + "resource_type": "aws_security_group", + "resource_name": "km_rds_sg", + "issue_type": "MissingAttribute", + "search_key": "aws_security_group[{{km_rds_sg}}].ingress", + "search_line": 19, + "search_value": "", + "expected_value": "aws_security_group[{{km_rds_sg}}].ingress description should be defined and not null", + "actual_value": "aws_security_group[{{km_rds_sg}}].ingress description is undefined or null" + } + ] + } + ] +} diff --git a/e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH b/e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH new file mode 100644 index 00000000000..d5f2649f3ec --- /dev/null +++ b/e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH 
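Review bot: The `paths` entry in this fixture carries a developer-specific absolute Windows path (`C:\\Users\\julios\\...\\main.tf`) and every `file_name` uses backslash separators, so an e2e run on a Linux runner scanning the same sample will produce different values unless the harness normalises or ignores those fields before comparing — the comparison code is not part of this patch, so I cannot confirm it does. The `similarity_id` hashes may also be derived from the file path and would then differ as well. Consider regenerating the fixture from a run that uses the repo-relative `test/fixtures/test_output_path/main.tf`, which also keeps the local user name out of the repository.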
@@ -0,0 +1,2 @@
+Error: The filename, directory name, or volume label syntax is incorrect. The directory name contains invalid characters.
+{{.ScanHelp}}
diff --git a/e2e/testcases/e2e-cli-081_output_path_valid.go b/e2e/testcases/e2e-cli-081_output_path_valid.go
new file mode 100644
index 00000000000..78372216bc4
--- /dev/null
+++ b/e2e/testcases/e2e-cli-081_output_path_valid.go
@@ -0,0 +1,26 @@
+package testcases
+
+// E2E-CLI-081 - KICS scan
+// should check if output path is valid
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should check if output path is valid [E2E-CLI-081]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_081_RESULT",
+ "-p", "\"/path/test\fixtures\test_output_path",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_081_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{50},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/e2e/testcases/e2e-cli-082_output_path_invalid.go b/e2e/testcases/e2e-cli-082_output_path_invalid.go
new file mode 100644
index 00000000000..d5ff234b3f6
--- /dev/null
+++ b/e2e/testcases/e2e-cli-082_output_path_invalid.go
@@ -0,0 +1,26 @@
+package testcases
+
+// E2E-CLI-082 - KICS scan
+// should check if output path is invalid
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should check if output path is invalid [E2E-CLI-082]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output?",
+ "--output-name", "E2E_CLI_082_RESULT",
+ "-p", "\"/path/test\fixtures\test_output_path",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_082_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{126},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json
index 6807a0ab05c..81422eccdcf 100644
--- a/internal/console/assets/scan-flags.json
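Review bot: The `-p` argument of the E2E-CLI-081 case is an interpreted Go string, so the `\f` and `\t` in `"\"/path/test\fixtures\test_output_path"` become a form feed and a tab, and the leading `\"` has no closing counterpart, so the path handed to the scan is not the fixture directory. The E2E-CLI-082 hunk on this line carries the same argument, and the patch-02 hunks further down that add the closing quote keep the escapes. Forward slashes avoid the escaping entirely and work on both platforms: `"-p", "/path/test/fixtures/test_output_path",`. Whether the harness rewrites the `/path/` prefix is not visible here.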
+++ b/internal/console/assets/scan-flags.json
@@ -119,7 +119,8 @@
 "flagType": "str",
 "shorthandFlag": "o",
 "defaultValue": "",
- "usage": "directory path to store reports"
+ "usage": "directory path to store reports",
+ "validation": "validatePath"
 },
 "path": {
 "flagType": "multiStr",
diff --git a/internal/console/flags/validate.go b/internal/console/flags/validate.go
index 1a356b0aa23..8b4322b92d9 100644
--- a/internal/console/flags/validate.go
+++ b/internal/console/flags/validate.go
@@ -9,6 +9,7 @@ var flagValidationFuncs = flagValidationFuncsMap{
 "validateMultiStrEnum": validateMultiStrEnum,
 "validateStrEnum": validateStrEnum,
 "allQueriesID": allQueriesID,
+ "validatePath": validatePath,
 }

 func isQueryID(id string) bool {
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
new file mode 100644
index 00000000000..afccfe8a091
--- /dev/null
+++ b/internal/console/flags/validate_path.go
@@ -0,0 +1,18 @@
+package flags
+
+import (
+ "errors"
+ "regexp"
+)
+
+func validatePath(flagName string) error {
+ regex := regexp.MustCompile(`[<>"|?*]`)
+
+ isValid := !regex.MatchString(GetStrFlag(flagName))
+
+ if !isValid {
+ return errors.New("the directory name contains invalid characters")
+ }
+
+ return nil
+}
diff --git a/internal/console/flags/validate_path_test.go b/internal/console/flags/validate_path_test.go
new file mode 100644
index 00000000000..bf6e2cecde5
--- /dev/null
+++ b/internal/console/flags/validate_path_test.go
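Review bot: `validatePath` in the validate_path.go hunk compiles its regexp on every call although the pattern is constant; hoist it to package scope as a `var invalidPathChars` initialised with the same `regexp.MustCompile` call and use `invalidPathChars.MatchString(GetStrFlag(flagName))` in the body. The function has no doc comment, and the set it rejects is the Windows reserved set, which is legal in POSIX paths, so the intent should be written down: `// validatePath rejects the characters Windows does not allow in a path (<>"|?*) so a bad --output-path fails at flag parsing rather than when the report is written; the empty default passes.` The message it returns, `the directory name contains invalid characters`, is only the second sentence of the E2E_CLI_082 fixture added earlier in this patch, so if the e2e harness compares CLI output against that fixture the two presumably need to be kept in sync.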
@@ -0,0 +1,82 @@
+package flags
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestFlags_validatePathEnum(t *testing.T) {
+ tests := []struct {
+ name string
+ flagName string
+ flagValue string
+ wantErr bool
+ }{
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "C:\\Users\\user\\files",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "/user/files",
+ wantErr: false,
+ },
+ {
+ name: "should return an error regarding invalid characters (|)",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files/|",
+ wantErr: true,
+ },
+ {
+ name: "should return an error regarding invalid characters (\")",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files/\"",
+ wantErr: true,
+ },
+ {
+ name: "should return an error regarding invalid characters (?)",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files/?",
+ wantErr: true,
+ },
+ {
+ name: "should return an error regarding invalid characters (>)",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files/>",
+ wantErr: true,
+ },
+ {
+ name: "should return an error regarding invalid characters (<)",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files/<",
+ wantErr: true,
+ },
+ {
+ name: "should return an error regarding invalid characters (*)",
+ flagName: "output-path",
+ flagValue: "C:/Users/user/files/*",
+ wantErr: true,
+ },
+ }
+ for _, test := range tests {
+ flagsStrReferences[test.flagName] = &test.flagValue
+ t.Run(test.name, func(t *testing.T) {
+ gotErr := validatePath(test.flagName)
+ if !test.wantErr {
+ require.NoError(t, gotErr)
+ } else {
+ require.Error(t, gotErr)
+ }
+ })
+ }
+}
diff --git a/test/fixtures/test_output_path/main.tf b/test/fixtures/test_output_path/main.tf
new file mode 100644
index 00000000000..73a6d8f59ec
--- /dev/null
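Review bot: The table never covers the empty string, which is the flag's default value per the scan-flags.json hunk and therefore the most common input; add `{name: "should accept the empty default", flagName: "output-path", flagValue: "", wantErr: false},`. The loop stores `&test.flagValue` into the package-level `flagsStrReferences` before calling `t.Run`; with a Go version before 1.22 every entry aliases the single loop variable, which only works because the subtests run sequentially, so assign inside the subtest from a per-iteration copy instead. The map is also left mutated for the rest of the package's tests; restoring the previous entry with `t.Cleanup` would isolate them. The name `TestFlags_validatePathEnum` refers to an enum the function does not validate.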
+++ b/test/fixtures/test_output_path/main.tf 
@@ -0,0 +1,121 @@ +resource "aws_db_subnet_group" "km_rds_subnet_grp" { + name = "km_rds_subnet_grp_${var.environment}" + subnet_ids = var.private_subnet + + tags = merge(var.default_tags, { + Name = "km_rds_subnet_grp_${var.environment}" + }) +} + +resource "aws_security_group" "km_rds_sg" { + name = "km_rds_sg" + vpc_id = var.vpc_id + + tags = merge(var.default_tags, { + Name = "km_rds_sg_${var.environment}" + }) + + # HTTP access from anywhere + ingress { + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + # outbound internet access + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_kms_key" "km_db_kms_key" { + description = "KMS Key for DB instance ${var.environment}" + deletion_window_in_days = 10 + enable_key_rotation = true + + tags = merge(var.default_tags, { + Name = "km_db_kms_key_${var.environment}" + }) +} + +resource "aws_db_instance" "km_db" { + name = "km_db_${var.environment}" + allocated_storage = 20 + engine = "postgres" + engine_version = "10.6" + instance_class = "db.t3.medium" + storage_type = "gp2" + password = var.db_password + username = var.db_username + vpc_security_group_ids = [aws_security_group.km_rds_sg.id] + db_subnet_group_name = aws_db_subnet_group.km_rds_subnet_grp.id + identifier = "km-db-${var.environment}" + storage_encrypted = true + skip_final_snapshot = true + final_snapshot_identifier = "km-db-${var.environment}-db-destroy-snapshot" + kms_key_id = aws_kms_key.km_db_kms_key.arn + tags = merge(var.default_tags, { + Name = "km_db_${var.environment}" + }) +} + +resource "aws_ssm_parameter" "km_ssm_db_host" { + name = "/km-${var.environment}/DB_HOST" + description = "Kai Monkey Database" + type = "SecureString" + value = aws_db_instance.km_db.endpoint + + tags = merge(var.default_tags, {}) +} + +resource "aws_ssm_parameter" "km_ssm_db_password" { + name = "/km-${var.environment}/DB_PASSWORD" + description = "Kai Monkey Database 
Password" + type = "SecureString" + value = aws_db_instance.km_db.password + + tags = merge(var.default_tags, {}) +} + +resource "aws_ssm_parameter" "km_ssm_db_user" { + name = "/km-${var.environment}/DB_USER" + description = "Kai Monkey Database Username" + type = "SecureString" + value = aws_db_instance.km_db.username + + tags = merge(var.default_tags, {}) +} + +resource "aws_ssm_parameter" "km_ssm_db_name" { + name = "/km-${var.environment}/DB_NAME" + description = "Kai Monkey Database Name" + type = "SecureString" + value = aws_db_instance.km_db.name + + tags = merge(var.default_tags, { + environment = "${var.environment}" + }) +} + +resource "aws_s3_bucket" "km_blob_storage" { + bucket = "km-blob-storage-${var.environment}" + acl = "private" + tags = merge(var.default_tags, { + name = "km_blob_storage_${var.environment}" + }) +} + +resource "aws_s3_bucket" "km_public_blob" { + bucket = "km-public-blob" +} + +resource "aws_s3_bucket_public_access_block" "km_public_blob" { + bucket = aws_s3_bucket.km_public_blob.id + + block_public_acls = false + block_public_policy = false +} \ No newline at end of file From 116ad24fdc509d43fd0a210d41a9ddc987bfd756 Mon Sep 17 00:00:00 2001 From: JulioSCX Date: Mon, 12 Feb 2024 10:21:50 +0000 Subject: [PATCH 02/17] =?UTF-8?q?resolu=C3=A7ao=20de=20problemas=20nos=20t?= =?UTF-8?q?estes=20e2e?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...2E_CLI_082_INVALID_OUTPUT_PATH => E2E_CLI_082_RESULT} | 0 e2e/testcases/e2e-cli-081_output_path_valid.go | 2 +- e2e/testcases/e2e-cli-082_output_path_invalid.go | 9 +++------ 3 files changed, 4 insertions(+), 7 deletions(-) rename e2e/fixtures/{E2E_CLI_082_INVALID_OUTPUT_PATH => E2E_CLI_082_RESULT} (100%) diff --git a/e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH b/e2e/fixtures/E2E_CLI_082_RESULT similarity index 100% rename from e2e/fixtures/E2E_CLI_082_INVALID_OUTPUT_PATH rename to e2e/fixtures/E2E_CLI_082_RESULT 
diff --git a/e2e/testcases/e2e-cli-081_output_path_valid.go b/e2e/testcases/e2e-cli-081_output_path_valid.go
index 78372216bc4..b5684a45c2a 100644
--- a/e2e/testcases/e2e-cli-081_output_path_valid.go
+++ b/e2e/testcases/e2e-cli-081_output_path_valid.go
@@ -9,7 +9,7 @@ func init() { //nolint
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
 "--output-name", "E2E_CLI_081_RESULT",
- "-p", "\"/path/test\fixtures\test_output_path",
+ "-p", "\"/path/test\fixtures\test_output_path\"",
 },
 },
 ExpectedResult: []ResultsValidation{
diff --git a/e2e/testcases/e2e-cli-082_output_path_invalid.go b/e2e/testcases/e2e-cli-082_output_path_invalid.go
index d5ff234b3f6..2e7333a1cfd 100644
--- a/e2e/testcases/e2e-cli-082_output_path_invalid.go
+++ b/e2e/testcases/e2e-cli-082_output_path_invalid.go
@@ -9,14 +9,11 @@ func init() { //nolint
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output?",
 "--output-name", "E2E_CLI_082_RESULT",
- "-p", "\"/path/test\fixtures\test_output_path",
+ "-p", "\"/path/test\fixtures\test_output_path\"",
 },
 },
- ExpectedResult: []ResultsValidation{
- {
- ResultsFile: "E2E_CLI_082_RESULT",
- ResultsFormats: []string{"json"},
- },
+ ExpectedOut: []string{
+ "E2E_CLI_082_RESULT",
 },
 },
 WantStatus: []int{126},
From f2c54c2ae2db495008c624d77efaba509a647e0f Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 12 Feb 2024 10:48:13 +0000
Subject: [PATCH 03/17] resolucao de problemas dos testes e2e
---
 e2e/fixtures/E2E_CLI_081_RESULT.json | 705 +-----------------
 e2e/fixtures/E2E_CLI_082_RESULT | 2 +-
 .../test_output_path/azuredeploy.json | 66 ++
 test/fixtures/test_output_path/main.tf | 121 ---
 4 files changed, 80 insertions(+), 814 deletions(-)
 create mode 100644 test/fixtures/test_output_path/azuredeploy.json
 delete mode 100644 test/fixtures/test_output_path/main.tf
diff --git a/e2e/fixtures/E2E_CLI_081_RESULT.json b/e2e/fixtures/E2E_CLI_081_RESULT.json
index 76469ff090d..14f51de05bc 100644
--- a/e2e/fixtures/E2E_CLI_081_RESULT.json
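Review bot: The E2E-CLI-082 hunk now points `ExpectedOut` at `E2E_CLI_082_RESULT`, the fixture renamed from E2E_CLI_082_INVALID_OUTPUT_PATH in this patch, whose first sentence is the OS-level `The filename, directory name, or volume label syntax is incorrect.` text; `validatePath` only emits `the directory name contains invalid characters`, so if the harness matches CLI output against that fixture the match presumably depends on the operating system producing the first sentence, and how `ExpectedOut` is checked is not visible here. Both hunks add the closing `\"` to the `-p` argument but keep the `\f` and `\t` escapes in `"\"/path/test\fixtures\test_output_path\""`, so the scan path is still a form feed and a tab away from the fixture directory. `"-p", "/path/test/fixtures/test_output_path",` removes the quoting problem altogether.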
+++ b/e2e/fixtures/E2E_CLI_081_RESULT.json 
@@ -1,707 +1,28 @@ { "kics_version": "development", "files_scanned": 1, - "lines_scanned": 121, + "lines_scanned": 67, "files_parsed": 1, - "lines_parsed": 119, - "lines_ignored": 2, + "lines_parsed": 67, + "lines_ignored": 0, "files_failed_to_scan": 0, - "queries_total": 1045, + "queries_total": 43, "queries_failed_to_execute": 0, "queries_failed_to_compute_similarity_id": 0, "scan_id": "console", "severity_counters": { - "HIGH": 10, - "INFO": 14, - "LOW": 2, - "MEDIUM": 6, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, "TRACE": 0 }, - "total_counter": 32, + "total_counter": 0, "total_bom_resources": 0, - "start": "2024-02-09T18:00:41.6609138Z", - "end": "2024-02-09T18:01:44.7276323Z", + "start": "2024-02-12T10:46:29.7261251Z", + "end": "2024-02-12T10:46:32.4822031Z", "paths": [ - "C:\\Users\\julios\\Documents\\repos\\kics\\test\\fixtures\\test_output_path\\main.tf" + "C:\\Users\\julios\\Documents\\repos\\kics\\test\\fixtures\\test_output_path" ], - "queries": [ - { - "query_name": "IAM Database Auth Not Enabled", - "query_id": "88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Encryption", - "experimental": false, - "description": "IAM Database Auth Enabled should be configured to true when using compatible engine and version", - "description_id": "12b1c8aa", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "71b7bea5c9c9cee96e13074e3a8e02023c14f12dd41b4b6d92a8b65dba225687", - "line": 45, - "resource_type": "aws_db_instance", - "resource_name": "km_db_${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_db_instance[km_db]", - "search_line": 45, - "search_value": "", - "expected_value": "'iam_database_authentication_enabled' should be set to true", - "actual_value": 
"'iam_database_authentication_enabled' is undefined or null", - "remediation": "iam_database_authentication_enabled = true", - "remediation_type": "addition" - } - ] - }, - { - "query_name": "KMS Key With Full Permissions", - "query_id": "7ebc9038-0bde-479a-acc4-6ed7b6758899", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Insecure Configurations", - "experimental": false, - "description": "The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.", - "description_id": "32b2985e", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "4b645190ea61aa8262797dc39dd6372549c0837796cb6373038831c4b47cd86a", - "line": 35, - "resource_type": "aws_kms_key", - "resource_name": "km_db_kms_key", - "issue_type": "MissingAttribute", - "search_key": "aws_kms_key[km_db_kms_key]", - "search_line": 35, - "search_value": "", - "expected_value": "aws_kms_key[km_db_kms_key].policy should be defined and not null", - "actual_value": "aws_kms_key[km_db_kms_key].policy is undefined or null" - } - ] - }, - { - "query_name": "S3 Bucket Allows Public Policy", - "query_id": "1a4bc881-9f69-4d44-8c9a-d37d08f54c50", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Access Control", - "experimental": false, - "description": "S3 bucket allows public policy", - "description_id": "a8924b3b", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "25476a67c7f8ed62bf0999facaab5ac83a07374672a068d16e79a45ac163af10", - "line": 120, - "resource_type": "aws_s3_bucket_public_access_block", - 
"resource_name": "km_public_blob", - "issue_type": "IncorrectValue", - "search_key": "aws_s3_bucket_public_access_block[km_public_blob].block_public_policy", - "search_line": 120, - "search_value": "", - "expected_value": "'block_public_policy' should equal 'true'", - "actual_value": "'block_public_policy' is equal 'false'" - } - ] - }, - { - "query_name": "S3 Bucket SSE Disabled", - "query_id": "6726dcc0-5ff5-459d-b473-a780bef7665c", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Encryption", - "experimental": false, - "description": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required", - "description_id": "b386c506", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "aba464a3fadf8ad9474db05cd833d0a985d92c3ce93703d04528873f9b6a3915", - "line": 112, - "resource_type": "aws_s3_bucket", - "resource_name": "km-public-blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_public_blob]", - "search_line": 112, - "search_value": "", - "expected_value": "'aws_s3_bucket' to have 'server_side_encryption_configuration' associated", - "actual_value": "'aws_s3_bucket' does not have 'server_side_encryption_configuration' associated" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "361b4efcb1cde4c96862ea869b204790fafd39f5df66ab792071043c0ff1d55b", - "line": 104, - "resource_type": "aws_s3_bucket", - "resource_name": "km-blob-storage-${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_blob_storage]", - "search_line": 104, - "search_value": "", - "expected_value": "'aws_s3_bucket' to have 'server_side_encryption_configuration' associated", - "actual_value": "'aws_s3_bucket' does not have 
'server_side_encryption_configuration' associated" - } - ] - }, - { - "query_name": "S3 Bucket Without Enabled MFA Delete", - "query_id": "c5b31ab9-0f26-4a49-b8aa-4cc064392f4d", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Insecure Configurations", - "experimental": false, - "description": "S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=\u003cBUCKET_NAME\u003e --mfa=\u003cMFA_SERIAL_NUMBER\u003e'. Please, also notice that MFA delete can not be used with lifecycle configurations", - "description_id": "e1699d08", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "b1ae5517fdc518d0b9be575dd5b3e1c1e6ec912d134aa4904311221cf9717267", - "line": 104, - "resource_type": "aws_s3_bucket", - "resource_name": "km-blob-storage-${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_blob_storage]", - "search_line": 104, - "search_value": "", - "expected_value": "versioning should be defined and not null", - "actual_value": "versioning is undefined or null" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "d55ab96849a3abf381e2a72fb8dd5bd9928507bff009eab789dcc268e43c0a3c", - "line": 112, - "resource_type": "aws_s3_bucket", - "resource_name": "km-public-blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_public_blob]", - "search_line": 112, - "search_value": "", - "expected_value": "versioning should be defined and not null", - "actual_value": "versioning is undefined or 
null" - } - ] - }, - { - "query_name": "S3 Bucket Without Restriction Of Public Bucket", - "query_id": "1ec253ab-c220-4d63-b2de-5b40e0af9293", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Insecure Configurations", - "experimental": false, - "description": "S3 bucket without restriction of public bucket", - "description_id": "a6e86c32", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "86358229d9bc37d9c656acdcc19623f66ffc0fec727e9d372033e3afe92812af", - "line": 116, - "resource_type": "aws_s3_bucket_public_access_block", - "resource_name": "km_public_blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket_public_access_block[km_public_blob].restrict_public_buckets", - "search_line": 116, - "search_value": "", - "expected_value": "'restrict_public_buckets' should equal 'true'", - "actual_value": "'restrict_public_buckets' is missing", - "remediation": "restrict_public_buckets = true", - "remediation_type": "addition" - } - ] - }, - { - "query_name": "Sensitive Port Is Exposed To Entire Network", - "query_id": "381c3f2a-ef6f-4eff-99f7-b169cda3422c", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Networking and Firewall", - "experimental": false, - "description": "A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol", - "description_id": "5be78364", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "355cc208d2b42fb9d3028cd68b559e1f7deb38b711c7594f6c3865c9a87b2690", - "line": 19, - "resource_type": "aws_security_group", - "resource_name": "km_rds_sg", - "issue_type": "IncorrectValue", - 
"search_key": "aws_security_group[km_rds_sg].ingress", - "search_line": -1, - "search_value": "TCP,5432", - "expected_value": "PostgreSQL (TCP:5432) should not be allowed", - "actual_value": "PostgreSQL (TCP:5432) is allowed" - } - ] - }, - { - "query_name": "Unrestricted Security Group Ingress", - "query_id": "4728cd65-a20c-49da-8b31-9c08b423e4db", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group.html", - "severity": "HIGH", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Networking and Firewall", - "experimental": false, - "description": "Security groups allow ingress from 0.0.0.0:0 and/or ::/0", - "description_id": "ce3ee5e0", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "c1da1442b08a56aaee6835ed501d9c41b2b716392d1a0a4210c584dd0d9ab945", - "line": 23, - "resource_type": "aws_security_group", - "resource_name": "km_rds_sg", - "issue_type": "IncorrectValue", - "search_key": "aws_security_group[km_rds_sg].ingress.cidr_blocks", - "search_line": -1, - "search_value": "", - "expected_value": "One of 'ingress.cidr_blocks' not equal '0.0.0.0/0'", - "actual_value": "One of 'ingress.cidr_blocks' equal '0.0.0.0/0'" - } - ] - }, - { - "query_name": "RDS With Backup Disabled", - "query_id": "1dc73fb4-5b51-430c-8c5f-25dcf9090b02", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance", - "severity": "MEDIUM", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Backup", - "experimental": false, - "description": "Make sure the AWS RDS configuration has automatic backup configured. 
If the retention period is equal to 0 there is no backup", - "description_id": "73fdfe55", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "122c76208d2bcc6912df322620f6af41e053401f9c631fc4223397a408eb30bc", - "line": 45, - "resource_type": "aws_db_instance", - "resource_name": "km_db_${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_db_instance[km_db]", - "search_line": 45, - "search_value": "", - "expected_value": "'backup_retention_period' should be defined, and bigger than '0'", - "actual_value": "'backup_retention_period' is not defined", - "remediation": "backup_retention_period = 12", - "remediation_type": "addition" - } - ] - }, - { - "query_name": "S3 Bucket Allows Public ACL", - "query_id": "d0cc8694-fcad-43ff-ac86-32331d7e867f", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", - "severity": "MEDIUM", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Access Control", - "experimental": false, - "description": "S3 bucket allows public ACL", - "description_id": "7b8886c1", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "9048dc30ba1c1fd9dc333b79a1c7d64f4248791936620ae1c2cd48c69073979c", - "line": 119, - "resource_type": "aws_s3_bucket_public_access_block", - "resource_name": "km_public_blob", - "issue_type": "IncorrectValue", - "search_key": "aws_s3_bucket_public_access_block[km_public_blob].block_public_acls", - "search_line": 119, - "search_value": "", - "expected_value": "'block_public_acls' should equal 'true'", - "actual_value": "'block_public_acls' is equal 'false'", - "remediation": "{\"after\":\"true\",\"before\":\"false\"}", - "remediation_type": "replacement" - } - ] - }, - { - "query_name": "S3 Bucket Logging Disabled", - "query_id": "f861041c-8c9f-4156-acfc-5e6e524f5884", - "query_url": 
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket", - "severity": "MEDIUM", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Observability", - "experimental": false, - "description": "Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable", - "description_id": "fa5c7c72", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "5c063f15602837c91427457956f271b5edaac664e99b65c5b24a14a80ca8270f", - "line": 104, - "resource_type": "aws_s3_bucket", - "resource_name": "km-blob-storage-${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_blob_storage]", - "search_line": 104, - "search_value": "", - "expected_value": "'logging' should be defined and not null", - "actual_value": "'logging' is undefined or null" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "00780173256d4178dc4ac89bf9fd8b008831ac11038e346da1a9f1327fb3eeda", - "line": 112, - "resource_type": "aws_s3_bucket", - "resource_name": "km-public-blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_public_blob]", - "search_line": 112, - "search_value": "", - "expected_value": "'logging' should be defined and not null", - "actual_value": "'logging' is undefined or null" - } - ] - }, - { - "query_name": "S3 Bucket Without Versioning", - "query_id": "568a4d22-3517-44a6-a7ad-6a7eed88722c", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning", - "severity": "MEDIUM", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Observability", - "experimental": false, - "description": "S3 bucket should have versioning enabled", - "description_id": "7614ce3b", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": 
"509918461704df65abe817289305af202e497d40bfb89ad2956a9beb77cf3a22", - "line": 112, - "resource_type": "aws_s3_bucket", - "resource_name": "km-public-blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_public_blob]", - "search_line": 112, - "search_value": "", - "expected_value": "'versioning' should be true", - "actual_value": "'versioning' is undefined or null" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "38962cc6c948dd3fe0402f0d07e2f75578016100b30d2373d46e4ab4f7ce178c", - "line": 104, - "resource_type": "aws_s3_bucket", - "resource_name": "km-blob-storage-${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[km_blob_storage]", - "search_line": 104, - "search_value": "", - "expected_value": "'versioning' should be true", - "actual_value": "'versioning' is undefined or null" - } - ] - }, - { - "query_name": "IAM Access Analyzer Not Enabled", - "query_id": "e592a0c5-5bdb-414c-9066-5dba7cdea370", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer", - "severity": "LOW", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Best Practices", - "experimental": false, - "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", - "description_id": "d03e85ae", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "aa346cd1642a83b40e221f96a43d88dbfacecdf1f8e5314c24145f8d35530197", - "line": 1, - "resource_type": "n/a", - "resource_name": "n/a", - "issue_type": "MissingAttribute", - "search_key": "resource", - "search_line": -1, - "search_value": "", - "expected_value": "'aws_accessanalyzer_analyzer' should be set", - "actual_value": "'aws_accessanalyzer_analyzer' is undefined" - } - ] - }, - { - "query_name": "S3 Bucket Without Ignore Public ACL", - "query_id": 
"4fa66806-0dd9-4f8d-9480-3174d39c7c91", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block", - "severity": "LOW", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Insecure Configurations", - "experimental": false, - "description": "S3 bucket without ignore public ACL", - "description_id": "28aa7150", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "b3adb608012771b9f48979ab7dc1ac8d2e10015f819a9747d2bfa9ce0605bcc2", - "line": 116, - "resource_type": "aws_s3_bucket_public_access_block", - "resource_name": "km_public_blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket_public_access_block[km_public_blob]", - "search_line": 116, - "search_value": "", - "expected_value": "'ignore_public_acls' should equal 'true'", - "actual_value": "'ignore_public_acls' is missing", - "remediation": "ignore_public_acls = true", - "remediation_type": "addition" - } - ] - }, - { - "query_name": "RDS Without Logging", - "query_id": "8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports", - "severity": "INFO", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Observability", - "experimental": false, - "description": "RDS does not have any kind of logger", - "description_id": "c499a58c", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "942cb2428c1404cf3dd69263b23e061188ad715ae1bdb208ffdee775748d7310", - "line": 45, - "resource_type": "aws_db_instance", - "resource_name": "km_db_${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_db_instance[km_db]", - "search_line": 45, - "search_value": "", - "expected_value": "'enabled_cloudwatch_logs_exports' should be defined", - "actual_value": "'enabled_cloudwatch_logs_exports' is 
undefined" - } - ] - }, - { - "query_name": "Resource Not Using Tags", - "query_id": "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging", - "severity": "INFO", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Best Practices", - "experimental": false, - "description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'", - "description_id": "09db2d52", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "e980255919ebad1fa6bf072826d10bdb114216242c4b799709b874cd6c01821a", - "line": 112, - "resource_type": "aws_s3_bucket", - "resource_name": "km_public_blob", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[{{km_public_blob}}]", - "search_line": -1, - "search_value": "", - "expected_value": "aws_s3_bucket[{{km_public_blob}}].tags should be defined and not null", - "actual_value": "aws_s3_bucket[{{km_public_blob}}].tags is undefined or null" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "d0efbf94490b1c485e4e3beeba9a58b51ab430990201f77fa15f6dcfcc2b47cf", - "line": 14, - "resource_type": "aws_security_group", - "resource_name": "km_rds_sg", - "issue_type": "MissingAttribute", - "search_key": "aws_security_group[{{km_rds_sg}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_security_group[{{km_rds_sg}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_security_group[{{km_rds_sg}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "5c2ef181a7e9c643a05e1fd1933024c6127e6f684b9efa8eac31c731084e24cb", - "line": 81, - "resource_type": "aws_ssm_parameter", - "resource_name": 
"/km-${var.environment}/DB_PASSWORD", - "issue_type": "MissingAttribute", - "search_key": "aws_ssm_parameter[{{km_ssm_db_password}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_ssm_parameter[{{km_ssm_db_password}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_ssm_parameter[{{km_ssm_db_password}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "e2e2fdf18bc08f6e1e6c3eeb5ba41d048c64b9768d8fbde9fcdf4fb6135cd4c5", - "line": 5, - "resource_type": "aws_db_subnet_group", - "resource_name": "km_rds_subnet_grp_${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_db_subnet_group[{{km_rds_subnet_grp}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_db_subnet_group[{{km_rds_subnet_grp}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_db_subnet_group[{{km_rds_subnet_grp}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "12ed5c181348f8978b5420692df50488df2c443bc94d541e88da0ba3fa4859a3", - "line": 40, - "resource_type": "aws_kms_key", - "resource_name": "km_db_kms_key", - "issue_type": "MissingAttribute", - "search_key": "aws_kms_key[{{km_db_kms_key}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_kms_key[{{km_db_kms_key}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_kms_key[{{km_db_kms_key}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "576d47fedd6285ef04cb4ab8d878882285db3bac0b00014d3336ae515be6eecc", - "line": 99, - "resource_type": "aws_ssm_parameter", - "resource_name": "/km-${var.environment}/DB_NAME", - "issue_type": "MissingAttribute", - "search_key": 
"aws_ssm_parameter[{{km_ssm_db_name}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_ssm_parameter[{{km_ssm_db_name}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_ssm_parameter[{{km_ssm_db_name}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "a1a197eee9fb03c2c03efea430abaaa73cfc07558c1b83a4f75a6af5d07cf9ca", - "line": 90, - "resource_type": "aws_ssm_parameter", - "resource_name": "/km-${var.environment}/DB_USER", - "issue_type": "MissingAttribute", - "search_key": "aws_ssm_parameter[{{km_ssm_db_user}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_ssm_parameter[{{km_ssm_db_user}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_ssm_parameter[{{km_ssm_db_user}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "c761f7109a1e0e920c17cb03ac0bb4cf44a70e290f5c22aa266201add76a66d8", - "line": 61, - "resource_type": "aws_db_instance", - "resource_name": "km_db_${var.environment}", - "issue_type": "MissingAttribute", - "search_key": "aws_db_instance[{{km_db}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_db_instance[{{km_db}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_db_instance[{{km_db}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "cea4a498e30adf1eff0dabb58fff2bbd92916e63d414c30942945582072ab9e7", - "line": 107, - "resource_type": "aws_s3_bucket", - "resource_name": "km_blob_storage", - "issue_type": "MissingAttribute", - "search_key": "aws_s3_bucket[{{km_blob_storage}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_s3_bucket[{{km_blob_storage}}].tags has 
additional tags defined other than 'Name'", - "actual_value": "aws_s3_bucket[{{km_blob_storage}}].tags does not have additional tags defined other than 'Name'" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "231c25c467fdf7b77e7cdef64dbb1d53a3f77300b0c37b89405ef3c39cdda320", - "line": 72, - "resource_type": "aws_ssm_parameter", - "resource_name": "/km-${var.environment}/DB_HOST", - "issue_type": "MissingAttribute", - "search_key": "aws_ssm_parameter[{{km_ssm_db_host}}].tags", - "search_line": -1, - "search_value": "", - "expected_value": "aws_ssm_parameter[{{km_ssm_db_host}}].tags has additional tags defined other than 'Name'", - "actual_value": "aws_ssm_parameter[{{km_ssm_db_host}}].tags does not have additional tags defined other than 'Name'" - } - ] - }, - { - "query_name": "Security Group Rule Without Description", - "query_id": "cb3f5ed6-0d18-40de-a93d-b3538db31e8c", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description", - "severity": "INFO", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Best Practices", - "experimental": false, - "description": "It's considered a best practice for AWS Security Group to have a description", - "description_id": "bc535d27", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "a5adfd369cfe3afead396d040d83e0137d9d947ecb1f0173c4d6f5102f168398", - "line": 10, - "resource_type": "aws_security_group", - "resource_name": "km_rds_sg", - "issue_type": "MissingAttribute", - "search_key": "aws_security_group[{{km_rds_sg}}]", - "search_line": -1, - "search_value": "", - "expected_value": "aws_security_group[{{km_rds_sg}}] description should be defined and not null", - "actual_value": "aws_security_group[{{km_rds_sg}}] description is undefined or null" - } - ] - }, - { - "query_name": "Security Group Rule Without Description", - "query_id": 
"68eb4bf3-f9bf-463d-b5cf-e029bb446d2e", - "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description", - "severity": "INFO", - "platform": "Terraform", - "cloud_provider": "AWS", - "category": "Best Practices", - "experimental": false, - "description": "It's considered a best practice for all rules in AWS Security Group to have a description", - "description_id": "cee242dd", - "files": [ - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "6763cdfa4cad76f841c28aa4c60469923df6a68cce301656290324d903e999a4", - "line": 27, - "resource_type": "aws_security_group", - "resource_name": "km_rds_sg", - "issue_type": "MissingAttribute", - "search_key": "aws_security_group[{{km_rds_sg}}].egress", - "search_line": 27, - "search_value": "", - "expected_value": "aws_security_group[{{km_rds_sg}}].egress description should be defined and not null", - "actual_value": "aws_security_group[{{km_rds_sg}}].egress description is undefined or null" - }, - { - "file_name": "test\\fixtures\\test_output_path\\main.tf", - "similarity_id": "dfa5d4e0a388e6195eb3c6a93200ca268ad1f9eaf243fa083e8e1a4cc98342d0", - "line": 19, - "resource_type": "aws_security_group", - "resource_name": "km_rds_sg", - "issue_type": "MissingAttribute", - "search_key": "aws_security_group[{{km_rds_sg}}].ingress", - "search_line": 19, - "search_value": "", - "expected_value": "aws_security_group[{{km_rds_sg}}].ingress description should be defined and not null", - "actual_value": "aws_security_group[{{km_rds_sg}}].ingress description is undefined or null" - } - ] - } - ] + "queries": [] } diff --git a/e2e/fixtures/E2E_CLI_082_RESULT b/e2e/fixtures/E2E_CLI_082_RESULT index d5f2649f3ec..0e7222ed831 100644 --- a/e2e/fixtures/E2E_CLI_082_RESULT +++ b/e2e/fixtures/E2E_CLI_082_RESULT 
@@ -1,2 +1,2 @@
-Error: The filename, directory name, or volume label syntax is incorrect. The directory name contains invalid characters.
+Error: the directory name contains invalid characters
 {{.ScanHelp}}
diff --git a/test/fixtures/test_output_path/azuredeploy.json b/test/fixtures/test_output_path/azuredeploy.json
new file mode 100644
index 00000000000..fdde0d8de78
--- /dev/null
+++ b/test/fixtures/test_output_path/azuredeploy.json
@@ -0,0 +1,66 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "acrName": { + "type": "string", + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "Name of your Azure Container Registry" + } + }, + "acrAdminUserEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable admin user that have push / pull permission to the registry." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "acrSku": { + "type": "string", + "metadata": { + "description": "Tier of your Azure Container Registry." + }, + "defaultValue": "Basic", + "allowedValues": [ + "Basic", + "Standard", + "Premium" + ] + } + }, + "resources": [ + { + "name": "[parameters('acrName')]", + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2019-12-01-preview", + "location": "[parameters('location')]", + "comments": "Container registry for storing docker images", + "tags": { + "displayName": "Container Registry", + "container.registry": "[parameters('acrName')]" + }, + "sku": { + "name": "[parameters('acrSku')]", + "tier": "[parameters('acrSku')]" + }, + "properties": { + "adminUserEnabled": "[parameters('acrAdminUserEnabled')]" + } + } + ], + "outputs": { + "acrLoginServer": { + "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-12-01-preview').loginServer]", + "type": "string" + } + } +} diff --git a/test/fixtures/test_output_path/main.tf b/test/fixtures/test_output_path/main.tf deleted file mode 100644 index 73a6d8f59ec..00000000000 --- a/test/fixtures/test_output_path/main.tf +++ /dev/null 
@@ -1,121 +0,0 @@ -resource "aws_db_subnet_group" "km_rds_subnet_grp" { - name = "km_rds_subnet_grp_${var.environment}" - subnet_ids = var.private_subnet - - tags = merge(var.default_tags, { - Name = "km_rds_subnet_grp_${var.environment}" - }) -} - -resource "aws_security_group" "km_rds_sg" { - name = "km_rds_sg" - vpc_id = var.vpc_id - - tags = merge(var.default_tags, { - Name = "km_rds_sg_${var.environment}" - }) - - # HTTP access from anywhere - ingress { - from_port = 5432 - to_port = 5432 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - # outbound internet access - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } -} - -resource "aws_kms_key" "km_db_kms_key" { - description = "KMS Key for DB instance ${var.environment}" - deletion_window_in_days = 10 - enable_key_rotation = true - - tags = merge(var.default_tags, { - Name = "km_db_kms_key_${var.environment}" - }) -} - -resource "aws_db_instance" "km_db" { - name = "km_db_${var.environment}" - allocated_storage = 20 - engine = "postgres" - engine_version = "10.6" - instance_class = "db.t3.medium" - storage_type = "gp2" - password = var.db_password - username = var.db_username - vpc_security_group_ids = [aws_security_group.km_rds_sg.id] - db_subnet_group_name = aws_db_subnet_group.km_rds_subnet_grp.id - identifier = "km-db-${var.environment}" - storage_encrypted = true - skip_final_snapshot = true - final_snapshot_identifier = "km-db-${var.environment}-db-destroy-snapshot" - kms_key_id = aws_kms_key.km_db_kms_key.arn - tags = merge(var.default_tags, { - Name = "km_db_${var.environment}" - }) -} - -resource "aws_ssm_parameter" "km_ssm_db_host" { - name = "/km-${var.environment}/DB_HOST" - description = "Kai Monkey Database" - type = "SecureString" - value = aws_db_instance.km_db.endpoint - - tags = merge(var.default_tags, {}) -} - -resource "aws_ssm_parameter" "km_ssm_db_password" { - name = "/km-${var.environment}/DB_PASSWORD" - description = "Kai Monkey Database 
Password" - type = "SecureString" - value = aws_db_instance.km_db.password - - tags = merge(var.default_tags, {}) -} - -resource "aws_ssm_parameter" "km_ssm_db_user" { - name = "/km-${var.environment}/DB_USER" - description = "Kai Monkey Database Username" - type = "SecureString" - value = aws_db_instance.km_db.username - - tags = merge(var.default_tags, {}) -} - -resource "aws_ssm_parameter" "km_ssm_db_name" { - name = "/km-${var.environment}/DB_NAME" - description = "Kai Monkey Database Name" - type = "SecureString" - value = aws_db_instance.km_db.name - - tags = merge(var.default_tags, { - environment = "${var.environment}" - }) -} - -resource "aws_s3_bucket" "km_blob_storage" { - bucket = "km-blob-storage-${var.environment}" - acl = "private" - tags = merge(var.default_tags, { - name = "km_blob_storage_${var.environment}" - }) -} - -resource "aws_s3_bucket" "km_public_blob" { - bucket = "km-public-blob" -} - -resource "aws_s3_bucket_public_access_block" "km_public_blob" { - bucket = aws_s3_bucket.km_public_blob.id - - block_public_acls = false - block_public_policy = false -} \ No newline at end of file From a23c091f99e0d801c3b1c3e60a583d11b70f8a26 Mon Sep 17 00:00:00 2001 From: JulioSCX Date: Mon, 12 Feb 2024 11:21:49 +0000 Subject: [PATCH 04/17] substituicao do ficheiro de teste e2e --- .../test_output_path/azuredeploy.json | 66 ---------------- test/fixtures/test_output_path/positive1.json | 77 +++++++++++++++++++ 2 files changed, 77 insertions(+), 66 deletions(-) delete mode 100644 test/fixtures/test_output_path/azuredeploy.json create mode 100644 test/fixtures/test_output_path/positive1.json diff --git a/test/fixtures/test_output_path/azuredeploy.json b/test/fixtures/test_output_path/azuredeploy.json deleted file mode 100644 index fdde0d8de78..00000000000 --- a/test/fixtures/test_output_path/azuredeploy.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "acrName": { - "type": "string", - "minLength": 5, - "maxLength": 50, - "metadata": { - "description": "Name of your Azure Container Registry" - } - }, - "acrAdminUserEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Enable admin user that have push / pull permission to the registry." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Location for all resources." - } - }, - "acrSku": { - "type": "string", - "metadata": { - "description": "Tier of your Azure Container Registry." - }, - "defaultValue": "Basic", - "allowedValues": [ - "Basic", - "Standard", - "Premium" - ] - } - }, - "resources": [ - { - "name": "[parameters('acrName')]", - "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2019-12-01-preview", - "location": "[parameters('location')]", - "comments": "Container registry for storing docker images", - "tags": { - "displayName": "Container Registry", - "container.registry": "[parameters('acrName')]" - }, - "sku": { - "name": "[parameters('acrSku')]", - "tier": "[parameters('acrSku')]" - }, - "properties": { - "adminUserEnabled": "[parameters('acrAdminUserEnabled')]" - } - } - ], - "outputs": { - "acrLoginServer": { - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-12-01-preview').loginServer]", - "type": "string" - } - } -} diff --git a/test/fixtures/test_output_path/positive1.json b/test/fixtures/test_output_path/positive1.json new file mode 100644 index 00000000000..4c3b06490fc --- /dev/null +++ b/test/fixtures/test_output_path/positive1.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": false + } + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ] +} From 8326baf76f36e5a214e2ac08ea49907725668261 Mon Sep 17 00:00:00 2001 
From: JulioSCX Date: Mon, 12 Feb 2024 11:41:19 +0000 Subject: [PATCH 05/17] =?UTF-8?q?altera=C3=A7=C3=A3o=20do=20resultado=20es?= =?UTF-8?q?perado=20do=20E2E=2081?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- e2e/fixtures/E2E_CLI_081_RESULT.json | 43 ++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_081_RESULT.json b/e2e/fixtures/E2E_CLI_081_RESULT.json index 14f51de05bc..3c27c616d7b 100644 --- a/e2e/fixtures/E2E_CLI_081_RESULT.json +++ b/e2e/fixtures/E2E_CLI_081_RESULT.json @@ -1,9 +1,9 @@ { "kics_version": "development", "files_scanned": 1, - "lines_scanned": 67, + "lines_scanned": 78, "files_parsed": 1, - "lines_parsed": 67, + "lines_parsed": 78, "lines_ignored": 0, "files_failed_to_scan": 0, "queries_total": 43, 
@@ -11,18 +11,45 @@ "queries_failed_to_compute_similarity_id": 0, "scan_id": "console", "severity_counters": { - "HIGH": 0, + "HIGH": 1, "INFO": 0, "LOW": 0, "MEDIUM": 0, "TRACE": 0 }, - "total_counter": 0, + "total_counter": 1, "total_bom_resources": 0, - "start": "2024-02-12T10:46:29.7261251Z", - "end": "2024-02-12T10:46:32.4822031Z", + "start": "2024-02-12T11:21:19.8490877Z", + "end": "2024-02-12T11:21:22.8440655Z", "paths": [ - "C:\\Users\\julios\\Documents\\repos\\kics\\test\\fixtures\\test_output_path" + "/test\\fixtures\\test_output_path" ], - "queries": [] + "queries": [ + { + "query_name": "Azure Instance Using Basic Authentication", + "query_id": "6797f581-0433-4768-ae3e-7ceb2f8b138e", + "query_url": "https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json#linuxconfiguration-object", + "severity": "HIGH", + "platform": "AzureResourceManager", + "category": "Best Practices", + "experimental": false, + "description": "Azure Instances should use SSH Key instead of basic authentication", + "description_id": "98ba05ca", + "files": [ + { + "file_name": "test\\fixtures\\test_output_path\\positive1.json", + "similarity_id": "42d73d5b2fa1fbcb1145ea43b7dc4ec20f92adda85c61161b6a7714b6cd86219", + "line": 53, + "resource_type": "Microsoft.Compute/virtualMachines", + "resource_name": "[variables('vmName')]", + "issue_type": "IncorrectValue", + "search_key": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "search_line": 53, + "search_value": "", + "expected_value": "'disablePasswordAuthentication' should be set to true", + "actual_value": "'disablePasswordAuthentication' property value is set to false" + } + ] + } + ] } From 25569380d178f1bfb8145219a585a71feaf1f234 Mon Sep 17 00:00:00 2001 
From: JulioSCX
Date: Mon, 12 Feb 2024 12:22:01 +0000
Subject: [PATCH 06/17] alteracao dos output path
---
 e2e/testcases/e2e-cli-081_output_path_valid.go | 2 +-
 e2e/testcases/e2e-cli-082_output_path_invalid.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e/testcases/e2e-cli-081_output_path_valid.go b/e2e/testcases/e2e-cli-081_output_path_valid.go
index b5684a45c2a..a362f3a16d5 100644
--- a/e2e/testcases/e2e-cli-081_output_path_valid.go
+++ b/e2e/testcases/e2e-cli-081_output_path_valid.go
@@ -9,7 +9,7 @@ func init() { //nolint
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
 "--output-name", "E2E_CLI_081_RESULT",
- "-p", "\"/path/test\fixtures\test_output_path\"",
+ "-p", "\"/path/test/fixtures/test_output_path\"",
 },
 },
 ExpectedResult: []ResultsValidation{
diff --git a/e2e/testcases/e2e-cli-082_output_path_invalid.go b/e2e/testcases/e2e-cli-082_output_path_invalid.go
index 2e7333a1cfd..b68ef31b3d9 100644
--- a/e2e/testcases/e2e-cli-082_output_path_invalid.go
+++ b/e2e/testcases/e2e-cli-082_output_path_invalid.go
@@ -9,7 +9,7 @@ func init() { //nolint
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output?",
 "--output-name", "E2E_CLI_082_RESULT",
- "-p", "\"/path/test\fixtures\test_output_path\"",
+ "-p", "\"/path/test/fixtures/test_output_path\"",
 },
 },
 ExpectedOut: []string{
From e94912db94c256206b8cebb0b80f5002660680f8 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 12 Feb 2024 13:43:18 +0000
Subject: [PATCH 07/17] alteracao do resultado esperado
---
 e2e/fixtures/E2E_CLI_081_RESULT.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/e2e/fixtures/E2E_CLI_081_RESULT.json b/e2e/fixtures/E2E_CLI_081_RESULT.json
index 3c27c616d7b..055b9cee8ca 100644
--- a/e2e/fixtures/E2E_CLI_081_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_081_RESULT.json
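Review bot: The new `-p` value still wraps the path in escaped double quotes, `"\"/path/test/fixtures/test_output_path\""`, so the slice element handed to the scan command carries literal `"` characters at both ends; nothing here goes through a shell, so unless the e2e harness strips them when it rewrites the `/path/` prefix (that code is not visible here) the scanner receives a quoted path. The plain form `"-p", "/path/test/fixtures/test_output_path",` removes the question, and the same applies to the e2e-cli-082 hunk below. The enclosing `init()` starts and ends outside both hunks.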
@@ -19,10 +19,10 @@
 },
 "total_counter": 1,
 "total_bom_resources": 0,
- "start": "2024-02-12T11:21:19.8490877Z",
- "end": "2024-02-12T11:21:22.8440655Z",
+ "start": "2024-02-12T12:34:07.3154393Z",
+ "end": "2024-02-12T12:34:25.658434Z",
 "paths": [
- "/test\\fixtures\\test_output_path"
+ "/path/test/fixtures/test_output_path"
 ],
 "queries": [
 {
@@ -37,7 +37,7 @@
 "description_id": "98ba05ca",
 "files": [
 {
- "file_name": "test\\fixtures\\test_output_path\\positive1.json",
+ "file_name": "..\\test\\fixtures\\test_output_path\\positive1.json",
 "similarity_id": "42d73d5b2fa1fbcb1145ea43b7dc4ec20f92adda85c61161b6a7714b6cd86219",
 "line": 53,
 "resource_type": "Microsoft.Compute/virtualMachines",
From 8638a3894329e1ea47e01dfb284285b0339a7582 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 19 Feb 2024 10:58:59 +0000
Subject: [PATCH 08/17] improved regex catching more cases and added new tests
---
 internal/console/flags/validate_path.go | 4 +-
 internal/console/flags/validate_path_test.go | 56 +++++++++++++++++++-
 2 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index afccfe8a091..afab17c5bd4 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
@@ -6,9 +6,9 @@ import (
 )

 func validatePath(flagName string) error {
- regex := regexp.MustCompile(`[<>"|?*]`)
+ regex := regexp.MustCompile(`^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$|^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`)

- isValid := !regex.MatchString(GetStrFlag(flagName))
+ isValid := regex.MatchString(GetStrFlag(flagName))

 if !isValid {
 return errors.New("the directory name contains invalid characters")
diff --git a/internal/console/flags/validate_path_test.go b/internal/console/flags/validate_path_test.go
index bf6e2cecde5..d5beb232151 100644
--- a/internal/console/flags/validate_path_test.go
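Review bot: `regexp.MustCompile` runs on every call of validatePath, once per validated flag; compile it once at package scope, `var outputPathRegex = regexp.MustCompile(...)`, and use `outputPathRegex.MatchString(...)` here — the later hunks of this series (PATCH 09 through 15) keep the per-call compile. The separator class `[\\|\/]` admits a literal `|` as a path separator, so `fil|es` is accepted while only a trailing `|` is rejected; PATCH 14 later narrows the class to `[\\\/]`, and a test case with an interior `|` would pin that. The excluded set is the Windows reserved one: `:`, `?`, `*`, `<` and `>` are legal in POSIX file names, so on Linux/macOS this rejects output paths the OS accepts — if that is intended, say so in a comment above the regex, otherwise gate the check on `runtime.GOOS == "windows"`. validatePath's closing `return nil` lies outside the hunk.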
+++ b/internal/console/flags/validate_path_test.go
@@ -22,7 +22,19 @@ func TestFlags_validatePathEnum(t *testing.T) {
 {
 name: "should execute fine",
 flagName: "output-path",
- flagValue: "C:\\Users\\user\\files",
+ flagValue: "/file",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "file",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "C:\\Users\\user\\.file",
 wantErr: false,
 },
 {
@@ -31,6 +43,36 @@ func TestFlags_validatePathEnum(t *testing.T) {
 flagValue: "/user/files",
 wantErr: false,
 },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "\\user\\file",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "user\\file",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "./user/files",
+ wantErr: false,
+ },
+ {
+ name: "should execute fine",
+ flagName: "output-path",
+ flagValue: "../user/files",
+ wantErr: false,
+ },
+ {
+ name: "should return an error regarding invalid characters (*)",
+ flagName: "output-path",
+ flagValue: "../user/fil*es",
+ wantErr: true,
+ },
 {
 name: "should return an error regarding invalid characters (|)",
 flagName: "output-path",
@@ -49,6 +91,12 @@ func TestFlags_validatePathEnum(t *testing.T) {
 flagValue: "C:/Users/user/files/?",
 wantErr: true,
 },
+ {
+ name: "should return an error regarding invalid characters (?)",
+ flagName: "output-path",
+ flagValue: "..\file?",
+ wantErr: true,
+ },
 {
 name: "should return an error regarding invalid characters (>)",
 flagName: "output-path",
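Review bot: The new `(?)` case uses the interpreted string `"..\file?"`, in which Go reads `\f` as a form feed, so the value under test is `..`, a form-feed byte, `ile?` rather than a backslash-relative path; the case still errors, but only because of the `?`, so the `..\` prefix branch of the regex is never exercised by it. Write it `"..\\file?"` as the other backslash cases in this file do. Separately, the five cases added in the `@@ -31,6 +43,36 @@` hunk all reuse the name "should execute fine"; naming each after the form it checks (e.g. `name: "should accept ./ relative path",`) lets a failure report locate itself. TestFlags_validatePathEnum starts and ends outside these hunks.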
@@ -67,6 +115,12 @@ func TestFlags_validatePathEnum(t *testing.T) {
 flagValue: "C:/Users/user/files/*",
 wantErr: true,
 },
+ {
+ name: "should return an error regarding invalid characters",
+ flagName: "output-path",
+ flagValue: "c:/**/:??/folder",
+ wantErr: true,
+ },
 }
 for _, test := range tests {
 flagsStrReferences[test.flagName] = &test.flagValue
From 376311405c50a903fb4a50036a70a93911b34096 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 19 Feb 2024 11:52:03 +0000
Subject: [PATCH 09/17] fixed issue where scan wasn't working if output flag wasn't used
---
 internal/console/flags/validate_path.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index afab17c5bd4..9373b6ce06a 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
@@ -8,7 +8,8 @@ import (
 func validatePath(flagName string) error {
 regex := regexp.MustCompile(`^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$|^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`)

- isValid := regex.MatchString(GetStrFlag(flagName))
+ path := GetStrFlag(flagName)
+ isValid := regex.MatchString(path) || len(path) == 0

 if !isValid {
 return errors.New("the directory name contains invalid characters")
From 2052df6e8fb6bdc6fede77b37eb39b35b488c88c Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 19 Feb 2024 12:42:13 +0000
Subject: [PATCH 10/17] lint related changes
---
 internal/console/flags/validate_path.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index 9373b6ce06a..aff103d48be 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
@@ -9,7 +9,7 @@ func validatePath(flagName string) error {
 regex := regexp.MustCompile(`^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$|^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`)

 path := GetStrFlag(flagName)
- isValid := regex.MatchString(path) || len(path) == 0
+ isValid := regex.MatchString(path) || path == ""

 if !isValid {
 return errors.New("the directory name contains invalid characters")
From c5aa5939d30594319db2d855081b7046ec888431 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 19 Feb 2024 15:01:06 +0000
Subject: [PATCH 11/17] lint changes
---
 internal/console/flags/validate_path.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index aff103d48be..2d1628c20cd 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
@@ -6,7 +6,9 @@ import (
 )

 func validatePath(flagName string) error {
- regex := regexp.MustCompile(`^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$|^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`)
+ relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`
+ absPath := `^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`
+ regex := regexp.MustCompile(relPath + `|` + absPath)

 path := GetStrFlag(flagName)
 isValid := regex.MatchString(path) || path == ""
From 3b76b7ed803fc20a48a507115768e0308aafa0a6 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 19 Feb 2024 15:21:55 +0000
Subject: [PATCH 12/17] lint fixes
---
 internal/console/flags/validate_path.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index 2d1628c20cd..15ca35d9376 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
@@ -6,7 +6,7 @@ import (
 )

 func validatePath(flagName string) error {
- relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`
+ relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(\/|\\)?$`
 absPath := `^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`
 regex := regexp.MustCompile(relPath + `|` + absPath)

From 9137ee939b849031450b554b05f48b6fe59b5468 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Tue, 20 Feb 2024 09:35:41 +0000
Subject: [PATCH 13/17] updated regex to support trailing slashes
---
 internal/console/flags/validate_path.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index 15ca35d9376..d62e9ceb1e0 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
@@ -7,7 +7,7 @@ import (

 func validatePath(flagName string) error {
 relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(\/|\\)?$`
- absPath := `^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+$`
+ absPath := `^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(?:\/|\\)?$`
 regex := regexp.MustCompile(relPath + `|` + absPath)

 path := GetStrFlag(flagName)
From 3951d6f91b2e910bac252dd5448d722e31280bc3 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Wed, 21 Feb 2024 14:56:42 +0000
Subject: [PATCH 14/17] updated error message and fixed regex
---
 internal/console/flags/validate_path.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index d62e9ceb1e0..f186c52bbe9 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
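Review bot: The optional trailing separator is a capturing group `(\/|\\)?` in relPath (context line) but a non-capturing `(?:\/|\\)?` in the new absPath; only MatchString is ever used, so the capture buys nothing and the mismatch reads as accidental. Make the two agree by ending relPath with `[^<>:"\/\\|?*]+(?:\/|\\)?$`. The function body continues outside the hunk.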
@@ -2,19 +2,23 @@ package flags

 import (
 "errors"
+ "fmt"
 "regexp"
 )

 func validatePath(flagName string) error {
- relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(\/|\\)?$`
- absPath := `^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(?:\/|\\)?$`
+ relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\\/])*[^<>:"\/\\|?*]+(\/|\\)?$`
+ absPath := `^[a-zA-Z]:[\\\/](?:[^<>:"\/\\|?*]+[\\\/])*[^<>:"\/\\|?*]+(?:\/|\\)?$`
 regex := regexp.MustCompile(relPath + `|` + absPath)

 path := GetStrFlag(flagName)
 isValid := regex.MatchString(path) || path == ""

+ fmt.Println(flagName, GetStrFlag(flagName))
+
 if !isValid {
- return errors.New("the directory name contains invalid characters")
+ errorMsg := "the directory name you provided for the " + flagName + " flag contains invalid characters"
+ return errors.New(errorMsg)
 }

 return nil
From 4edfed9d600452facc916e99f68a2fbc1b1ac77a Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Wed, 21 Feb 2024 14:56:42 +0000
Subject: [PATCH 15/17] updated error message and fixed regex
---
 internal/console/flags/validate_path.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go
index d62e9ceb1e0..9582128ff6c 100644
--- a/internal/console/flags/validate_path.go
+++ b/internal/console/flags/validate_path.go
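Review bot: `fmt.Println(flagName, GetStrFlag(flagName))` writes to stdout on every flag validation, which a CLI whose results are consumed by tooling should not do; it reads as a leftover debug statement (PATCH 16 in this series removes it again). The error is built by concatenation and wrapped in `errors.New`; with `fmt` already imported, `return fmt.Errorf("the directory name you provided for the %s flag contains invalid characters", flagName)` is the idiomatic form and yields the identical message — the PATCH 15 and PATCH 16 hunks carry the same concatenation. Keeping the flag's value out of the message, as done here, is fine since the caller already knows what they passed.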
@@ -6,15 +6,16 @@ import ( ) func validatePath(flagName string) error { - relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(\/|\\)?$` - absPath := `^[a-zA-Z]:[\\|\/](?:[^<>:"\/\\|?*]+[\\|\/])*[^<>:"\/\\|?*]+(?:\/|\\)?$` + relPath := `^(?:\.\.\\|\.\\|\.\.\/|\.\/|\\|\/)?(?:[^<>:"\/\\|?*]+[\\\/])*[^<>:"\/\\|?*]+(\/|\\)?$` + absPath := `^[a-zA-Z]:[\\\/](?:[^<>:"\/\\|?*]+[\\\/])*[^<>:"\/\\|?*]+(?:\/|\\)?$` regex := regexp.MustCompile(relPath + `|` + absPath) path := GetStrFlag(flagName) isValid := regex.MatchString(path) || path == "" if !isValid { - return errors.New("the directory name contains invalid characters") + errorMsg := "the directory name you provided for the " + flagName + " flag contains invalid characters" + return errors.New(errorMsg) } return nil From 2e73af3bbf8408e1dc20dc12721f54d153edadf5 Mon Sep 17 00:00:00 2001 From: JulioSCX Date: Wed, 21 Feb 2024 15:02:07 +0000 Subject: [PATCH 16/17] removed unnecessary print --- internal/console/flags/validate_path.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/internal/console/flags/validate_path.go b/internal/console/flags/validate_path.go index f186c52bbe9..9582128ff6c 100644 --- a/internal/console/flags/validate_path.go +++ b/internal/console/flags/validate_path.go @@ -2,7 +2,6 @@ package flags import ( "errors" - "fmt" "regexp" ) @@ -14,8 +13,6 @@ func validatePath(flagName string) error { path := GetStrFlag(flagName) isValid := regex.MatchString(path) || path == "" - fmt.Println(flagName, GetStrFlag(flagName)) - if !isValid { errorMsg := "the directory name you provided for the " + flagName + " flag contains invalid characters" return errors.New(errorMsg) From b60807cfef2c523c50be963a1dab405129e61a1e Mon Sep 17 00:00:00 2001 From: JulioSCX Date: Wed, 21 Feb 2024 15:59:12 +0000 Subject: [PATCH 17/17] changed e2e test to reflect changes to the error message --- e2e/fixtures/E2E_CLI_082_RESULT | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
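Review bot: The class `[^<>:"\/\\|?*]` rejects `:`, `<`, `>`, `"`, `|`, `?` and `*` unconditionally, yet only Windows treats these as invalid in file names; on Linux or macOS a legitimate output directory such as `reports/run:1` is now refused with the new "contains invalid characters" error. If the intent is to catch names the host OS will refuse, select the reserved set by `runtime.GOOS`; if the Windows rule is deliberately applied everywhere so result paths stay portable, say so in a comment above the patterns. The `|| path == ""` bypass presumably means "flag not set" rather than "empty path is valid"; a short comment such as `// an unset flag is left for the caller to default` would make that explicit. validatePath's closing brace lies outside this hunk.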
diff --git a/e2e/fixtures/E2E_CLI_082_RESULT b/e2e/fixtures/E2E_CLI_082_RESULT
index 0e7222ed831..da4219a4fa0 100644
--- a/e2e/fixtures/E2E_CLI_082_RESULT
+++ b/e2e/fixtures/E2E_CLI_082_RESULT
@@ -1,2 +1,2 @@
-Error: the directory name contains invalid characters
+Error: the directory name you provided for the output-path flag contains invalid characters
 {{.ScanHelp}}
