Merge pull request fanal#321 from owenrumney/owenr-add-cfsec-support

add support for cfsec

Author: owenrumney

analyzer/config/cloudformation/cloudformation.go

@@ -0,0 +1,76 @@
+package cloudformation
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"regexp"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/types"
+)
+
+const version = 1
+
+var requiredExts = []string{".yaml", ".json", ".yml"}
+
+var awsConfigurationRegex = regexp.MustCompile(`(?i)(?m)^\s*?["|]?AWSTemplateFormatVersion[:|"]?`)
+var cloudFormationMatchRegex = []*regexp.Regexp{
+	regexp.MustCompile(`(?i)(?m)^\s*?["|]?Resources[:|"]?`),
+	regexp.MustCompile(`(?i)(?m)^\s*?["|]?Parameters[:|"]?`),
+}
+
+type ConfigAnalyzer struct {
+}
+
+func NewConfigAnalyzer() ConfigAnalyzer {
+	return ConfigAnalyzer{}
+}
+
+// Analyze returns a results of CloudFormation file
+func (a ConfigAnalyzer) Analyze(_ context.Context, target analyzer.AnalysisTarget) (*analyzer.AnalysisResult, error) {
+
+	if looksLikeCloudFormation(target.Content) {
+		return &analyzer.AnalysisResult{
+			Configs: []types.Config{
+				{
+					Type:     types.CloudFormation,
+					FilePath: filepath.Join(target.Dir, target.FilePath),
+				},
+			},
+		}, nil
+	}
+	return &analyzer.AnalysisResult{}, nil
+}
+
+func (a ConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+	for _, extension := range requiredExts {
+		if filepath.Ext(filePath) == extension {
+			return true
+		}
+	}
+	return false
+}
+
+func (ConfigAnalyzer) Type() analyzer.Type {
+	return analyzer.TypeCloudFormation
+}
+
+func (ConfigAnalyzer) Version() int {
+	return version
+}
+
+func looksLikeCloudFormation(content []byte) bool {
+
+	if awsConfigurationRegex.MatchString(string(content)) {
+		return true
+	}
+
+	for _, regex := range cloudFormationMatchRegex {
+		if !regex.MatchString(string(content)) {
+			return false
+		}
+	}
+
+	return true
+}

analyzer/config/cloudformation/cloudformation_test.go

@@ -0,0 +1,133 @@
+package cloudformation
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestConfigAnalyzer_Required(t *testing.T) {
+	tests := []struct {
+		name     string
+		filePath string
+		want     bool
+	}{
+		{
+			name:     "CloudFormation yaml",
+			filePath: "main.yaml",
+			want:     true,
+		},
+		{
+			name:     "Cloudformation JSON",
+			filePath: "main.json",
+			want:     true,
+		},
+		{
+			name:     "non CloudFormation yaml",
+			filePath: "k8s.yaml",
+			want:     true,
+		},
+		{
+			name:     "non CloudFormation json",
+			filePath: "random.yaml",
+			want:     true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := ConfigAnalyzer{}
+			got := a.Required(tt.filePath, nil)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestConfigAnalyzer_Analyzed(t *testing.T) {
+	tests := []struct {
+		name     string
+		content  string
+		filePath string
+		want     int
+	}{
+		{
+			name: "CloudFormation yaml",
+			content: `---
+Parameters:
+  SomeParameter:
+Resources:
+  SomeResource:
+    Type: Something
+`,
+			filePath: "main.yaml",
+			want:     1,
+		},
+		{
+			name: "Cloudformation JSON",
+			content: `{
+  "Parameters": {
+    "SomeParameter": null
+  },
+  "Resources": {
+    "SomeResource": {
+      "Type": "Something"
+    }
+  }
+}`,
+			filePath: "main.json",
+			want:     1,
+		},
+		{
+			name: "non CloudFormation yaml",
+			content: `---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  minReadySeconds: 5
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+`,
+			filePath: "k8s.yaml",
+			want:     0,
+		},
+		{
+			name: "non CloudFormation json",
+			content: `{
+  "foo": [ 
+       "baaaaa", 
+       "bar", 
+       "baa"
+    ]
+}
+`,
+			filePath: "random.yaml",
+			want:     0,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := ConfigAnalyzer{}
+			got, err := a.Analyze(context.Background(), analyzer.AnalysisTarget{
+				FilePath: tt.filePath,
+				Content:  []byte(tt.content),
+			})
+			require.NoError(t, err)
+			assert.Len(t, got.Configs, tt.want)
+		})
+	}
+}

analyzer/config/config.go

@@ -5,6 +5,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/aquasecurity/fanal/analyzer/config/cloudformation"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/fanal/analyzer"
@@ -68,6 +69,7 @@ func RegisterConfigAnalyzers(filePatterns []string) error {
 	analyzer.RegisterAnalyzer(hcl.NewConfigAnalyzer(hclRegexp))
 	analyzer.RegisterAnalyzer(json.NewConfigAnalyzer(jsonRegexp))
 	analyzer.RegisterAnalyzer(terraform.NewConfigAnalyzer())
+	analyzer.RegisterAnalyzer(cloudformation.NewConfigAnalyzer())
 	analyzer.RegisterAnalyzer(toml.NewConfigAnalyzer(tomlRegexp))
 	analyzer.RegisterAnalyzer(yaml.NewConfigAnalyzer(yamlRegexp))
 

analyzer/const.go

@@ -67,12 +67,13 @@ const (
 	// =================
 	// Structured Config
 	// =================
-	TypeYaml       Type = "yaml"
-	TypeTOML       Type = "toml"
-	TypeJSON       Type = "json"
-	TypeDockerfile Type = "dockerfile"
-	TypeHCL        Type = "hcl"
-	TypeTerraform  Type = "terraform"
+	TypeYaml           Type = "yaml"
+	TypeTOML           Type = "toml"
+	TypeJSON           Type = "json"
+	TypeDockerfile     Type = "dockerfile"
+	TypeHCL            Type = "hcl"
+	TypeTerraform      Type = "terraform"
+	TypeCloudFormation Type = "cloudFormation"
 )
 
 var (