Merge pull request fanal#336 from aquasecurity/owenr-update-tfsec-and-cfsec

owenrumney · web-flow · commit bb5abd4cc7f1 · 2021-11-30T14:55:58.000Z
chore(deps): updating code scanning
diff --git a/config/scanner/scanner.go b/config/scanner/scanner.go
@@ -135,7 +135,7 @@ func (s Scanner) scanCloudFormationByCFSec(files []types.Config) ([]types.Miscon
 			misconfResult := types.MisconfResult{
 				Message: result.Description,
 				PolicyMetadata: types.PolicyMetadata{
-					ID:                 result.AVDID,
+					ID:                 result.RuleID,
 					Type:               "Cloudformation Security Check powered by cfsec",
 					Title:              result.RuleSummary,
 					Description:        result.Impact,
@@ -145,14 +145,21 @@ func (s Scanner) scanCloudFormationByCFSec(files []types.Config) ([]types.Miscon
 				},
 				IacMetadata: types.IacMetadata{
 					Resource:  result.Resource,
+					Provider:  result.RuleProvider.DisplayName(),
+					Service:   result.RuleService,
 					StartLine: result.Location.StartLine,
 					EndLine:   result.Location.EndLine,
 				},
 			}
 
-			filePath, err := filepath.Rel(rootDir, result.Location.Filename)
+			filename := result.Location.Filename
+			if filename == "" {
+				filename = file.FilePath
+			}
+
+			filePath, err := filepath.Rel(rootDir, filename)
 			if err != nil {
-				return nil, xerrors.Errorf("filepath rel: %w", err)
+				return nil, xerrors.Errorf("filepath rel, root: [%s], result: [%s] %w", rootDir, file.FilePath, err)
 			}
 
 			misconf, ok := misConfs[filePath]
@@ -211,11 +218,12 @@ func (s Scanner) scanTerraformByTFSec(files []types.Config) ([]types.Misconfigur
 			},
 			IacMetadata: types.IacMetadata{
 				Resource:  result.Resource,
+				Provider:  result.RuleProvider.DisplayName(),
+				Service:   result.RuleService,
 				StartLine: result.Location.StartLine,
 				EndLine:   result.Location.EndLine,
 			},
 		}
-
 		filePath, err := filepath.Rel(rootDir, result.Range().Filename)
 		if err != nil {
 			return nil, xerrors.Errorf("filepath rel: %w", err)
diff --git a/config/scanner/scanner_test.go b/config/scanner/scanner_test.go
@@ -85,6 +85,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
+							Provider:  "AWS",
+							Service:   "s3",
 							StartLine: 12,
 							EndLine:   24,
 						},
@@ -101,6 +103,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 							References:         []string{"https://cfsec.dev/docs/s3/no-public-access-with-acl/#s3", "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html"},
 						}, IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
+							Provider:  "AWS",
+							Service:   "s3",
 							StartLine: 12,
 							EndLine:   24,
 						},
@@ -118,6 +122,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
+							Provider:  "AWS",
+							Service:   "s3",
 							StartLine: 12,
 							EndLine:   24,
 						},
@@ -137,8 +143,10 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
-							StartLine: 12,
-							EndLine:   24,
+							Provider:  "AWS",
+							Service:   "s3",
+							StartLine: 18,
+							EndLine:   18,
 						},
 					},
 					{
@@ -154,8 +162,10 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
-							StartLine: 12,
-							EndLine:   24,
+							Provider:  "AWS",
+							Service:   "s3",
+							StartLine: 19,
+							EndLine:   19,
 						},
 					},
 					{
@@ -171,7 +181,9 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
-							StartLine: 12,
+							Provider:  "AWS",
+							Service:   "s3",
+							StartLine: 24,
 							EndLine:   24,
 						},
 					},
@@ -188,6 +200,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
+							Provider:  "AWS",
+							Service:   "s3",
 							StartLine: 12,
 							EndLine:   24,
 						},
@@ -205,6 +219,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
+							Provider:  "AWS",
+							Service:   "s3",
 							StartLine: 12,
 							EndLine:   24,
 						},
@@ -222,8 +238,10 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "S3Bucket",
-							StartLine: 12,
-							EndLine:   24,
+							Provider:  "AWS",
+							Service:   "s3",
+							StartLine: 21,
+							EndLine:   21,
 						},
 					},
 				},
@@ -253,6 +271,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "aws_security_group_rule.my-rule",
+							Provider:  "AWS",
+							Service:   "vpc",
 							StartLine: 1,
 							EndLine:   4,
 						},
@@ -268,6 +288,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "aws_security_group_rule.my-rule",
+							Provider:  "AWS",
+							Service:   "vpc",
 							StartLine: 1,
 							EndLine:   4,
 						},
@@ -283,6 +305,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "aws_security_group_rule.my-rule",
+							Provider:  "General",
+							Service:   "secrets",
 							StartLine: 1,
 							EndLine:   4,
 						},
@@ -298,6 +322,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "azurerm_managed_disk.source",
+							Provider:  "General",
+							Service:   "secrets",
 							StartLine: 10,
 							EndLine:   14,
 						},
@@ -313,6 +339,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "aws_security_group_rule.my-rule",
+							Provider:  "General",
+							Service:   "secrets",
 							StartLine: 1,
 							EndLine:   4,
 						},
@@ -328,6 +356,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "azurerm_managed_disk.source",
+							Provider:  "General",
+							Service:   "secrets",
 							StartLine: 10,
 							EndLine:   14,
 						},
@@ -344,6 +374,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "variable.enableEncryption",
+							Provider:  "General",
+							Service:   "secrets",
 							StartLine: 6,
 							EndLine:   8,
 						},
@@ -359,6 +391,8 @@ func TestScanner_ScanConfig(t *testing.T) {
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "variable.enableEncryption",
+							Provider:  "General",
+							Service:   "secrets",
 							StartLine: 6,
 							EndLine:   8,
 						},
@@ -375,14 +409,16 @@ func TestScanner_ScanConfig(t *testing.T) {
 							RecommendedActions: "Add descriptions for all security groups and rules",
 							Severity:           "LOW",
 							References: []string{
-								"https://tfsec.dev/docs/aws/vpc/add-description-to-security-group#aws/vpc",
+								"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/add-description-to-security-group",
 								"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
 								"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
 								"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
 							},
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "aws_security_group_rule.my-rule",
+							Provider:  "AWS",
+							Service:   "vpc",
 							StartLine: 1,
 							EndLine:   4,
 						},
@@ -397,13 +433,15 @@ func TestScanner_ScanConfig(t *testing.T) {
 							RecommendedActions: "Set a more restrictive cidr range",
 							Severity:           "CRITICAL",
 							References: []string{
-								"https://tfsec.dev/docs/aws/vpc/no-public-ingress-sgr#aws/vpc",
+								"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr",
 								"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks",
 								"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
 							},
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "aws_security_group_rule.my-rule",
+							Provider:  "AWS",
+							Service:   "vpc",
 							StartLine: 3,
 							EndLine:   3,
 						},
@@ -418,13 +456,15 @@ func TestScanner_ScanConfig(t *testing.T) {
 							RecommendedActions: "Enable encryption on managed disks",
 							Severity:           "HIGH",
 							References: []string{
-								"https://tfsec.dev/docs/azure/compute/enable-disk-encryption#azure/compute",
+								"https://aquasecurity.github.io/tfsec/latest/checks/azure/compute/enable-disk-encryption",
 								"https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk",
 								"https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption",
 							},
 						},
 						IacMetadata: types.IacMetadata{
 							Resource:  "azurerm_managed_disk.source",
+							Provider:  "Azure",
+							Service:   "compute",
 							StartLine: 12,
 							EndLine:   12,
 						},
diff --git a/go.mod b/go.mod
@@ -6,11 +6,11 @@ require (
 	github.com/BurntSushi/toml v0.4.1
 	github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0
 	github.com/alicebob/miniredis/v2 v2.16.0
-	github.com/aquasecurity/cfsec v0.0.12
-	github.com/aquasecurity/defsec v0.0.30
+	github.com/aquasecurity/cfsec v0.2.2
+	github.com/aquasecurity/defsec v0.0.37
 	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
 	github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
-	github.com/aquasecurity/tfsec v0.59.0
+	github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa
 	github.com/aws/aws-sdk-go v1.42.0
 	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
diff --git a/go.sum b/go.sum
@@ -190,19 +190,18 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/
 github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/cfsec v0.0.12 h1:6zvaJ34qKbElT5CyeMDre5WxtphPCt+XXKqz0Atj14s=
-github.com/aquasecurity/cfsec v0.0.12/go.mod h1:26CqZRuXnPWAEqN2duORHQAPfz8Fh5FjVE+AT0wu78k=
-github.com/aquasecurity/defsec v0.0.30 h1:7GSGUUH0xeWRlyLeksdYz+PLZqQu6taICzapGvdlu4c=
-github.com/aquasecurity/defsec v0.0.30/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220 h1:4ck6/2PNmzcNPUgFT3gCq6oVFB/Do/qiasRuBL9xGDI=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
+github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz1no=
+github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
+github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
+github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
 github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 h1:zYNhYU4HUqJq+Lqhwf68gvd+v0cKqM2XOmggtHYLkoU=
 github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
-github.com/aquasecurity/tfsec v0.58.14/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
-github.com/aquasecurity/tfsec v0.59.0 h1:HATgpKbiUEWnJ8PU3CJpHMJCEhVgJG9E32m7uEp44oo=
-github.com/aquasecurity/tfsec v0.59.0/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
+github.com/aquasecurity/tfsec v0.61.3 h1:jaBuFaq/0YDDqHeTR+SkD/A1XShN0+9W9/rPGlw7kmQ=
+github.com/aquasecurity/tfsec v0.61.3/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
+github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa h1:mgG6allqccyBmaE0qnWFl39ju156yqNVTd0D/xwuVko=
+github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -1075,7 +1074,6 @@ github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
 github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/owenrumney/go-sarif v1.0.10/go.mod h1:sgJM0ZaZ28jT8t8Iq3/mUCFBW9cX09EobIBXYOhiYBc=
-github.com/owenrumney/go-sarif v1.0.11/go.mod h1:hTBFbxU7GuVRUvwMx+eStp9M/Oun4xHCS3vqpPvket8=
 github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
 github.com/owenrumney/squealer v0.2.28 h1:LYsqUHal+5QlANjbZ+h44SN5kIZSfHCWKUzBAS1KwB0=
 github.com/owenrumney/squealer v0.2.28/go.mod h1:wwVPzhjiUBILIdDtnzGSEcapXczIj/tONP+ZJ49IhPY=
@@ -1335,7 +1333,6 @@ github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
 github.com/zclconf/go-cty v1.6.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.8.4/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
 github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
diff --git a/types/misconf.go b/types/misconf.go
@@ -30,8 +30,10 @@ type MisconfResults []MisconfResult
 
 type IacMetadata struct {
 	Resource  string `json:",omitempty"`
-	StartLine int `json:",omitempty"`
-	EndLine   int `json:",omitempty"`
+	Provider  string `json:",omitempty"`
+	Service   string `json:",omitempty"`
+	StartLine int    `json:",omitempty"`
+	EndLine   int    `json:",omitempty"`
 }
 
 type PolicyMetadata struct {
