From ced544749b6e2c7989f8ca124e06bc23ba72ee47 Mon Sep 17 00:00:00 2001
From: achia
Date: Tue, 13 Dec 2022 14:02:14 +0200
Subject: [PATCH 1/7] conflict

---
 tests/terraform/runner/test_plan_runner.py | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/tests/terraform/runner/test_plan_runner.py b/tests/terraform/runner/test_plan_runner.py
index 9ac10634018..2643f75a775 100644
--- a/tests/terraform/runner/test_plan_runner.py
+++ b/tests/terraform/runner/test_plan_runner.py
@@ -645,6 +645,39 @@ def test_runner_extra_check(self):
         resource_ids = [check.resource for check in report.failed_checks]
         self.assertCountEqual(resource_ids,["aws_secretsmanager_secret.default", "aws_secretsmanager_secret.default"])
 
+    def test_runner_with_iam_policies(self):
+        # given
+        tf_file_path = Path(__file__).parent / "resources/plan_with_iam_policies/tfplan.json"
+
+        passing_resources = {
+            "aws_iam_policy.policy_pass",
+        }
+        failing_resources = {
+            "aws_iam_role_policy.fail_1",
+            "aws_iam_group_policy.fail_2",
+            "aws_iam_user_policy.fail_3",
+        }
+
+        # when
+        report = Runner().run(
+            root_folder=None,
+            files=[str(tf_file_path)],
+            external_checks_dir=None,
+            runner_filter=RunnerFilter(framework=["terraform_plan"], checks=["CKV2_AWS_40"]),
+        )
+
+        # then
+        summary = report.get_summary()
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 3)
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
     def test_runner_nested_child_modules_with_connections(self):
         # given
         tf_file_path = Path(__file__).parent / "resources/plan_nested_child_modules_with_connections/tfplan.json"

From b47dc024fd42dbec5f6cc27c5bd3b5f57ca09421 Mon Sep 17 00:00:00 2001
From: achia
Date: Tue, 13 Dec 2022 14:04:34 +0200
Subject: [PATCH 2/7] Revert "conflict"

This reverts commit ced544749b6e2c7989f8ca124e06bc23ba72ee47.

---
 tests/terraform/runner/test_plan_runner.py | 33 ----------------------
 1 file changed, 33 deletions(-)

diff --git a/tests/terraform/runner/test_plan_runner.py b/tests/terraform/runner/test_plan_runner.py
index 2643f75a775..9ac10634018 100644
--- a/tests/terraform/runner/test_plan_runner.py
+++ b/tests/terraform/runner/test_plan_runner.py
@@ -645,39 +645,6 @@ def test_runner_extra_check(self):
         resource_ids = [check.resource for check in report.failed_checks]
         self.assertCountEqual(resource_ids,["aws_secretsmanager_secret.default", "aws_secretsmanager_secret.default"])
 
-    def test_runner_with_iam_policies(self):
-        # given
-        tf_file_path = Path(__file__).parent / "resources/plan_with_iam_policies/tfplan.json"
-
-        passing_resources = {
-            "aws_iam_policy.policy_pass",
-        }
-        failing_resources = {
-            "aws_iam_role_policy.fail_1",
-            "aws_iam_group_policy.fail_2",
-            "aws_iam_user_policy.fail_3",
-        }
-
-        # when
-        report = Runner().run(
-            root_folder=None,
-            files=[str(tf_file_path)],
-            external_checks_dir=None,
-            runner_filter=RunnerFilter(framework=["terraform_plan"], checks=["CKV2_AWS_40"]),
-        )
-
-        # then
-        summary = report.get_summary()
-
-        self.assertEqual(summary["passed"], 1)
-        self.assertEqual(summary["failed"], 3)
-
-        passed_check_resources = {c.resource for c in report.passed_checks}
-        failed_check_resources = {c.resource for c in report.failed_checks}
-
-        self.assertEqual(passing_resources, passed_check_resources)
-        self.assertEqual(failing_resources, failed_check_resources)
-
     def test_runner_nested_child_modules_with_connections(self):
         # given
         tf_file_path = Path(__file__).parent / "resources/plan_nested_child_modules_with_connections/tfplan.json"

From bca8d9aec6c214cbb7f9ff5697a9deca47354e4b Mon Sep 17 00:00:00 2001
From: Adam Varsano
Date: Sun, 15 Jan 2023 16:32:12 +0200
Subject: [PATCH 3/7] revert

---
 poetry.lock | 145 +++++++++++++++++++++++++++++++++++++++++++++++++
 pyproject.toml | 15 +++++
 2 files changed, 160 insertions(+)
 create mode 100644 poetry.lock
 create mode 100644 pyproject.toml

diff --git a/poetry.lock b/poetry.lock
new file mode 100644
index 00000000000..b74ee8b1f0f
--- /dev/null
+++ b/poetry.lock
@@ -0,0 +1,145 @@ +[[package]] +name = "attrs" +version = "22.1.0" +description = "Classes Without Boilerplate" +category = "main" +optional = false +python-versions = ">=3.5" + +[package.extras] +dev = ["cloudpickle", "coverage[toml] (>=5.0.2)", "furo", "hypothesis", "mypy (>=0.900,!=0.940)", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "sphinx", "sphinx-notfound-page", "zope.interface"] +docs = ["furo", "sphinx", "sphinx-notfound-page", "zope.interface"] +tests = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy (>=0.900,!=0.940)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "zope.interface"] +tests-no-zope = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy (>=0.900,!=0.940)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins"] + +[[package]] +name = "colorama" +version = "0.4.6" +description = "Cross-platform colored terminal text." +category = "main" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" + +[[package]] +name = "exceptiongroup" +version = "1.0.1" +description = "Backport of PEP 654 (exception groups)" +category = "main" +optional = false +python-versions = ">=3.7" + +[package.extras] +test = ["pytest (>=6)"] + +[[package]] +name = "iniconfig" +version = "1.1.1" +description = "iniconfig: brain-dead simple config-ini parsing" +category = "main" +optional = false +python-versions = "*" + +[[package]] +name = "packaging" +version = "21.3" +description = "Core utilities for Python packages" +category = "main" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +pyparsing = ">=2.0.2,<3.0.5 || >3.0.5" + +[[package]] +name = "pluggy" +version = "1.0.0" +description = "plugin and hook calling mechanisms for python" +category = "main" +optional = false +python-versions = ">=3.6" + +[package.extras] +dev = ["pre-commit", "tox"] +testing = ["pytest", "pytest-benchmark"] + +[[package]] +name = "pyparsing" +version = "3.0.9" 
+description = "pyparsing module - Classes and methods to define and execute parsing grammars" +category = "main" +optional = false +python-versions = ">=3.6.8" + +[package.extras] +diagrams = ["jinja2", "railroad-diagrams"] + +[[package]] +name = "pytest" +version = "7.2.0" +description = "pytest: simple powerful testing with Python" +category = "main" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +attrs = ">=19.2.0" +colorama = {version = "*", markers = "sys_platform == \"win32\""} +exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} +iniconfig = "*" +packaging = "*" +pluggy = ">=0.12,<2.0" +tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} + +[package.extras] +testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] + +[[package]] +name = "tomli" +version = "2.0.1" +description = "A lil' TOML parser" +category = "main" +optional = false +python-versions = ">=3.7" + +[metadata] +lock-version = "1.1" +python-versions = "^3.9" +content-hash = "184bbdd4f7036f8bd4b4ca54b41173f41cd07763ee4eaabd95a96c9a13c0da86" + +[metadata.files] +attrs = [ + {file = "attrs-22.1.0-py2.py3-none-any.whl", hash = "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"}, + {file = "attrs-22.1.0.tar.gz", hash = "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6"}, +] +colorama = [ + {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, + {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, +] +exceptiongroup = [ + {file = "exceptiongroup-1.0.1-py3-none-any.whl", hash = "sha256:4d6c0aa6dd825810941c792f53d7b8d71da26f5e5f84f20f9508e8f2d33b140a"}, + {file = "exceptiongroup-1.0.1.tar.gz", hash = "sha256:73866f7f842ede6cb1daa42c4af078e2035e5f7607f0e2c762cc51bb31bbe7b2"}, +] +iniconfig = [ + 
{file = "iniconfig-1.1.1-py2.py3-none-any.whl", hash = "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3"}, + {file = "iniconfig-1.1.1.tar.gz", hash = "sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32"}, +] +packaging = [ + {file = "packaging-21.3-py3-none-any.whl", hash = "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"}, + {file = "packaging-21.3.tar.gz", hash = "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb"}, +] +pluggy = [ + {file = "pluggy-1.0.0-py2.py3-none-any.whl", hash = "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"}, + {file = "pluggy-1.0.0.tar.gz", hash = "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159"}, +] +pyparsing = [ + {file = "pyparsing-3.0.9-py3-none-any.whl", hash = "sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc"}, + {file = "pyparsing-3.0.9.tar.gz", hash = "sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb"}, +] +pytest = [ + {file = "pytest-7.2.0-py3-none-any.whl", hash = "sha256:892f933d339f068883b6fd5a459f03d85bfcb355e4981e146d2c7616c21fef71"}, + {file = "pytest-7.2.0.tar.gz", hash = "sha256:c4014eb40e10f11f355ad4e3c2fb2c6c6d1919c73f3b5a433de4708202cade59"}, +] +tomli = [ + {file = "tomli-2.0.1-py3-none-any.whl", hash = "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc"}, + {file = "tomli-2.0.1.tar.gz", hash = "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"}, +] diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 00000000000..8995d3a3d9a --- /dev/null +++ b/pyproject.toml @@ -0,0 +1,15 @@ +[tool.poetry] +name = "checkov" +version = "0.1.0" +description = "" +authors = ["Adam Varsano "] +readme = "README.md" + +[tool.poetry.dependencies] +python = "^3.9" +pytest = "^7.2.0" + + +[build-system] +requires = ["poetry-core"] +build-backend = "poetry.core.masonry.api" 
From 09a81cb2ed89099273ac01f32e4a8429d1a32c52 Mon Sep 17 00:00:00 2001
From: Adam Varsano
Date: Sun, 15 Jan 2023 16:32:51 +0200
Subject: [PATCH 4/7] revert

---
 poetry.lock | 145 -------------------------------------------------
 pyproject.toml | 15 -----
 2 files changed, 160 deletions(-)
 delete mode 100644 poetry.lock
 delete mode 100644 pyproject.toml

diff --git a/poetry.lock b/poetry.lock
deleted file mode 100644
index b74ee8b1f0f..00000000000
--- a/poetry.lock
+++ /dev/null
@@ -1,145 +0,0 @@ -[[package]] -name = "attrs" -version = "22.1.0" -description = "Classes Without Boilerplate" -category = "main" -optional = false -python-versions = ">=3.5" - -[package.extras] -dev = ["cloudpickle", "coverage[toml] (>=5.0.2)", "furo", "hypothesis", "mypy (>=0.900,!=0.940)", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "sphinx", "sphinx-notfound-page", "zope.interface"] -docs = ["furo", "sphinx", "sphinx-notfound-page", "zope.interface"] -tests = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy (>=0.900,!=0.940)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "zope.interface"] -tests-no-zope = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy (>=0.900,!=0.940)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins"] - -[[package]] -name = "colorama" -version = "0.4.6" -description = "Cross-platform colored terminal text." -category = "main" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" - -[[package]] -name = "exceptiongroup" -version = "1.0.1" -description = "Backport of PEP 654 (exception groups)" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "iniconfig" -version = "1.1.1" -description = "iniconfig: brain-dead simple config-ini parsing" -category = "main" -optional = false -python-versions = "*" - -[[package]] -name = "packaging" -version = "21.3" -description = "Core utilities for Python packages" -category = "main" -optional = false -python-versions = ">=3.6" - -[package.dependencies] -pyparsing = ">=2.0.2,<3.0.5 || >3.0.5" - -[[package]] -name = "pluggy" -version = "1.0.0" -description = "plugin and hook calling mechanisms for python" -category = "main" -optional = false -python-versions = ">=3.6" - -[package.extras] -dev = ["pre-commit", "tox"] -testing = ["pytest", "pytest-benchmark"] - -[[package]] -name = "pyparsing" -version = "3.0.9" 
-description = "pyparsing module - Classes and methods to define and execute parsing grammars" -category = "main" -optional = false -python-versions = ">=3.6.8" - -[package.extras] -diagrams = ["jinja2", "railroad-diagrams"] - -[[package]] -name = "pytest" -version = "7.2.0" -description = "pytest: simple powerful testing with Python" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -attrs = ">=19.2.0" -colorama = {version = "*", markers = "sys_platform == \"win32\""} -exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} -iniconfig = "*" -packaging = "*" -pluggy = ">=0.12,<2.0" -tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} - -[package.extras] -testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] - -[[package]] -name = "tomli" -version = "2.0.1" -description = "A lil' TOML parser" -category = "main" -optional = false -python-versions = ">=3.7" - -[metadata] -lock-version = "1.1" -python-versions = "^3.9" -content-hash = "184bbdd4f7036f8bd4b4ca54b41173f41cd07763ee4eaabd95a96c9a13c0da86" - -[metadata.files] -attrs = [ - {file = "attrs-22.1.0-py2.py3-none-any.whl", hash = "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"}, - {file = "attrs-22.1.0.tar.gz", hash = "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6"}, -] -colorama = [ - {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, - {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, -] -exceptiongroup = [ - {file = "exceptiongroup-1.0.1-py3-none-any.whl", hash = "sha256:4d6c0aa6dd825810941c792f53d7b8d71da26f5e5f84f20f9508e8f2d33b140a"}, - {file = "exceptiongroup-1.0.1.tar.gz", hash = "sha256:73866f7f842ede6cb1daa42c4af078e2035e5f7607f0e2c762cc51bb31bbe7b2"}, -] -iniconfig = [ - 
{file = "iniconfig-1.1.1-py2.py3-none-any.whl", hash = "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3"}, - {file = "iniconfig-1.1.1.tar.gz", hash = "sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32"}, -] -packaging = [ - {file = "packaging-21.3-py3-none-any.whl", hash = "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"}, - {file = "packaging-21.3.tar.gz", hash = "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb"}, -] -pluggy = [ - {file = "pluggy-1.0.0-py2.py3-none-any.whl", hash = "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"}, - {file = "pluggy-1.0.0.tar.gz", hash = "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159"}, -] -pyparsing = [ - {file = "pyparsing-3.0.9-py3-none-any.whl", hash = "sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc"}, - {file = "pyparsing-3.0.9.tar.gz", hash = "sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb"}, -] -pytest = [ - {file = "pytest-7.2.0-py3-none-any.whl", hash = "sha256:892f933d339f068883b6fd5a459f03d85bfcb355e4981e146d2c7616c21fef71"}, - {file = "pytest-7.2.0.tar.gz", hash = "sha256:c4014eb40e10f11f355ad4e3c2fb2c6c6d1919c73f3b5a433de4708202cade59"}, -] -tomli = [ - {file = "tomli-2.0.1-py3-none-any.whl", hash = "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc"}, - {file = "tomli-2.0.1.tar.gz", hash = "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"}, -] diff --git a/pyproject.toml b/pyproject.toml deleted file mode 100644 index 8995d3a3d9a..00000000000 --- a/pyproject.toml +++ /dev/null @@ -1,15 +0,0 @@ -[tool.poetry] -name = "checkov" -version = "0.1.0" -description = "" -authors = ["Adam Varsano "] -readme = "README.md" - -[tool.poetry.dependencies] -python = "^3.9" -pytest = "^7.2.0" - - -[build-system] -requires = ["poetry-core"] -build-backend = "poetry.core.masonry.api" 
From 95e15ed829c33e77e693844d181f259519b23370 Mon Sep 17 00:00:00 2001
From: Adam Varsano
Date: Sun, 15 Jan 2023 16:34:06 +0200
Subject: [PATCH 5/7] revert

---
 poetry.lock | 145 -------------------------------------------------
 pyproject.toml | 15 -----
 2 files changed, 160 deletions(-)
 delete mode 100644 poetry.lock
 delete mode 100644 pyproject.toml

diff --git a/poetry.lock b/poetry.lock
deleted file mode 100644
index b74ee8b1f0f..00000000000
--- a/poetry.lock
+++ /dev/null
@@ -1,145 +0,0 @@ -[[package]] -name = "attrs" -version = "22.1.0" -description = "Classes Without Boilerplate" -category = "main" -optional = false -python-versions = ">=3.5" - -[package.extras] -dev = ["cloudpickle", "coverage[toml] (>=5.0.2)", "furo", "hypothesis", "mypy (>=0.900,!=0.940)", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "sphinx", "sphinx-notfound-page", "zope.interface"] -docs = ["furo", "sphinx", "sphinx-notfound-page", "zope.interface"] -tests = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy (>=0.900,!=0.940)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "zope.interface"] -tests-no-zope = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy (>=0.900,!=0.940)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins"] - -[[package]] -name = "colorama" -version = "0.4.6" -description = "Cross-platform colored terminal text." -category = "main" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" - -[[package]] -name = "exceptiongroup" -version = "1.0.1" -description = "Backport of PEP 654 (exception groups)" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "iniconfig" -version = "1.1.1" -description = "iniconfig: brain-dead simple config-ini parsing" -category = "main" -optional = false -python-versions = "*" - -[[package]] -name = "packaging" -version = "21.3" -description = "Core utilities for Python packages" -category = "main" -optional = false -python-versions = ">=3.6" - -[package.dependencies] -pyparsing = ">=2.0.2,<3.0.5 || >3.0.5" - -[[package]] -name = "pluggy" -version = "1.0.0" -description = "plugin and hook calling mechanisms for python" -category = "main" -optional = false -python-versions = ">=3.6" - -[package.extras] -dev = ["pre-commit", "tox"] -testing = ["pytest", "pytest-benchmark"] - -[[package]] -name = "pyparsing" -version = "3.0.9" 
-description = "pyparsing module - Classes and methods to define and execute parsing grammars" -category = "main" -optional = false -python-versions = ">=3.6.8" - -[package.extras] -diagrams = ["jinja2", "railroad-diagrams"] - -[[package]] -name = "pytest" -version = "7.2.0" -description = "pytest: simple powerful testing with Python" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -attrs = ">=19.2.0" -colorama = {version = "*", markers = "sys_platform == \"win32\""} -exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} -iniconfig = "*" -packaging = "*" -pluggy = ">=0.12,<2.0" -tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} - -[package.extras] -testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] - -[[package]] -name = "tomli" -version = "2.0.1" -description = "A lil' TOML parser" -category = "main" -optional = false -python-versions = ">=3.7" - -[metadata] -lock-version = "1.1" -python-versions = "^3.9" -content-hash = "184bbdd4f7036f8bd4b4ca54b41173f41cd07763ee4eaabd95a96c9a13c0da86" - -[metadata.files] -attrs = [ - {file = "attrs-22.1.0-py2.py3-none-any.whl", hash = "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"}, - {file = "attrs-22.1.0.tar.gz", hash = "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6"}, -] -colorama = [ - {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, - {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, -] -exceptiongroup = [ - {file = "exceptiongroup-1.0.1-py3-none-any.whl", hash = "sha256:4d6c0aa6dd825810941c792f53d7b8d71da26f5e5f84f20f9508e8f2d33b140a"}, - {file = "exceptiongroup-1.0.1.tar.gz", hash = "sha256:73866f7f842ede6cb1daa42c4af078e2035e5f7607f0e2c762cc51bb31bbe7b2"}, -] -iniconfig = [ - 
{file = "iniconfig-1.1.1-py2.py3-none-any.whl", hash = "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3"}, - {file = "iniconfig-1.1.1.tar.gz", hash = "sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32"}, -] -packaging = [ - {file = "packaging-21.3-py3-none-any.whl", hash = "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"}, - {file = "packaging-21.3.tar.gz", hash = "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb"}, -] -pluggy = [ - {file = "pluggy-1.0.0-py2.py3-none-any.whl", hash = "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"}, - {file = "pluggy-1.0.0.tar.gz", hash = "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159"}, -] -pyparsing = [ - {file = "pyparsing-3.0.9-py3-none-any.whl", hash = "sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc"}, - {file = "pyparsing-3.0.9.tar.gz", hash = "sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb"}, -] -pytest = [ - {file = "pytest-7.2.0-py3-none-any.whl", hash = "sha256:892f933d339f068883b6fd5a459f03d85bfcb355e4981e146d2c7616c21fef71"}, - {file = "pytest-7.2.0.tar.gz", hash = "sha256:c4014eb40e10f11f355ad4e3c2fb2c6c6d1919c73f3b5a433de4708202cade59"}, -] -tomli = [ - {file = "tomli-2.0.1-py3-none-any.whl", hash = "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc"}, - {file = "tomli-2.0.1.tar.gz", hash = "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"}, -] diff --git a/pyproject.toml b/pyproject.toml deleted file mode 100644 index 8995d3a3d9a..00000000000 --- a/pyproject.toml +++ /dev/null @@ -1,15 +0,0 @@ -[tool.poetry] -name = "checkov" -version = "0.1.0" -description = "" -authors = ["Adam Varsano "] -readme = "README.md" - -[tool.poetry.dependencies] -python = "^3.9" -pytest = "^7.2.0" - - -[build-system] -requires = ["poetry-core"] -build-backend = "poetry.core.masonry.api" 
From b62d3c4cd049764d1ceedf4a34d3524272600e68 Mon Sep 17 00:00:00 2001
From: rshamasnah
Date: Wed, 15 Mar 2023 16:14:43 +0200
Subject: [PATCH 6/7] support scope as list

---
 checkov/common/checks_infra/checks_parser.py | 62 ++++++++++++++++++--
 1 file changed, 57 insertions(+), 5 deletions(-)

diff --git a/checkov/common/checks_infra/checks_parser.py b/checkov/common/checks_infra/checks_parser.py
index 311427397c5..b8eb406c949 100644
--- a/checkov/common/checks_infra/checks_parser.py
+++ b/checkov/common/checks_infra/checks_parser.py
@@ -1,6 +1,7 @@
 from __future__ import annotations
 
-from typing import Dict, Any, List, Optional, Type, TYPE_CHECKING
+import logging
+from typing import Dict, Any, List, Optional, Type, TYPE_CHECKING, cast
 
 from checkov.common.checks_infra.solvers import (
     EqualsAttributeSolver,
@@ -53,6 +54,7 @@
     NumberOfWordsGreaterThanOrEqualAttributeSolver,
     NumberOfWordsLessThanAttributeSolver,
     NumberOfWordsLessThanOrEqualAttributeSolver,
+    NotWithinAttributeSolver,
 )
 from checkov.common.checks_infra.solvers.connections_solvers.connection_one_exists_solver import \
     ConnectionOneExistsSolver
@@ -80,6 +82,7 @@
     "contains": ContainsAttributeSolver,
     "not_exists": NotExistsAttributeSolver,
     "within": WithinAttributeSolver,
+    "not_within": NotWithinAttributeSolver,
     "not_contains": NotContainsAttributeSolver,
     "starting_with": StartingWithAttributeSolver,
     "not_starting_with": NotStartingWithAttributeSolver,
@@ -146,21 +149,56 @@ JSONPATH_PREFIX = "jsonpath_"
 
 
-class NXGraphCheckParser(BaseGraphCheckParser):
+class GraphCheckParser(BaseGraphCheckParser):
+    def validate_check_config(self, file_path: str, raw_check: dict[str, dict[str, Any]]) -> bool:
+        missing_fields = []
+
+        # check existence of metadata block
+        if "metadata" in raw_check:
+            metadata = raw_check["metadata"]
+            if "id" not in metadata:
+                missing_fields.append("metadata.id")
+            if "name" not in metadata:
+                missing_fields.append("metadata.name")
+            if "category" not in metadata:
+                missing_fields.append("metadata.category")
+        else:
+            missing_fields.extend(("metadata.id", "metadata.name", "metadata.category"))
+
+        # check existence of definition block
+        if "definition" not in raw_check:
+            missing_fields.append("definition")
+
+        if missing_fields:
+            logging.warning(f"Custom policy {file_path} is missing required fields {', '.join(missing_fields)}")
+            return False
+
+        # check if definition block is not obviously invalid
+        definition = raw_check["definition"]
+        if not isinstance(definition, (list, dict)):
+            logging.warning(
+                f"Custom policy {file_path} has an invalid 'definition' block type '{type(definition).__name__}', "
+                "needs to be either a 'list' or 'dict'"
+            )
+            return False
+
+        return True
+
     def parse_raw_check(self, raw_check: Dict[str, Dict[str, Any]], **kwargs: Any) -> BaseGraphCheck:
         policy_definition = raw_check.get("definition", {})
-        check = self._parse_raw_check(policy_definition, kwargs.get("resources_types"))
+        check = self._parse_raw_check(policy_definition, kwargs.get("resources_types"), raw_check)
         check.id = raw_check.get("metadata", {}).get("id", "")
         check.name = raw_check.get("metadata", {}).get("name", "")
         check.category = raw_check.get("metadata", {}).get("category", "")
         check.frameworks = raw_check.get("metadata", {}).get("frameworks", [])
         check.guideline = raw_check.get("metadata", {}).get("guideline")
+        check.check_path = kwargs.get("check_path", "")
         solver = self.get_check_solver(check)
         check.set_solver(solver)
         return check
 
-    def _parse_raw_check(self, raw_check: Dict[str, Any], resources_types: Optional[List[str]]) -> BaseGraphCheck:
+    def _parse_raw_check(self, raw_check: Dict[str, Any], resources_types: Optional[List[str]], json_check: Dict[str, Any]) -> BaseGraphCheck:
         check = BaseGraphCheck()
         complex_operator = get_complex_operator(raw_check)
         if complex_operator:
@@ -174,7 +212,7 @@ def _parse_raw_check(self, raw_check: Dict[str, Any], resources_types: Optional[
                 sub_solvers = [sub_solvers]
 
             for sub_solver in sub_solvers:
-                check.sub_checks.append(self._parse_raw_check(sub_solver, resources_types))
+                check.sub_checks.append(self._parse_raw_check(sub_solver, resources_types, json_check))
             resources_types_of_sub_solvers = [
                 force_list(q.resource_types) for q in check.sub_checks if q is not None and q.resource_types is not None
             ]
@@ -190,6 +228,15 @@ def _parse_raw_check(self, raw_check: Dict[str, Any], resources_types: Optional[
                 or (isinstance(resource_type, list) and resource_type[0].lower() == "all")
             ):
                 check.resource_types = resources_types or []
+            elif "provider" in resource_type:
+                provider = json_check.get("scope", {}).get("provider", "")
+                provider_type = ""
+                if cast(str, provider):
+                    provider_type = provider.lower()
+                elif cast(list, provider):
+                    provider_type = provider[0].lower()
+                check.resource_types.append(f"provider.{provider_type}")
+
             else:
                 check.resource_types = resource_type
 
@@ -251,6 +298,11 @@ def get_check_solver(self, check: BaseGraphCheck) -> BaseSolver:
         return solver
 
 
+class NXGraphCheckParser(GraphCheckParser):
+    # TODO: delete after downstream adjustments
+    pass
+
+
 def get_complex_operator(raw_check: Dict[str, Any]) -> Optional[str]:
     for operator in operators_to_complex_solver_classes.keys():
         if raw_check.get(operator):

From e46f155290d47f9c95ac8d9818e1ed0368d960ac Mon Sep 17 00:00:00 2001
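Review bot: `validate_check_config` checks that the `metadata` and `definition` keys exist but not that `metadata` is a mapping, so a policy whose `metadata` is a plain string passes the `"id" not in metadata` test as a substring check and is only rejected later when `parse_raw_check` calls `.get()` on it. A guard mirroring the `definition` type check below, e.g. `if not isinstance(metadata, dict): missing_fields.extend(("metadata.id", "metadata.name", "metadata.category"))`, would keep the validation self-contained. Nothing in this hunk calls `validate_check_config` before `parse_raw_check`; if the caller lives elsewhere, a docstring line on `parse_raw_check` such as `"""Build a BaseGraphCheck from a raw policy dict; expects raw_check to have passed validate_check_config."""` would record that contract. The `GraphCheckParser` class continues past the end of this hunk.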
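Review bot: `cast(str, provider)` and `cast(list, provider)` in the new `elif "provider" in resource_type` branch are no-ops at runtime — `typing.cast` returns its argument unchanged — so the `if` is taken for any non-empty `provider`, a list included, and `provider.lower()` then raises `AttributeError: 'list' object has no attribute 'lower'`; the `elif` is unreachable for the list case this commit is meant to support. Replace them with real type checks: `if isinstance(provider, str): provider_type = provider.lower()` and `elif isinstance(provider, list) and provider: provider_type = str(provider[0]).lower()`. When `scope.provider` is absent the branch still appends `"provider."` with an empty suffix as a resource type, which presumably matches nothing; skipping the append or emitting a `logging.warning` for a missing scope would stop a mis-scoped policy from silently never running. `_parse_raw_check` starts and ends outside this hunk.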
From: ChanochShayner
Date: Tue, 17 Oct 2023 15:28:40 +0300
Subject: [PATCH 7/7] Support merge inside jsondecode

---
 .../variable_rendering/evaluate_terraform.py | 11 ++++
 .../main.tf | 27 ++++++++++
 .../jsonpath_equals_solver/EcsWithMerge.yaml | 11 ++++
 .../jsonpath_equals_solver/test_solver.py | 9 ++++
 .../graph/resources/ecs_with_merge/main.tf | 53 +++++++++++++++++++
 5 files changed, 111 insertions(+)
 create mode 100644 tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/EcsWithMerge.yaml
 create mode 100644 tests/terraform/graph/resources/ecs_with_merge/main.tf

diff --git a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
index 5899ff67445..0e677f4269b 100644
--- a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
+++ b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
@@ -57,9 +57,20 @@ def evaluate_terraform(input_str: Any, keep_interpolations: bool = True) -> Any:
     elif not keep_interpolations and second_evaluated_value == value_after_removing_interpolations:
         return value_before_removing_interpolations
     else:
+        second_evaluated_value = _eval_merge_as_list(second_evaluated_value)
         return second_evaluated_value
 
 
+def _eval_merge_as_list(eval_value):
+    """
+    Edge case for an eval in eval.
+    UT for this: test_jsonpath_equals_ecs_with_merge
+    """
+    if eval_value and isinstance(eval_value, list) and isinstance(eval_value[0], str) and eval_value[0].startswith('merge'):
+        return _try_evaluate(eval_value[0])
+    return eval_value
+
+
 def _try_evaluate(input_str: Union[str, bool]) -> Any:
     try:
         return evaluate(input_str)
diff --git a/tests/terraform/checks/resource/aws/example_ECSTaskDefinitionRoleCheck/main.tf b/tests/terraform/checks/resource/aws/example_ECSTaskDefinitionRoleCheck/main.tf
index ad2b7a5da3d..e95e509720d 100644
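Review bot: `_eval_merge_as_list` only looks at `eval_value[0]` and returns the result of evaluating that one element in place of the whole list, so a task definition such as `jsonencode([merge(...), { name = "sidecar", image = "..." }])` loses every container after the first, and a policy over `container_definitions.*.image` would never see them — a quiet false negative for exactly the kind of check the test adds. The `startswith('merge')` prefix test is also broader than intended; a string value like `"merged"` would be pushed through `_try_evaluate`, whereas `startswith("merge(")` pins it to a call. Evaluating each string element that is a `merge(` call and keeping the other elements preserves the list shape the `[...]` in the HCL declares; the original returns whatever `_try_evaluate` yields for the first element, so please confirm `test_jsonpath_equals_ecs_with_merge` still passes with a list of dicts (I cannot see how the jsonpath `*` is resolved from here). A type annotation and a docstring that says what "eval in eval" means would help the next reader.
```python
def _eval_merge_as_list(eval_value: Any) -> Any:
    """
    Edge case for an eval in eval: a list whose string items are still unevaluated
    merge(...) calls (e.g. jsonencode([merge({...}, {...})])). Each such item is
    evaluated in place; all other items and non-list values are returned untouched.
    UT for this: test_jsonpath_equals_ecs_with_merge
    """
    if not isinstance(eval_value, list):
        return eval_value
    return [
        _try_evaluate(item) if isinstance(item, str) and item.startswith("merge(") else item
        for item in eval_value
    ]
```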
--- a/tests/terraform/checks/resource/aws/example_ECSTaskDefinitionRoleCheck/main.tf
+++ b/tests/terraform/checks/resource/aws/example_ECSTaskDefinitionRoleCheck/main.tf
@@ -38,4 +38,31 @@ resource "aws_ecs_task_definition" "fail" {
   ])
   execution_role_arn = "aws_iam_role.example.arn"
   task_role_arn = "aws_iam_role.example.arn"
+}
+
+resource "aws_ecs_task_definition" "service01" {
+  family = "service"
+  container_definitions = jsonencode([
+    merge(
+      {
+        name = "first"
+        image = "service-first"
+      },
+      {
+        cpu = 10
+        memory = 512
+        essential = true
+        portMappings = [
+          {
+            containerPort = 80
+            hostPort = 80
+          }
+        ]
+      }
+    )
+  ])
+  volume {
+    name = "service-storage"
+    host_path = "/ecs/service-storage"
+  }
 }
\ No newline at end of file
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/EcsWithMerge.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/EcsWithMerge.yaml
new file mode 100644
index 00000000000..19d1b07373c
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/EcsWithMerge.yaml
@@ -0,0 +1,11 @@
+metadata:
+  id: "CUSTOM_003"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "aws_ecs_task_definition"
+  attribute: "container_definitions.*.image"
+  operator: "equals"
+  value: "service-first"
\ No newline at end of file
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py
index 8d4612c6731..e0b9e3d0c49 100644
--- a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py
+++ b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py
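Review bot: The new `EcsWithMerge.yaml` policy carries only `metadata.id`; the `validate_check_config` added earlier in this series (patch 6) treats `metadata.name` and `metadata.category` as required and returns `False` with a "missing required fields" warning when they are absent. I cannot tell from here whether the solver test harness runs that validation, but if it does (or starts to) this fixture is silently skipped and the test stops exercising the merge path. Adding `name:` and `category:` entries under `metadata`, matching whatever the sibling fixtures in this directory use, removes the dependency on that ordering. The file is also committed without a trailing newline.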
@@ -36,3 +36,12 @@ def test_jsonpath_equals_azure_rule(self):
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_jsonpath_equals_ecs_with_merge(self):
+        root_folder = '../../../resources/ecs_with_merge'
+        check_id = "CUSTOM_003"
+        should_pass = ['aws_ecs_task_definition.service01']
+        should_fail = ['aws_ecs_task_definition.service02']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
diff --git a/tests/terraform/graph/resources/ecs_with_merge/main.tf b/tests/terraform/graph/resources/ecs_with_merge/main.tf
new file mode 100644
index 00000000000..431e2f7a2a6
--- /dev/null
+++ b/tests/terraform/graph/resources/ecs_with_merge/main.tf
@@ -0,0 +1,53 @@
+resource "aws_ecs_task_definition" "service01" {
+  family = "service"
+  container_definitions = jsonencode([
+    merge(
+      {
+        name = "first"
+        image = "service-first"
+      },
+      {
+        cpu = 10
+        memory = 512
+        essential = true
+        portMappings = [
+          {
+            containerPort = 80
+            hostPort = 80
+          }
+        ]
+      }
+    )
+  ])
+  volume {
+    name = "service-storage"
+    host_path = "/ecs/service-storage"
+  }
+}
+
+resource "aws_ecs_task_definition" "service02" {
+  family = "service"
+  container_definitions = jsonencode([
+    merge(
+      {
+        name = "first"
+        image = "service"
+      },
+      {
+        cpu = 10
+        memory = 512
+        essential = true
+        portMappings = [
+          {
+            containerPort = 80
+            hostPort = 80
+          }
+        ]
+      }
+    )
+  ])
+  volume {
+    name = "service-storage"
+    host_path = "/ecs/service-storage"
+  }
+}
\ No newline at end of file