fix(general): Fix sast & cdk integration tests

.github/workflows/pr-test.yml

@@ -146,8 +146,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: [ "3.8" ]
-        os: [ ubuntu-latest, macos-latest]
+        python: ["3.8", "3.11"]
+        os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
@@ -170,8 +170,8 @@ jobs:
           bash -c 'pipenv run pip install dist/checkov-*.whl'
       - name: Clone flask - Python repo for SAST
         run: git clone https://github.com/pallets/flask
-      - name: Clone jenkins - Java repo for SAST
-        run: git clone https://github.com/jenkinsci/jenkins
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
       - name: Clone axios - JavaScript repo for SAST
         run: git clone https://github.com/axios/axios
       - name: Create checkov reports
@@ -192,8 +192,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: [ "3.8" ]
-        os: [ ubuntu-latest, macos-latest]
+        python: ["3.8", "3.11"]
+        os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3

cdk_integration_tests/prepare_data.sh

@@ -14,7 +14,8 @@ for file in "checkov/cdk/checks/python"/*; do
       # create a report for this check
       echo "creating report for check: $filename, id: $check_id"
       pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json --check $check_id \
-        -d "cdk_integration_tests/src/python/$filename"  > "checkov_report_cdk_python_$filename.json"
+        -d "cdk_integration_tests/src/python/$filename" --external-checks-dir "checkov/cdk/checks/python" \
+         > "checkov_report_cdk_python_$filename.json"
   fi
 done
 

checkov/sast/checks_infra/base_registry.py

@@ -13,13 +13,13 @@
 
 
 class Registry(BaseCheckRegistry):
-    def __init__(self, checks_dir: str) -> None:
+    def __init__(self, checks_dir: str | None = None) -> None:
         super().__init__(report_type=CheckType.SAST)
         self.rules: List[Dict[str, Any]] = []
         self.checks_dir = checks_dir
         self.logger = logging.getLogger(__name__)
         self.runner_filter: Optional[RunnerFilter] = None
-        self.checks_dirs_path: List[str] = [checks_dir]
+        self.checks_dirs_path: List[str] = [checks_dir] if checks_dir else []
 
     def extract_entity_details(self, entity: dict[str, Any]) -> tuple[str, str, dict[str, Any]]:
         # TODO

checkov/sast/engines/prisma_engine.py

@@ -193,7 +193,7 @@ def run_go_library(self, languages: Set[SastLanguages],
                        report_reachability: bool = False,
                        remove_default_policies: bool = False) -> Union[List[Report], SastPolicies]:
 
-        validate_params(languages, source_codes, policies, list_policies)
+        validate_params(languages, source_codes, list_policies)
 
         if bc_integration.bc_source:
             name = bc_integration.bc_source.name
@@ -376,17 +376,13 @@ def get_policies(self, languages: Set[SastLanguages]) -> SastPolicies:
 
 def validate_params(languages: Set[SastLanguages],
                     source_codes: List[str],
-                    policies: List[str],
                     list_policies: bool) -> None:
     if list_policies:
         return
 
     if len(source_codes) == 0:
         raise Exception('must provide source code file or dir for sast runner')
 
-    if len(policies) == 0:
-        raise Exception('must provide policy file or dir for sast runner')
-
     if len(languages) == 0:
         raise Exception('must provide a language for sast runner')
 

checkov/sast/prisma_models/report.py

@@ -4,7 +4,7 @@
 
 
 class Profiler(BaseModel):
-    duration: str  # noqa: CCE003
+    duration: int  # noqa: CCE003
     memory: int  # noqa: CCE003
 
 
@@ -27,22 +27,14 @@ class MatchLocation(BaseModel):
     code_block: str  # noqa: CCE003
 
 
-class MatchMetavariable(BaseModel):
-    path: Optional[str]  # noqa: CCE003
-    start: Optional[Point]  # noqa: CCE003
-    end: Optional[Point]  # noqa: CCE003
-    data_flow: Optional[List[Flow]]  # noqa: CCE003
-    code_block: Optional[str]  # noqa: CCE003
-
-
 class DataFlow(BaseModel):
     data_flow: List[Flow]  # noqa: CCE003
 
 
 class MatchMetadata(BaseModel):
-    metavariables: Dict[str, MatchMetavariable]  # noqa: CCE003
+    metavariables: Dict[str, DataFlow]  # noqa: CCE003
     variables: Dict[str, Any]  # noqa: CCE003
-    taint_mode: Optional[DataFlow]  # noqa: CCE003
+    taint_mode: Optional[DataFlow] = None  # noqa: CCE003
 
 
 class Match(BaseModel):

checkov/sast/runner.py

@@ -2,7 +2,6 @@
 
 import logging
 import os
-import pathlib
 import sys
 
 from checkov.common.bridgecrew.check_type import CheckType
@@ -17,15 +16,13 @@
 
 logger = logging.getLogger(__name__)
 
-CHECKS_DIR = (os.path.join(pathlib.Path(__file__).parent.resolve(), 'checks'))
-
 
 class Runner(BaseRunner[None, None, None]):
     check_type = CheckType.SAST  # noqa: CCE003  # a static attribute
 
     def __init__(self) -> None:
         super().__init__(file_extensions=["." + a for a in FILE_EXT_TO_SAST_LANG.keys()])
-        self.registry = Registry(checks_dir=CHECKS_DIR)
+        self.registry = Registry()
         self.engine = PrismaEngine()  # noqa: disallow-untyped-calls
 
     def should_scan_file(self, file: str) -> bool:

sast_integration_tests/prepare_data.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-pipenv run checkov -s --framework sast_python -d flask --repo-id cli/flask -o json > checkov_report_sast_python.json
-pipenv run checkov -s --framework sast_java -d jenkins --repo-id cli/jenkins -o json > checkov_report_sast_java.json
-pipenv run checkov -s --framework sast_javascript -d axios --repo-id cli/axios -o json > checkov_report_sast_javascript.json
+pipenv run checkov -s --framework sast_python -d flask --repo-id cli/flask -o json --output-file-path checkov_report_sast_python.json,
+pipenv run checkov -s --framework sast_java -d WebGoat --repo-id cli/webgoat -o json --output-file-path checkov_report_sast_java.json,
+pipenv run checkov -s --framework sast_javascript -d axios --repo-id cli/axios -o json --output-file-path checkov_report_sast_javascript.json,

sast_integration_tests/run_integration_tests.sh

@@ -19,16 +19,16 @@ set_env_vars() {
 
 prepare_data () {
   python checkov/main.py -s --framework sast_python -d repositories/flask -o json > checkov_report_sast_python.json
-  python checkov/main.py -s --framework sast_java -d repositories/jenkins -o json > checkov_report_sast_java.json
+  python checkov/main.py -s --framework sast_java -d repositories/WebGoat -o json > checkov_report_sast_java.json
   python checkov/main.py -s --framework sast_javascript -d repositories/axios -o json > checkov_report_sast_javascript.json
 
 }
 
 clone_repositories () {
   echo Clone flask - Python repo for SAST;
   git clone https://github.com/pallets/flask
-  echo Clone jenkins - Java repo for SAST
-  git clone https://github.com/jenkinsci/jenkins
+  echo Clone WebGoat - Java repo for SAST
+  git clone https://github.com/WebGoat/WebGoat
   echo Clone axios - JavaScript repo for SAST
   git clone https://github.com/axios/axios
 }

sast_integration_tests/test_checkov_sast_report.py

@@ -1,8 +1,6 @@
 import json
 import os
 
-import pytest
-
 current_dir = os.path.dirname(os.path.realpath(__file__))
 
 
@@ -16,7 +14,6 @@ def test_sast_java() -> None:
     validate_report(os.path.abspath(report_path))
 
 
-@pytest.mark.skip(reason="No JavaScript policies implemented yet")
 def test_sast_javascript() -> None:
     report_path = os.path.join(current_dir, '..', 'checkov_report_sast_javascript.json')
     validate_report(os.path.abspath(report_path))