package sam

import (
	"github.com/aquasecurity/defsec/pkg/providers/aws/sam"
	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
	"github.com/aquasecurity/trivy-iac/pkg/scanners/cloudformation/parser"
)

// getApis adapts every AWS::Serverless::Api resource in cfFile into a
// sam.API value. The result is nil when the template declares no such
// resource; each entry carries the resource metadata so findings can be
// attributed back to the template location.
func getApis(cfFile parser.FileContext) (apis []sam.API) {
	for _, res := range cfFile.GetResourcesByType("AWS::Serverless::Api") {
		apis = append(apis, sam.API{
			Metadata:            res.Metadata(),
			Name:                res.GetStringProperty("Name", ""),
			TracingEnabled:      res.GetBoolProperty("TracingEnabled"),
			DomainConfiguration: getDomainConfiguration(res),
			AccessLogging:       getAccessLogging(res),
			RESTMethodSettings:  getRestMethodSettings(res),
		})
	}
	return apis
}

// getRestMethodSettings reads the resource's MethodSettings property.
//
// Without that property every flag is a false default attached to the
// resource metadata. With it, CacheDataEncrypted, DataTraceEnabled and
// MetricsEnabled are read directly, while LoggingEnabled is derived from
// LoggingLevel: a level equal to "OFF" (case-insensitive) means disabled, any
// other declared level means enabled, and a missing level leaves the false
// default in place.
//
// NOTE(review): in the SAM specification MethodSettings is a list of
// MethodSetting objects; confirm how the parser resolves GetProperty /
// GetBoolProperty on a list value — if those calls fall back to their
// defaults, the per-method flags are never actually read here.
func getRestMethodSettings(r *parser.Resource) sam.RESTMethodSettings {
	resMD := r.Metadata()
	settings := sam.RESTMethodSettings{
		Metadata:           resMD,
		CacheDataEncrypted: defsecTypes.BoolDefault(false, resMD),
		LoggingEnabled:     defsecTypes.BoolDefault(false, resMD),
		DataTraceEnabled:   defsecTypes.BoolDefault(false, resMD),
		MetricsEnabled:     defsecTypes.BoolDefault(false, resMD),
	}

	methodSettings := r.GetProperty("MethodSettings")
	if !methodSettings.IsNotNil() {
		return settings
	}

	propMD := methodSettings.Metadata()
	settings = sam.RESTMethodSettings{
		Metadata:           propMD,
		CacheDataEncrypted: methodSettings.GetBoolProperty("CacheDataEncrypted"),
		LoggingEnabled:     defsecTypes.BoolDefault(false, propMD),
		DataTraceEnabled:   methodSettings.GetBoolProperty("DataTraceEnabled"),
		MetricsEnabled:     methodSettings.GetBoolProperty("MetricsEnabled"),
	}

	// Only an explicit LoggingLevel overrides the default; "OFF" is the single
	// value that keeps logging disabled.
	if level := methodSettings.GetProperty("LoggingLevel"); level.IsNotNil() {
		enabled := !level.EqualTo("OFF", parser.IgnoreCase)
		settings.LoggingEnabled = defsecTypes.Bool(enabled, level.Metadata())
	}

	return settings
}

// getAccessLogging reads the resource's AccessLogSetting property. When it
// is present the CloudWatch log group ARN comes from DestinationArn (empty if
// unset); otherwise the ARN is an empty default attached to the resource
// metadata, so downstream checks see "no access logging configured".
func getAccessLogging(r *parser.Resource) sam.AccessLogging {
	resMD := r.Metadata()
	logging := sam.AccessLogging{
		Metadata:              resMD,
		CloudwatchLogGroupARN: defsecTypes.StringDefault("", resMD),
	}

	access := r.GetProperty("AccessLogSetting")
	if !access.IsNotNil() {
		return logging
	}

	return sam.AccessLogging{
		Metadata:              access.Metadata(),
		CloudwatchLogGroupARN: access.GetStringProperty("DestinationArn", ""),
	}
}

// getDomainConfiguration reads the resource's Domain property. Both with and
// without a Domain block the SecurityPolicy falls back to "TLS_1_0", so an
// omitted policy reaches downstream checks as that literal rather than as an
// unset value; DomainName falls back to the empty string.
func getDomainConfiguration(r *parser.Resource) sam.DomainConfiguration {
	resMD := r.Metadata()
	domainConfig := sam.DomainConfiguration{
		Metadata:       resMD,
		Name:           defsecTypes.StringDefault("", resMD),
		SecurityPolicy: defsecTypes.StringDefault("TLS_1_0", resMD),
	}

	domain := r.GetProperty("Domain")
	if !domain.IsNotNil() {
		return domainConfig
	}

	return sam.DomainConfiguration{
		Metadata:       domain.Metadata(),
		Name:           domain.GetStringProperty("DomainName", ""),
		SecurityPolicy: domain.GetStringProperty("SecurityPolicy", "TLS_1_0"),
	}
}