
     1  package cloudformation
     2  
     3  import (
     4  	"context"
     5  	"testing"
     6  
     7  	"github.com/aquasecurity/defsec/pkg/framework"
     8  	"github.com/aquasecurity/defsec/pkg/scan"
     9  	"github.com/stretchr/testify/assert"
    10  	"github.com/stretchr/testify/require"
    11  
    12  	"github.com/aquasecurity/defsec/pkg/scanners/options"
    13  	"github.com/aquasecurity/trivy-iac/test/testutil"
    14  )
    15  
// Test_BasicScan pins the end-to-end behaviour of the CloudFormation scanner
// when it runs in Rego-only mode against a user-supplied policy directory:
//
//   - a single Rego check whose `__rego_input__` selector targets
//     {provider: aws, service: s3} is picked up from "rules" and evaluated
//     against the template under "code";
//   - the resulting failure carries the rule metadata parsed from
//     `__rego_metadata__` (note that Provider/Service are reported as
//     "cloud"/"general", not the selector's aws/s3 — this is the behaviour
//     the test asserts, so changes there are intentional API changes);
//   - the reported code location resolves to line 6 of the template, which is
//     the `BucketName` property named by the check's startline/endline.
//
// The fixture deliberately reuses Dockerfile-flavoured metadata (DS006) for
// a CloudFormation resource; only the selector and the deny body matter here.
func Test_BasicScan(t *testing.T) {

	// Minimal CloudFormation template: one S3 bucket. Line 6 is the
	// `BucketName` property the Rego check points at.
	const cfnTemplate = `---
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: public-bucket

`

	// Custom Rego check. The deny rule unconditionally emits one result
	// anchored at code/main.yaml:6 so the test can verify both rule-metadata
	// propagation and source-line resolution.
	const regoPolicy = `package builtin.dockerfile.DS006

__rego_metadata__ := {
	"id": "DS006",
	"avd_id": "AVD-DS-0006",
	"title": "COPY '--from' referring to the current image",
	"short_code": "no-self-referencing-copy-from",
	"version": "v1.0.0",
	"severity": "CRITICAL",
	"type": "Dockerfile Security Check",
	"description": "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself.",
	"recommended_actions": "Change the '--from' so that it will not refer to itself",
	"url": "https://docs.docker.com/develop/develop-images/multistage-build/",
}

__rego_input__ := {
	"combine": false,
	"selector": [{"type": "defsec", "subtypes": [{"service": "s3", "provider": "aws"}]}],
}

deny[res] {
	res := {
		"msg": "oh no",
		"filepath": "code/main.yaml",
		"startline": 6,
		"endline": 6,
	}
}

`

	fsys := testutil.CreateFS(t, map[string]string{
		"/code/main.yaml": cfnTemplate,
		"/rules/rule.rego": regoPolicy,
	})

	// RegoOnly disables the built-in Go checks, so the only possible finding
	// must come from the policy directory above.
	sc := New(options.ScannerWithPolicyDirs("rules"), options.ScannerWithRegoOnly(true))

	results, err := sc.ScanFS(context.TODO(), fsys, "code")
	require.NoError(t, err)

	failed := results.GetFailed()
	require.Len(t, failed, 1)
	finding := failed[0]

	// Expected rule as reconstructed from __rego_metadata__. Engine metadata
	// is present but empty, and the Terraform custom-check pointer is nil.
	wantRule := scan.Rule{
		AVDID:          "AVD-DS-0006",
		Aliases:        []string{"DS006"},
		ShortCode:      "no-self-referencing-copy-from",
		Summary:        "COPY '--from' referring to the current image",
		Explanation:    "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself.",
		Impact:         "",
		Resolution:     "Change the '--from' so that it will not refer to itself",
		Provider:       "cloud",
		Service:        "general",
		Links:          []string{"https://docs.docker.com/develop/develop-images/multistage-build/"},
		Severity:       "CRITICAL",
		Terraform:      &scan.EngineMetadata{},
		CloudFormation: &scan.EngineMetadata{},
		CustomChecks: scan.CustomChecks{
			Terraform: (*scan.TerraformCustomCheck)(nil),
		},
		RegoPackage: "data.builtin.dockerfile.DS006",
		Frameworks:  map[framework.Framework][]string{},
	}
	assert.Equal(t, wantRule, finding.Rule())

	// Resolve the finding back to source. Highlighted is blanked before the
	// comparison so the assertion depends only on line number, raw content
	// and cause markers, not on any rendering of the line.
	code, err := finding.GetCode()
	require.NoError(t, err)
	for idx := range code.Lines {
		code.Lines[idx].Highlighted = ""
	}

	wantLines := []scan.Line{
		{
			Number:     6,
			Content:    "      BucketName: public-bucket",
			IsCause:    true,
			FirstCause: true,
			LastCause:  true,
			Annotation: "",
		},
	}
	assert.Equal(t, wantLines, code.Lines)
}