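package executor

import (
	"context"
	"testing"

	"github.com/aquasecurity/defsec/pkg/providers"
	"github.com/aquasecurity/defsec/pkg/rules"
	"github.com/aquasecurity/defsec/pkg/scan"
	"github.com/aquasecurity/defsec/pkg/severity"
	"github.com/aquasecurity/defsec/pkg/terraform"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser"
	"github.com/aquasecurity/trivy-iac/test/testutil"
)

// panicRule is a test-only rule whose Terraform custom check panics when
// the matched "problem" resource sets panic = true. The tests below use it
// to probe how the executor treats a check that blows up mid-scan. That
// matters for scan integrity: a buggy or hostile check must not take the
// whole scan down, and if it quietly drops out of the result set the
// resource it covered becomes a false negative.
var panicRule = scan.Rule{
	Provider:  providers.AWSProvider,
	Service:   "service",
	ShortCode: "abc",
	Severity:  severity.High,
	CustomChecks: scan.CustomChecks{
		Terraform: &scan.TerraformCustomCheck{
			RequiredTypes:  []string{"resource"},
			RequiredLabels: []string{"problem"},
			Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
				if resourceBlock.GetAttribute("panic").IsTrue() {
					panic("This is fine")
				}
				return
			},
		},
	},
}

// panicFixture is the single Terraform file every test in this file scans:
// one "problem" resource with panic = true, which trips panicRule's check.
const panicFixture = `
resource "problem" "this" {
	panic = true
}
`

// evaluatePanicFixture registers panicRule for the lifetime of the calling
// test, parses panicFixture from an in-memory filesystem and returns the
// evaluated modules. A parse or evaluation error aborts the test.
func evaluatePanicFixture(t *testing.T) terraform.Modules {
	t.Helper()

	// Deregister via t.Cleanup rather than defer: the rule has to stay
	// registered while the caller runs Execute, i.e. after this helper
	// has already returned.
	reg := rules.Register(panicRule)
	t.Cleanup(func() { rules.Deregister(reg) })

	fsys := testutil.CreateFS(t, map[string]string{
		"project/main.tf": panicFixture,
	})

	p := parser.New(fsys, "", parser.OptionStopOnHCLError(true))
	require.NoError(t, p.ParseFS(context.TODO(), "project"))

	modules, _, err := p.EvaluateAll(context.TODO())
	require.NoError(t, err)
	return modules
}

// Test_PanicInCheckNotAllowed scans the panic fixture with the default
// executor and expects no failed result. The error returned by Execute is
// discarded, so this only shows that the panic did not surface as a
// finding; it says nothing about how (or whether) the executor reported it.
func Test_PanicInCheckNotAllowed(t *testing.T) {
	modules := evaluatePanicFixture(t)

	results, _, _ := New().Execute(modules)
	assert.Len(t, results.GetFailed(), 0)
}

// Test_PanicInCheckAllowed scans the panic fixture with an executor built
// with OptionStopOnErrors(false) and expects Execute to return an error
// for the panicking check.
func Test_PanicInCheckAllowed(t *testing.T) {
	modules := evaluatePanicFixture(t)

	_, _, err := New(OptionStopOnErrors(false)).Execute(modules)
	assert.Error(t, err)
}

// Test_PanicNotInCheckNotIncludePassed is, as written, the same scenario as
// Test_PanicInCheckNotAllowed: default executor, same fixture, no failed
// result expected.
// NOTE(review): the name reads as "the check does not panic, and it must
// not show up among the passed results", but the body scans the fixture
// with panic = true and never inspects the passed results — confirm the
// intended scenario; an accidental duplicate hides a missing test case.
func Test_PanicNotInCheckNotIncludePassed(t *testing.T) {
	modules := evaluatePanicFixture(t)

	results, _, _ := New().Execute(modules)
	assert.Len(t, results.GetFailed(), 0)
}

// Test_PanicNotInCheckNotIncludePassedStopOnError is, as written, the same
// scenario as Test_PanicInCheckAllowed and expects Execute to error.
// NOTE(review): the name says StopOnError, yet the executor is built with
// OptionStopOnErrors(false) exactly like Test_PanicInCheckAllowed — confirm
// which setting this test is meant to cover.
func Test_PanicNotInCheckNotIncludePassedStopOnError(t *testing.T) {
	modules := evaluatePanicFixture(t)

	_, _, err := New(OptionStopOnErrors(false)).Execute(modules)
	assert.Error(t, err)
}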