github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/pkg/scanners/terraform/options.go

github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/pkg/scanners/terraform/options.go (about)

     1  package terraform
     2  
     3  import (
     4  	"io/fs"
     5  	"strings"
     6  
     7  	"github.com/aquasecurity/defsec/pkg/scan"
     8  	"github.com/aquasecurity/defsec/pkg/scanners/options"
     9  	"github.com/aquasecurity/defsec/pkg/severity"
    10  	"github.com/aquasecurity/defsec/pkg/state"
    11  
    12  	"github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/executor"
    13  	"github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser"
    14  )
    15  
    16  type ConfigurableTerraformScanner interface {
    17  	options.ConfigurableScanner
    18  	SetForceAllDirs(bool)
    19  	AddExecutorOptions(options ...executor.Option)
    20  	AddParserOptions(options ...options.ParserOption)
    21  }
    22  
    23  func ScannerWithTFVarsPaths(paths ...string) options.ScannerOption {
    24  	return func(s options.ConfigurableScanner) {
    25  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    26  			tf.AddParserOptions(parser.OptionWithTFVarsPaths(paths...))
    27  		}
    28  	}
    29  }
    30  
    31  func ScannerWithAlternativeIDProvider(f func(string) []string) options.ScannerOption {
    32  	return func(s options.ConfigurableScanner) {
    33  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    34  			tf.AddExecutorOptions(executor.OptionWithAlternativeIDProvider(f))
    35  		}
    36  	}
    37  }
    38  
    39  func ScannerWithSeverityOverrides(overrides map[string]string) options.ScannerOption {
    40  	return func(s options.ConfigurableScanner) {
    41  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    42  			tf.AddExecutorOptions(executor.OptionWithSeverityOverrides(overrides))
    43  		}
    44  	}
    45  }
    46  
    47  func ScannerWithNoIgnores() options.ScannerOption {
    48  	return func(s options.ConfigurableScanner) {
    49  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    50  			tf.AddExecutorOptions(executor.OptionNoIgnores())
    51  		}
    52  	}
    53  }
    54  
    55  func ScannerWithExcludedRules(ruleIDs []string) options.ScannerOption {
    56  	return func(s options.ConfigurableScanner) {
    57  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    58  			tf.AddExecutorOptions(executor.OptionExcludeRules(ruleIDs))
    59  		}
    60  	}
    61  }
    62  
    63  func ScannerWithExcludeIgnores(ruleIDs []string) options.ScannerOption {
    64  	return func(s options.ConfigurableScanner) {
    65  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    66  			tf.AddExecutorOptions(executor.OptionExcludeIgnores(ruleIDs))
    67  		}
    68  	}
    69  }
    70  
    71  func ScannerWithIncludedRules(ruleIDs []string) options.ScannerOption {
    72  	return func(s options.ConfigurableScanner) {
    73  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    74  			tf.AddExecutorOptions(executor.OptionIncludeRules(ruleIDs))
    75  		}
    76  	}
    77  }
    78  
    79  func ScannerWithStopOnRuleErrors(stop bool) options.ScannerOption {
    80  	return func(s options.ConfigurableScanner) {
    81  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    82  			tf.AddExecutorOptions(executor.OptionStopOnErrors(stop))
    83  		}
    84  	}
    85  }
    86  
    87  func ScannerWithWorkspaceName(name string) options.ScannerOption {
    88  	return func(s options.ConfigurableScanner) {
    89  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    90  			tf.AddParserOptions(parser.OptionWithWorkspaceName(name))
    91  			tf.AddExecutorOptions(executor.OptionWithWorkspaceName(name))
    92  		}
    93  	}
    94  }
    95  
    96  func ScannerWithSingleThread(single bool) options.ScannerOption {
    97  	return func(s options.ConfigurableScanner) {
    98  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
    99  			tf.AddExecutorOptions(executor.OptionWithSingleThread(single))
   100  		}
   101  	}
   102  }
   103  
   104  func ScannerWithAllDirectories(all bool) options.ScannerOption {
   105  	return func(s options.ConfigurableScanner) {
   106  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   107  			tf.SetForceAllDirs(all)
   108  		}
   109  	}
   110  }
   111  
   112  func ScannerWithStopOnHCLError(stop bool) options.ScannerOption {
   113  	return func(s options.ConfigurableScanner) {
   114  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   115  			tf.AddParserOptions(parser.OptionStopOnHCLError(stop))
   116  		}
   117  	}
   118  }
   119  
   120  func ScannerWithSkipDownloaded(skip bool) options.ScannerOption {
   121  	return func(s options.ConfigurableScanner) {
   122  		if !skip {
   123  			return
   124  		}
   125  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   126  			tf.AddExecutorOptions(executor.OptionWithResultsFilter(func(results scan.Results) scan.Results {
   127  				for i, result := range results {
   128  					prefix := result.Range().GetSourcePrefix()
   129  					switch {
   130  					case prefix == "":
   131  					case strings.HasPrefix(prefix, "."):
   132  					default:
   133  						results[i].OverrideStatus(scan.StatusIgnored)
   134  					}
   135  				}
   136  				return results
   137  			}))
   138  		}
   139  	}
   140  }
   141  
   142  func ScannerWithResultsFilter(f func(scan.Results) scan.Results) options.ScannerOption {
   143  	return func(s options.ConfigurableScanner) {
   144  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   145  			tf.AddExecutorOptions(executor.OptionWithResultsFilter(f))
   146  		}
   147  	}
   148  }
   149  
   150  func ScannerWithMinimumSeverity(minimum severity.Severity) options.ScannerOption {
   151  	min := severityAsOrdinal(minimum)
   152  	return func(s options.ConfigurableScanner) {
   153  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   154  			tf.AddExecutorOptions(executor.OptionWithResultsFilter(func(results scan.Results) scan.Results {
   155  				for i, result := range results {
   156  					if severityAsOrdinal(result.Severity()) < min {
   157  						results[i].OverrideStatus(scan.StatusIgnored)
   158  					}
   159  				}
   160  				return results
   161  			}))
   162  		}
   163  	}
   164  }
   165  
   166  func severityAsOrdinal(sev severity.Severity) int {
   167  	switch sev {
   168  	case severity.Critical:
   169  		return 4
   170  	case severity.High:
   171  		return 3
   172  	case severity.Medium:
   173  		return 2
   174  	case severity.Low:
   175  		return 1
   176  	default:
   177  		return 0
   178  	}
   179  }
   180  
   181  func ScannerWithStateFunc(f ...func(*state.State)) options.ScannerOption {
   182  	return func(s options.ConfigurableScanner) {
   183  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   184  			tf.AddExecutorOptions(executor.OptionWithStateFunc(f...))
   185  		}
   186  	}
   187  }
   188  
   189  func ScannerWithDownloadsAllowed(allowed bool) options.ScannerOption {
   190  	return func(s options.ConfigurableScanner) {
   191  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   192  			tf.AddParserOptions(parser.OptionWithDownloads(allowed))
   193  		}
   194  	}
   195  }
   196  
   197  func ScannerWithSkipCachedModules(b bool) options.ScannerOption {
   198  	return func(s options.ConfigurableScanner) {
   199  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   200  			tf.AddParserOptions(parser.OptionWithDownloads(b))
   201  		}
   202  	}
   203  }
   204  
   205  func ScannerWithConfigsFileSystem(fsys fs.FS) options.ScannerOption {
   206  	return func(s options.ConfigurableScanner) {
   207  		if tf, ok := s.(ConfigurableTerraformScanner); ok {
   208  			tf.AddParserOptions(parser.OptionWithConfigsFS(fsys))
   209  		}
   210  	}
   211  }