github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/test/docker_test.go

github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/test/docker_test.go (about)

     1  package test
     2  
     3  import (
     4  	"context"
     5  	"fmt"
     6  	"os"
     7  	"testing"
     8  
     9  	"github.com/aquasecurity/defsec/pkg/scan"
    10  	"github.com/aquasecurity/defsec/pkg/scanners/options"
    11  	"github.com/stretchr/testify/assert"
    12  	"github.com/stretchr/testify/require"
    13  
    14  	"github.com/aquasecurity/trivy-iac/pkg/scanners/dockerfile"
    15  )
    16  
    17  // func addFilesToMemFS(memfs *memoryfs.FS, typePolicy bool, folderName string) error {
    18  //	base := filepath.Base(folderName)
    19  //	if err := memfs.MkdirAll(base, 0o700); err != nil {
    20  //		return err
    21  //	}
    22  //	err := filepath.Walk(filepath.FromSlash(folderName),
    23  //		func(fpath string, info os.FileInfo, err error) error {
    24  //			if err != nil {
    25  //				return err
    26  //			}
    27  //			if info.IsDir() {
    28  //				return nil
    29  //			}
    30  //			if typePolicy && !rego.IsRegoFile(info.Name()) {
    31  //				return nil
    32  //			}
    33  //			data, err := os.ReadFile(fpath)
    34  //			if err != nil {
    35  //				return err
    36  //			}
    37  //			fileName := getFileName(fpath, info, typePolicy)
    38  //			if err := memfs.WriteFile(path.Join(base, fileName), data, 0o644); err != nil {
    39  //				return err
    40  //			}
    41  //			return nil
    42  //		})
    43  //
    44  //	if err != nil {
    45  //		return err
    46  //	}
    47  //	return nil
    48  //}
    49  
    50  // TODO: Evaluate usefulness of this test
    51  // func Test_Docker_RegoPoliciesFromDisk(t *testing.T) {
    52  //	t.Parallel()
    53  //
    54  //	entries, err := os.ReadDir("./testdata/dockerfile")
    55  //	require.NoError(t, err)
    56  //
    57  //	policiesPath, err := filepath.Abs("../rules")
    58  //	require.NoError(t, err)
    59  //	scanner := dockerfile.NewScanner(
    60  //		options.ScannerWithPolicyDirs(filepath.Base(policiesPath)),
    61  //	)
    62  //	memfs := memoryfs.New()
    63  //	// add policies
    64  //	err = addFilesToMemFS(memfs, true, policiesPath)
    65  //	require.NoError(t, err)
    66  //
    67  //	// add test data
    68  //	testDataPath, err := filepath.Abs("./testdata/dockerfile")
    69  //	require.NoError(t, err)
    70  //	err = addFilesToMemFS(memfs, false, testDataPath)
    71  //	require.NoError(t, err)
    72  //
    73  //	results, err := scanner.ScanFS(context.TODO(), memfs, filepath.Base(testDataPath))
    74  //	require.NoError(t, err)
    75  //
    76  //	for _, entry := range entries {
    77  //		if !entry.IsDir() {
    78  //			continue
    79  //		}
    80  //		t.Run(entry.Name(), func(t *testing.T) {
    81  //			require.NoError(t, err)
    82  //			t.Run(entry.Name(), func(t *testing.T) {
    83  //				var matched int
    84  //				for _, result := range results {
    85  //					if result.Rule().HasID(entry.Name()) && result.Status() == scan.StatusFailed {
    86  //						if result.Description() != "Specify at least 1 USER command in Dockerfile with non-root user as argument" {
    87  //							assert.Greater(t, result.Range().GetStartLine(), 0)
    88  //							assert.Greater(t, result.Range().GetEndLine(), 0)
    89  //						}
    90  //						if !strings.HasSuffix(result.Range().GetFilename(), entry.Name()) {
    91  //							continue
    92  //						}
    93  //						matched++
    94  //					}
    95  //				}
    96  //				assert.Equal(t, 1, matched, "Rule should be matched once")
    97  //			})
    98  //
    99  //		})
   100  //	}
   101  //}
   102  
   103  func Test_Docker_RegoPoliciesEmbedded(t *testing.T) {
   104  	t.Parallel()
   105  
   106  	entries, err := os.ReadDir("./testdata/dockerfile")
   107  	require.NoError(t, err)
   108  
   109  	scanner := dockerfile.NewScanner(options.ScannerWithEmbeddedPolicies(true), options.ScannerWithEmbeddedLibraries(true))
   110  	srcFS := os.DirFS("../")
   111  
   112  	results, err := scanner.ScanFS(context.TODO(), srcFS, "test/testdata/dockerfile")
   113  	require.NoError(t, err)
   114  
   115  	for _, entry := range entries {
   116  		if !entry.IsDir() {
   117  			continue
   118  		}
   119  		t.Run(entry.Name(), func(t *testing.T) {
   120  			require.NoError(t, err)
   121  			t.Run(entry.Name(), func(t *testing.T) {
   122  				var matched bool
   123  				for _, result := range results {
   124  					if result.Rule().HasID(entry.Name()) && result.Status() == scan.StatusFailed {
   125  						if result.Description() != "Specify at least 1 USER command in Dockerfile with non-root user as argument" {
   126  							assert.Greater(t, result.Range().GetStartLine(), 0)
   127  							assert.Greater(t, result.Range().GetEndLine(), 0)
   128  						}
   129  						assert.Equal(t, fmt.Sprintf("test/testdata/dockerfile/%s/Dockerfile.denied", entry.Name()), result.Range().GetFilename())
   130  						matched = true
   131  					}
   132  				}
   133  				assert.True(t, matched)
   134  			})
   135  
   136  		})
   137  	}
   138  }