
     1  package test
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/aquasecurity/defsec/pkg/providers"
     7  	"github.com/aquasecurity/defsec/pkg/rules"
     8  	"github.com/aquasecurity/defsec/pkg/scan"
     9  	"github.com/aquasecurity/defsec/pkg/severity"
    10  	"github.com/aquasecurity/defsec/pkg/terraform"
    11  
    12  	"github.com/aquasecurity/trivy-iac/test/testutil"
    13  )
    14  
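// TestScanningJSON checks that Terraform JSON (.tf.json) input is parsed and
// evaluated by the rule engine the same way HCL is: a custom rule keyed on the
// "bad" resource label must fire for a block that lacks `"secure": true` and
// must stay silent for a block that has it.
//
// Only the Terraform JSON plumbing is under test here. The insecure-looking
// fixture (an ingress rule open to 0.0.0.0/0) is NOT what produces the
// finding — the custom check never reads cidr_blocks; it fires purely on the
// absence of a truthy "secure" attribute. Do not read a pass here as
// evidence that open-CIDR detection works for JSON input.
func TestScanningJSON(t *testing.T) {

	tests := []struct {
		name string
		// source is the Terraform JSON document handed to the scanner.
		source string
		// wantFinding is true when the custom rule is expected to report the
		// "bad" block (a missing finding is a false negative), false when it
		// must stay silent (a finding is a false positive).
		wantFinding bool
	}{
		{
			name: "check results are picked up in tf json configs",
			source: `
			{
				"provider": {
					"aws": {
						"profile": null,
						"region": "eu-west-1"
					}
				},
				"resource": {
					"bad": {
						"thing": {
							"type": "ingress",
							"cidr_blocks": ["0.0.0.0/0"],
							"description": "testing"
						}
					}
				}
			}`,
			wantFinding: true,
		},
		{
			name: "check attributes are checked in tf json configs",
			source: `
			{
				"provider": {
					"aws": {
						"profile": null,
						"region": "eu-west-1"
					}
				},
				"resource": {
					"bad": {
						"or_not": {
							"secure": true
						}
					}
				}
			}`,
			wantFinding: false,
		},
	}

	for _, tc := range tests {
		// No t.Parallel(): rules.Register/Deregister are package-level calls
		// and appear to mutate a shared registry, so subtests must not run
		// concurrently or they would see each other's rule.
		t.Run(tc.name, func(t *testing.T) {
			rule := newSecureAttributeRule()
			reg := rules.Register(rule)
			defer rules.Deregister(reg)

			ruleID := rule.LongID()
			// An empty ID would make the assertions below unreachable and let
			// the test pass without checking anything. The previous shape of
			// this test (`if include != "" { ... }`) silently skipped in that
			// case; a vacuous pass in a security test is worse than a failure,
			// so fail loudly instead.
			if ruleID == "" {
				t.Fatalf("rule %+v has an empty LongID; cannot assert on results", rule)
			}

			results := scanJSON(t, tc.source)
			if tc.wantFinding {
				testutil.AssertRuleFound(t, ruleID, results, "false negative found")
				return
			}
			testutil.AssertRuleNotFound(t, ruleID, results, "false positive found")
		})
	}
}

// newSecureAttributeRule builds the throwaway custom rule used by
// TestScanningJSON. It matches any resource whose first label is "bad" and
// reports it unless the block carries a truthy "secure" attribute. The rule is
// deliberately trivial so the test exercises the JSON parser and rule
// dispatch, not the semantics of a real check.
func newSecureAttributeRule() scan.Rule {
	return scan.Rule{
		Provider:  providers.AWSProvider,
		Service:   "service",
		ShortCode: "abc123",
		Severity:  severity.High,
		CustomChecks: scan.CustomChecks{
			Terraform: &scan.TerraformCustomCheck{
				// Only resources declared as "bad" { ... } are visited.
				RequiredLabels: []string{"bad"},
				Check: func(block *terraform.Block, _ *terraform.Module) scan.Results {
					var results scan.Results
					// A missing or non-true "secure" attribute is the finding;
					// nothing else in the block is inspected.
					if block.GetAttribute("secure").IsTrue() {
						return results
					}
					results.Add("something", block)
					return results
				},
			},
		},
	}
}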