github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/test/wildcard_test.go (about)

     1  package test
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/aquasecurity/defsec/pkg/rules"
     8  	"github.com/aquasecurity/defsec/pkg/scan"
     9  	"github.com/aquasecurity/defsec/pkg/severity"
    10  	"github.com/aquasecurity/defsec/pkg/terraform"
    11  
    12  	"github.com/aquasecurity/trivy-iac/test/testutil"
    13  )
    14  
// Test_WildcardMatchingOnRequiredLabels checks that a "*" in a custom check's
// RequiredLabels is honoured when the scanner matches Terraform resource
// types: the registered check fires only for resources whose type matches
// the pattern. The last case shows that a trailing "*" is a prefix match, so
// "aws_security_group*" also selects "aws_security_group_rule" — a pattern
// author gets a wider match than the literal type name alone.
func Test_WildcardMatchingOnRequiredLabels(t *testing.T) {
	type testCase struct {
		pattern         string
		input           string
		expectedFailure bool
	}

	cases := []testCase{
		{pattern: "aws_*", input: `resource "aws_instance" "blah" {}`, expectedFailure: true},
		{pattern: "gcp_*", input: `resource "aws_instance" "blah" {}`, expectedFailure: false},
		{pattern: "x_aws_*", input: `resource "aws_instance" "blah" {}`, expectedFailure: false},
		{pattern: "aws_security_group*", input: `resource "aws_security_group" "blah" {}`, expectedFailure: true},
		{pattern: "aws_security_group*", input: `resource "aws_security_group_rule" "blah" {}`, expectedFailure: true},
	}

	for idx, tc := range cases {
		shortCode := fmt.Sprintf("wild%d", idx)
		ruleID := fmt.Sprintf("custom-service-%s", shortCode)

		t.Run(shortCode, func(t *testing.T) {
			// The check reports every block it is handed, so whether a result
			// shows up depends solely on the RequiredLabels pattern matching.
			alwaysFail := func(block *terraform.Block, _ *terraform.Module) scan.Results {
				var res scan.Results
				res.Add("Custom check failed for resource.", block)
				return res
			}

			registered := rules.Register(scan.Rule{
				Service:   "service",
				ShortCode: shortCode,
				Summary:   "blah",
				Provider:  "custom",
				Severity:  severity.High,
				CustomChecks: scan.CustomChecks{
					Terraform: &scan.TerraformCustomCheck{
						RequiredTypes:  []string{"resource"},
						RequiredLabels: []string{tc.pattern},
						Check:          alwaysFail,
					},
				},
			})
			// Remove the rule again so it cannot influence sibling subtests.
			defer rules.Deregister(registered)

			results := scanHCL(t, tc.input)

			if !tc.expectedFailure {
				testutil.AssertRuleNotFound(t, ruleID, results, "")
				return
			}
			testutil.AssertRuleFound(t, ruleID, results, "")
		})
	}
}