github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/pkg/scanners/cloudformation/scanner_test.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/pkg/scanners/cloudformation/scanner_test.go (about)

     1  package cloudformation
     2  
     3  import (
     4  	"context"
     5  	"testing"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     8  
     9  	"github.com/khulnasoft-lab/defsec/pkg/scanners/options"
    10  
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/khulnasoft-lab/defsec/test/testutil"
    14  
    15  	"github.com/stretchr/testify/assert"
    16  
    17  	"github.com/stretchr/testify/require"
    18  )
    19  
    20  func Test_BasicScan(t *testing.T) {
    21  
    22  	fs := testutil.CreateFS(t, map[string]string{
    23  		"/code/main.yaml": `---
    24  Resources:
    25    S3Bucket:
    26      Type: 'AWS::S3::Bucket'
    27      Properties:
    28        BucketName: public-bucket
    29  
    30  `,
    31  		"/rules/rule.rego": `package builtin.dockerfile.DS006
    32  
    33  __rego_metadata__ := {
    34  	"id": "DS006",
    35  	"avd_id": "AVD-DS-0006",
    36  	"title": "COPY '--from' referring to the current image",
    37  	"short_code": "no-self-referencing-copy-from",
    38  	"version": "v1.0.0",
    39  	"severity": "CRITICAL",
    40  	"type": "Dockerfile Security Check",
    41  	"description": "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself.",
    42  	"recommended_actions": "Change the '--from' so that it will not refer to itself",
    43  	"url": "https://docs.docker.com/develop/develop-images/multistage-build/",
    44  }
    45  
    46  __rego_input__ := {
    47  	"combine": false,
    48  	"selector": [{"type": "defsec", "subtypes": [{"service": "s3", "provider": "aws"}]}],
    49  }
    50  
    51  deny[res] {
    52  	res := {
    53  		"msg": "oh no",
    54  		"filepath": "code/main.yaml",
    55  		"startline": 6,
    56  		"endline": 6,
    57  	}
    58  }
    59  
    60  `,
    61  	})
    62  
    63  	scanner := New(options.ScannerWithPolicyDirs("rules"), options.ScannerWithRegoOnly(true))
    64  
    65  	results, err := scanner.ScanFS(context.TODO(), fs, "code")
    66  	require.NoError(t, err)
    67  
    68  	require.Len(t, results.GetFailed(), 1)
    69  
    70  	assert.Equal(t, scan.Rule{
    71  		AVDID:          "AVD-DS-0006",
    72  		Aliases:        []string{"DS006"},
    73  		ShortCode:      "no-self-referencing-copy-from",
    74  		Summary:        "COPY '--from' referring to the current image",
    75  		Explanation:    "COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself.",
    76  		Impact:         "",
    77  		Resolution:     "Change the '--from' so that it will not refer to itself",
    78  		Provider:       "cloud",
    79  		Service:        "general",
    80  		Links:          []string{"https://docs.docker.com/develop/develop-images/multistage-build/"},
    81  		Severity:       "CRITICAL",
    82  		Terraform:      &scan.EngineMetadata{},
    83  		CloudFormation: &scan.EngineMetadata{},
    84  		CustomChecks: scan.CustomChecks{
    85  			Terraform: (*scan.TerraformCustomCheck)(nil),
    86  		},
    87  		RegoPackage: "data.builtin.dockerfile.DS006",
    88  		Frameworks:  map[framework.Framework][]string{},
    89  	}, results.GetFailed()[0].Rule())
    90  
    91  	failure := results.GetFailed()[0]
    92  	actualCode, err := failure.GetCode()
    93  	require.NoError(t, err)
    94  	for i := range actualCode.Lines {
    95  		actualCode.Lines[i].Highlighted = ""
    96  	}
    97  	assert.Equal(t, []scan.Line{
    98  		{
    99  			Number:     6,
   100  			Content:    "      BucketName: public-bucket",
   101  			IsCause:    true,
   102  			FirstCause: true,
   103  			LastCause:  true,
   104  			Annotation: "",
   105  		},
   106  	}, actualCode.Lines)
   107  }