refactor: remove support for custom Terraform checks (#7901)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
nikpivkin and simar7 authored Nov 27, 2024
1 parent ad0ff5d commit f5bdc79
Showing 6 changed files with 9 additions and 378 deletions.
5 changes: 1 addition & 4 deletions pkg/iac/scanners/cloudformation/scanner_test.go
Expand Up @@ -79,10 +79,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
CustomChecks: scan.CustomChecks{
Terraform: (*scan.TerraformCustomCheck)(nil),
},
RegoPackage: "data.builtin.dockerfile.DS006",
RegoPackage: "data.builtin.dockerfile.DS006",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
8 changes: 2 additions & 6 deletions pkg/iac/scanners/dockerfile/scanner_test.go
Expand Up @@ -249,9 +249,7 @@ USER root
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
CustomChecks: scan.CustomChecks{
Terraform: (*scan.TerraformCustomCheck)(nil)},
RegoPackage: "data.builtin.dockerfile.DS006",
RegoPackage: "data.builtin.dockerfile.DS006",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
Expand Down Expand Up @@ -600,9 +598,7 @@ COPY --from=dep /binary /`
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
CustomChecks: scan.CustomChecks{
Terraform: (*scan.TerraformCustomCheck)(nil)},
RegoPackage: "data.builtin.dockerfile.DS006",
RegoPackage: "data.builtin.dockerfile.DS006",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
13 changes: 3 additions & 10 deletions pkg/iac/scanners/generic/scanner_test.go
Expand Up @@ -69,10 +69,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
CustomChecks: scan.CustomChecks{
Terraform: (*scan.TerraformCustomCheck)(nil),
},
RegoPackage: "data.builtin.json.lol",
RegoPackage: "data.builtin.json.lol",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
Expand Down Expand Up @@ -141,9 +138,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
CustomChecks: scan.CustomChecks{
Terraform: (*scan.TerraformCustomCheck)(nil)},
RegoPackage: "data.builtin.yaml.lol",
RegoPackage: "data.builtin.yaml.lol",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
Expand Down Expand Up @@ -211,9 +206,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
CustomChecks: scan.CustomChecks{
Terraform: (*scan.TerraformCustomCheck)(nil)},
RegoPackage: "data.builtin.toml.lol",
RegoPackage: "data.builtin.toml.lol",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
132 changes: 0 additions & 132 deletions pkg/iac/scanners/terraform/executor/executor_test.go

This file was deleted.

137 changes: 3 additions & 134 deletions pkg/iac/scanners/terraform/executor/pool.go
Expand Up @@ -3,10 +3,7 @@ package executor
import (
"context"
"fmt"
"os"
"path/filepath"
runtimeDebug "runtime/debug"
"strings"
"sync"

"github.com/aquasecurity/trivy/pkg/iac/rego"
Expand Down Expand Up @@ -62,21 +59,9 @@ func (p *Pool) Run() (scan.Results, error) {

if !p.regoOnly {
for _, r := range p.rules {
if r.GetRule().CustomChecks.Terraform != nil && r.GetRule().CustomChecks.Terraform.Check != nil {
// run local hcl rule
for _, module := range p.modules {
mod := *module
outgoing <- &hclModuleRuleJob{
module: &mod,
rule: r,
}
}
} else {
// run defsec rule
outgoing <- &infraRuleJob{
state: p.state,
rule: r,
}
outgoing <- &infraRuleJob{
state: p.state,
rule: r,
}
}
}
Expand All @@ -103,11 +88,6 @@ type infraRuleJob struct {
rule types.RegisteredRule
}

type hclModuleRuleJob struct {
module *terraform.Module
rule types.RegisteredRule
}

type regoJob struct {
state *state.State
scanner *rego.Scanner
Expand All @@ -124,23 +104,6 @@ func (h *infraRuleJob) Run() (_ scan.Results, err error) {
return h.rule.Evaluate(h.state), err
}

func (h *hclModuleRuleJob) Run() (results scan.Results, err error) {
defer func() {
if panicErr := recover(); panicErr != nil {
err = fmt.Errorf("%s\n%s", panicErr, string(runtimeDebug.Stack()))
}
}()
customCheck := h.rule.GetRule().CustomChecks.Terraform
for _, block := range h.module.GetBlocks() {
if !isCustomCheckRequiredForBlock(customCheck, block) {
continue
}
results = append(results, customCheck.Check(block, h.module)...)
}
results.SetRule(h.rule.GetRule())
return
}

func (h *regoJob) Run() (results scan.Results, err error) {
regoResults, err := h.scanner.ScanInput(context.TODO(), rego.Input{
Contents: h.state.ToRego(),
Expand All @@ -152,100 +115,6 @@ func (h *regoJob) Run() (results scan.Results, err error) {
return regoResults, nil
}

// nolint
func isCustomCheckRequiredForBlock(custom *scan.TerraformCustomCheck, b *terraform.Block) bool {

var found bool
for _, requiredType := range custom.RequiredTypes {
if b.Type() == requiredType {
found = true
break
}
}
if !found && len(custom.RequiredTypes) > 0 {
return false
}

found = false
for _, requiredLabel := range custom.RequiredLabels {
if requiredLabel == "*" || (len(b.Labels()) > 0 && wildcardMatch(requiredLabel, b.TypeLabel())) {
found = true
break
}
}
if !found && len(custom.RequiredLabels) > 0 {
return false
}

found = false
if len(custom.RequiredSources) > 0 && b.Type() == terraform.TypeModule.Name() {
if sourceAttr := b.GetAttribute("source"); sourceAttr.IsNotNil() {
values := sourceAttr.AsStringValues().AsStrings()
if len(values) == 0 {
return false
}
sourcePath := values[0]

// resolve module source path to path relative to cwd
if strings.HasPrefix(sourcePath, ".") {
sourcePath = cleanPathRelativeToWorkingDir(filepath.Dir(b.GetMetadata().Range().GetFilename()), sourcePath)
}

for _, requiredSource := range custom.RequiredSources {
if requiredSource == "*" || wildcardMatch(requiredSource, sourcePath) {
found = true
break
}
}
}
return found
}

return true
}

func cleanPathRelativeToWorkingDir(dir, path string) string {
absPath := filepath.Clean(filepath.Join(dir, path))
wDir, err := os.Getwd()
if err != nil {
return absPath
}
relPath, err := filepath.Rel(wDir, absPath)
if err != nil {
return absPath
}
return relPath
}

func wildcardMatch(pattern, subject string) bool {
if pattern == "" {
return false
}
parts := strings.Split(pattern, "*")
var lastIndex int
for i, part := range parts {
if part == "" {
continue
}
if i == 0 {
if !strings.HasPrefix(subject, part) {
return false
}
}
if i == len(parts)-1 {
if !strings.HasSuffix(subject, part) {
return false
}
}
newIndex := strings.Index(subject, part)
if newIndex < lastIndex {
return false
}
lastIndex = newIndex
}
return true
}

type Worker struct {
incoming <-chan Job
mu sync.Mutex
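Review bot: With the custom-check branch gone, the loop under `if !p.regoOnly` in Run now enqueues every rule as an `infraRuleJob`, so the `p.modules` slice that only the deleted `hclModuleRuleJob` path iterated no longer appears to be read by Run; if the `Pool` struct (declared outside this hunk) still holds `modules` and its constructor still accepts them, drop both so callers stop threading data the pool never uses. `infraRuleJob` is now the only non-rego job and, as far as the hunk shows, carries no doc comment; `// infraRuleJob evaluates one registered rule against the shared infrastructure state.` would cover it, matching what its Run does via `h.rule.Evaluate(h.state)`. `fmt` and `runtimeDebug` stay imported while the only visible user, the recover in the deleted `hclModuleRuleJob.Run`, is gone; presumably `infraRuleJob.Run`, whose body starts at the hunk edge, still uses them for the same panic-to-error conversion, but that is worth confirming rather than relying on the build to catch. Run's body begins before and ends after this hunk.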
