feat: add the occurrences field #1383
Conversation
nikpivkin
force-pushed
the
nik-report-resource
branch
from
022b942
to
aa18860
Compare
|
@simar7 I followed the logic in "occurrences": [
{
"resource": "aws_security_group_rule.ingress_with_cidr_blocks[0]",
"filename": "terraform-aws-modules/security-group/aws/main.tf",
"start_line": 191,
"end_line": 227
},
{
"resource": "module.aws-security-groups[\"db1\"]",
"filename": "sg.tf",
"start_line": 1,
"end_line": 13
}
], |
could you explain what you mean by first occurrence? |
|
@simar7 For example, if the metadata of the resource will refer to the following sources:
|
Are they unique misconfigurations? If so, we should report them all at once. |
|
@simar7 No, it refers to one misconfiguration. |
Got it. So in the table output we will still see one misconfiguration right? If so, we should include all occurrences that are related to one misconfiguration. |
simar7
force-pushed
the
nik-report-resource
branch
from
625d845
to
afc8815
Compare
| func (r *Result) Occurrences() []Occurrence { | ||
| var occurrences []Occurrence | ||
|
|
||
| mod := &r.metadata | ||
|
|
||
| for { | ||
| mod = mod.Parent() | ||
| if mod == nil { | ||
| break | ||
| } | ||
| parentRange := mod.Range() | ||
| occurrences = append(occurrences, Occurrence{ | ||
| Resource: mod.Reference(), | ||
| Filename: parentRange.GetFilename(), | ||
| StartLine: parentRange.GetStartLine(), | ||
| EndLine: parentRange.GetEndLine(), | ||
| }) | ||
| } | ||
| return occurrences | ||
| } |
There was a problem hiding this comment.
Can we add a test for this? We can probably add it in pkg/scanners/cloud/aws/scanner_test.go.
There was a problem hiding this comment.
@simar7 How good is this place for the test? this file refers to tests of aws services. Since the method is public and converts the result to another structure, maybe it's worth adding it to pkg/scan/result_test.go?
|
@simar7 Do you think this will close this issue? |
Yeah good catch. I think so, it satisfies the ask. |
simar7
force-pushed
the
nik-report-resource
branch
from
f51eb51
to
49aee1f
Compare
simar7
force-pushed
the
nik-report-resource
branch
from
49aee1f
to
bd06b9a
Compare
Added the
occurrencesfield. Based on this field, we can display a list of occurrences in reports.See aquasecurity/trivy#4581
Example of json output:
{ "results": [ { "rule_id": "AVD-AWS-0107", "long_id": "aws-ec2-no-public-ingress-sgr", "rule_description": "An ingress security group rule allows traffic from /0.", "rule_provider": "aws", "rule_service": "ec2", "impact": "Your port exposed to the internet", "resolution": "Set a more restrictive cidr range", "links": [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html" ], "description": "Security group rule allows ingress from public internet.", "severity": "CRITICAL", "warning": false, "status": 0, "resource": "module.aws-security-groups[\"db1\"]", "occurrences": [ { "resource": "aws_security_group_rule.ingress_with_cidr_blocks[0]", "filename": "terraform-aws-modules/security-group/aws/main.tf", "start_line": 191, "end_line": 227 }, { "resource": "module.aws-security-groups[\"db1\"]", "filename": "sg.tf", "start_line": 1, "end_line": 13 } ], "location": { "filename": "terraform-aws-modules/security-group/aws/main.tf", "start_line": 197, "end_line": 204 } } ] }