From d597b1ae866943ff19d8f0c9e9c1ffef6c68bead Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Mon, 15 Jul 2024 14:24:31 +0700
Subject: [PATCH 1/2] refactor(checks): migrate Oracle to Rego
Signed-off-by: Nikita Pivkin
---
 avd_docs/oracle/compute/AVD-OCI-0001/docs.md | 3 +-
 checks/cloud/oracle/compute/no_public_ip.go | 3 +-
 checks/cloud/oracle/compute/no_public_ip.rego | 41 ++++++++++++
 .../cloud/oracle/compute/no_public_ip_test.go | 65 -------------------
 .../oracle/compute/no_public_ip_test.rego | 20 ++++++
 5 files changed, 65 insertions(+), 67 deletions(-)
 create mode 100644 checks/cloud/oracle/compute/no_public_ip.rego
 delete mode 100644 checks/cloud/oracle/compute/no_public_ip_test.go
 create mode 100644 checks/cloud/oracle/compute/no_public_ip_test.rego
diff --git a/avd_docs/oracle/compute/AVD-OCI-0001/docs.md b/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
index da437962..923abdfe 100644
--- a/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
+++ b/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
@@ -3,8 +3,9 @@ Compute instance requests an IP reservation from a public pool The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP. + ### Impact -The compute instance has the ability to be reached from outside + {{ remediationActions }}
diff --git a/checks/cloud/oracle/compute/no_public_ip.go b/checks/cloud/oracle/compute/no_public_ip.go
index 2b055b61..628fdc59 100755
--- a/checks/cloud/oracle/compute/no_public_ip.go
+++ b/checks/cloud/oracle/compute/no_public_ip.go
@@ -27,7 +27,8 @@ The compute instance has the ability to be reached from outside, you might want
 Links: terraformNoPublicIpLinks,
 RemediationMarkdown: terraformNoPublicIpRemediationMarkdown,
 },
- Severity: severity.Critical,
+ Severity: severity.Critical,
+ Deprecated: true,
 },
 func(s *state.State) (results scan.Results) {
 for _, reservation := range s.Oracle.Compute.AddressReservations {
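Review bot: The `Deprecated: true` added beside `Severity: severity.Critical` says nothing about what supersedes the Go check, so a maintainer reading no_public_ip.go has to search by AVD-OCI-0001 to find the Rego port; a comment such as `// Deprecated: superseded by checks/cloud/oracle/compute/no_public_ip.rego` on that line would record it. The evaluation closure starting at `func(s *state.State) (results scan.Results)` is left in place and continues outside the hunk, so the Go rule still iterates AddressReservations whenever it is run. Whether the registry skips deprecated rules when a Rego check with the same ID is registered is not visible in this patch; if it does not, both implementations would emit AVD-OCI-0001 for the same reservation, which is worth confirming before merging.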
diff --git a/checks/cloud/oracle/compute/no_public_ip.rego b/checks/cloud/oracle/compute/no_public_ip.rego
new file mode 100644
index 00000000..9e741fd6
--- /dev/null
+++ b/checks/cloud/oracle/compute/no_public_ip.rego
@@ -0,0 +1,41 @@
+# METADATA
+# title: Compute instance requests an IP reservation from a public pool
+# description: |
+# Compute instance requests an IP reservation from a public pool
+#
+# The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# custom:
+# id: AVD-OCI-0001
+# avd_id: AVD-OCI-0001
+# provider: oracle
+# service: compute
+# severity: CRITICAL
+# short_code: no-public-ip
+# recommended_action: Reconsider the use of an public IP
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: compute
+# provider: oracle
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_ip_address_reservation
+# - https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_instance
+# good_examples: checks/cloud/oracle/compute/no_public_ip.tf.go
+# bad_examples: checks/cloud/oracle/compute/no_public_ip.tf.go
+package builtin.oracle.compute.oracle0001
+
+import rego.v1
+
+deny contains res if {
+ some reservation in input.oracle.compute.addressreservations
+
+ # TODO: future improvement: we need to see what this IP is used for before flagging
+ reservation.pool.value == "public-ippool"
+
+ res := result.new("Reservation made for public IP address.", reservation.pool)
+}
diff --git a/checks/cloud/oracle/compute/no_public_ip_test.go b/checks/cloud/oracle/compute/no_public_ip_test.go
deleted file mode 100644
index 29c84399..00000000
--- a/checks/cloud/oracle/compute/no_public_ip_test.go
+++ /dev/null
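Review bot: The metadata carries two typos into the published check text: the description reads `you might want to sonder the use of a non public IP` (should be `consider`) and `recommended_action: Reconsider the use of an public IP` (should be `a public IP`); both are inherited from the Go check, but this file is now the source the docs are generated from, so this is where to fix them. The docs.md hunk in the same patch removes the sentence under `### Impact` and leaves that section empty, which suggests the Rego metadata as written has nowhere to carry the impact statement the Go check had; if the metadata schema supports an impact field, carry `The compute instance has the ability to be reached from outside` over, otherwise fold it into the description so the generated docs keep it. The `# TODO: future improvement: we need to see what this IP is used for before flagging` comment documents a known false-positive condition that only maintainers will see; a sentence to that effect in the description would tell users why a reservation from `public-ippool` may be legitimate.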
@@ -1,65 +0,0 @@
-package compute
-
-import (
- "testing"
-
- trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers/oracle"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestCheckNoPublicIp(t *testing.T) {
- tests := []struct {
- name string
- input oracle.Compute
- expected bool
- }{
- {
- name: "Compute instance public reservation pool",
- input: oracle.Compute{
- AddressReservations: []oracle.AddressReservation{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Pool: trivyTypes.String("public-ippool", trivyTypes.NewTestMetadata()),
- },
- },
- },
- expected: true,
- },
- {
- name: "Compute instance cloud reservation pool",
- input: oracle.Compute{
- AddressReservations: []oracle.AddressReservation{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Pool: trivyTypes.String("cloud-ippool", trivyTypes.NewTestMetadata()),
- },
- },
- },
- expected: false,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- var testState state.State
- testState.Oracle.Compute = test.input
- results := CheckNoPublicIp.Evaluate(&testState)
- var found bool
- for _, result := range results {
- if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicIp.LongID() {
- found = true
- }
- }
- if test.expected {
- assert.True(t, found, "Rule should have been found")
- } else {
- assert.False(t, found, "Rule should not have been found")
- }
- })
- }
-}
diff --git a/checks/cloud/oracle/compute/no_public_ip_test.rego b/checks/cloud/oracle/compute/no_public_ip_test.rego
new file mode 100644
index 00000000..3d79116c
--- /dev/null
+++ b/checks/cloud/oracle/compute/no_public_ip_test.rego
@@ -0,0 +1,20 @@
+package builtin.oracle.compute.oracle0001_test
+
+import rego.v1
+
+import data.builtin.oracle.compute.oracle0001 as check
+import data.lib.test
+
+test_deny_pool_is_public if {
+ inp := {"oracle": {"compute": {"addressreservations": [{"pool": {"value": "public-ippool"}}]}}}
+
+ res := check.deny with input as inp
+ count(res) == 1
+}
+
+test_allow_pool_is_cloud if {
+ inp := {"oracle": {"compute": {"addressreservations": [{"pool": {"value": "cloud-ippool"}}]}}}
+
+ res := check.deny with input as inp
+ res == set()
+}
From cc9984d347ef459ea95c3d61d7bb460c39aaa038 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Wed, 21 Aug 2024 09:57:27 +0600
Subject: [PATCH 2/2] test: add functional tests
Signed-off-by: Nikita Pivkin
---
 test/rego/oracle_test.go | 36 +++++++++++++++++++++++++++++++++++
 test/rego/rego_checks_test.go | 8 +++++---
 2 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 test/rego/oracle_test.go
diff --git a/test/rego/oracle_test.go b/test/rego/oracle_test.go
new file mode 100644
index 00000000..17dfcee5
--- /dev/null
+++ b/test/rego/oracle_test.go
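Review bot: `import data.lib.test` is not referenced by either test in this file, and OPA strict mode (`opa check --strict`) reports unused imports as errors, so it should be dropped unless a helper from it is meant to be used. Both tests also stop at `count(res) == 1` and `res == set()` over a single reservation, so nothing shows that only the public reservation is flagged when a public and a cloud pool reservation are present together, nor that the input is read per reservation rather than once; a mixed-pool case with one expected result pins that down. The same two single-reservation cases are mirrored in test/rego/oracle_test.go in the second patch, where a mixed case would apply as well.
```rego
# … unchanged: package, imports, existing tests …

test_deny_only_public_reservation if {
	inp := {"oracle": {"compute": {"addressreservations": [
		{"pool": {"value": "cloud-ippool"}},
		{"pool": {"value": "public-ippool"}},
	]}}}

	res := check.deny with input as inp
	count(res) == 1
}
```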
@@ -0,0 +1,36 @@
+package test
+
+import (
+ "github.com/aquasecurity/trivy/pkg/iac/providers/oracle"
+ "github.com/aquasecurity/trivy/pkg/iac/state"
+ trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var oracleTestCases = testCases{
+ "AVD-OCI-0001": {
+ {
+ name: "Compute instance public reservation pool",
+ input: state.State{Oracle: oracle.Oracle{Compute: oracle.Compute{
+ AddressReservations: []oracle.AddressReservation{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Pool: trivyTypes.String("public-ippool", trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Compute instance cloud reservation pool",
+ input: state.State{Oracle: oracle.Oracle{Compute: oracle.Compute{
+ AddressReservations: []oracle.AddressReservation{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Pool: trivyTypes.String("cloud-ippool", trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+}
diff --git a/test/rego/rego_checks_test.go b/test/rego/rego_checks_test.go
index 182d84f9..09646899 100644
--- a/test/rego/rego_checks_test.go
+++ b/test/rego/rego_checks_test.go
@@ -61,15 +61,17 @@ func TestRegoChecks(t *testing.T) {
 azureAuthorizationTestCases,
 azureContainerTestCases,
- googleDnsTestCases,
+ googleDnsTestCases,
 googleKmsTestCases,
 googleBigQueryTestCases,
- githubTestCases,
+ githubTestCases,
- nifcloudDnsTestCases,
+ nifcloudDnsTestCases,
 nifcloudNetworkTestCases,
 nifcloudSslCertificateTestCases,
+
+ oracleTestCases,
 )
 regoScanner := rego.NewScanner(trivyTypes.SourceCloud)