fix(cloudformation): fix some resources

aquasecurity · Jan 17, 2024 · 97e40eb · 97e40eb
1 parent 78e7ebf
commit 97e40eb
Show file tree

Hide file tree

Showing 10 changed files with 406 additions and 93 deletions.
diff --git a/internal/adapters/cloudformation/aws/config/adapt_test.go b/internal/adapters/cloudformation/aws/config/adapt_test.go
@@ -0,0 +1,71 @@
+package config
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aquasecurity/defsec/pkg/providers/aws/config"
+	"github.com/aquasecurity/defsec/pkg/types"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-iac/pkg/scanners/cloudformation/parser"
+	"github.com/aquasecurity/trivy-iac/test/testutil"
+)
+
+func TestAdapt(t *testing.T) {
+	tests := []struct {
+		name     string
+		source   string
+		expected config.Config
+	}{
+		{
+			name: "Config aggregator with AccountAggregationSources",
+			source: `AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  ConfigurationAggregator:
+    Type: AWS::Config::ConfigurationAggregator
+    Properties:
+      AccountAggregationSources:
+        - AllAwsRegions: "true"
+`,
+			expected: config.Config{
+				ConfigurationAggregrator: config.ConfigurationAggregrator{
+					Metadata:         types.NewTestMetadata(),
+					SourceAllRegions: types.Bool(true, types.NewTestMetadata()),
+				},
+			},
+		},
+		{
+			name: "Config aggregator with OrganizationAggregationSource",
+			source: `AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  ConfigurationAggregator:
+    Type: AWS::Config::ConfigurationAggregator
+    Properties:
+      OrganizationAggregationSource:
+        AllAwsRegions: "true"
+`,
+			expected: config.Config{
+				ConfigurationAggregrator: config.ConfigurationAggregrator{
+					Metadata:         types.NewTestMetadata(),
+					SourceAllRegions: types.Bool(true, types.NewTestMetadata()),
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fs := testutil.CreateFS(t, map[string]string{
+				"template.yaml": tt.source,
+			})
+
+			p := parser.New()
+			fctx, err := p.ParseFile(context.TODO(), fs, "template.yaml")
+			require.NoError(t, err)
+
+			testutil.AssertDefsecEqual(t, tt.expected, Adapt(*fctx))
+		})
+	}
+
+}
diff --git a/internal/adapters/cloudformation/aws/config/aggregator.go b/internal/adapters/cloudformation/aws/config/aggregator.go
@@ -27,24 +27,15 @@ func getConfigurationAggregator(ctx parser.FileContext) config.ConfigurationAggr
 
 func isSourcingAllRegions(r *parser.Resource) defsecTypes.BoolValue {
 	accountProp := r.GetProperty("AccountAggregationSources")
-	orgProp := r.GetProperty("OrganizationAggregationSource")
 
 	if accountProp.IsNotNil() && accountProp.IsList() {
 		for _, a := range accountProp.AsList() {
 			regionsProp := a.GetProperty("AllAwsRegions")
-			if regionsProp.IsNil() || regionsProp.IsBool() {
-				return regionsProp.AsBoolValue()
+			if regionsProp.IsNotNil() {
+				return a.GetBoolProperty("AllAwsRegions")
 			}
 		}
 	}
 
-	if orgProp.IsNotNil() {
-		regionsProp := orgProp.GetProperty("AllAwsRegions")
-		if regionsProp.IsBool() {
-			return regionsProp.AsBoolValue()
-		}
-	}
-
-	// nothing is set or resolvable so its got to be false
-	return defsecTypes.BoolDefault(false, r.Metadata())
+	return r.GetBoolProperty("OrganizationAggregationSource.AllAwsRegions")
 }
diff --git a/internal/adapters/cloudformation/aws/documentdb/cluster.go b/internal/adapters/cloudformation/aws/documentdb/cluster.go
@@ -16,7 +16,7 @@ func getClusters(ctx parser.FileContext) (clusters []documentdb.Cluster) {
 			Identifier:            r.GetStringProperty("DBClusterIdentifier"),
 			EnabledLogExports:     getLogExports(r),
 			Instances:             nil,
-			BackupRetentionPeriod: r.GetIntProperty("BackupRetentionPeriod"),
+			BackupRetentionPeriod: r.GetIntProperty("BackupRetentionPeriod", 1),
 			StorageEncrypted:      r.GetBoolProperty("StorageEncrypted"),
 			KMSKeyID:              r.GetStringProperty("KmsKeyId"),
 		}

diff --git a/internal/adapters/cloudformation/aws/ec2/adatp_test.go b/internal/adapters/cloudformation/aws/ec2/adatp_test.go
@@ -0,0 +1,66 @@
+package ec2
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aquasecurity/defsec/pkg/providers/aws/ec2"
+	"github.com/aquasecurity/defsec/pkg/types"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-iac/pkg/scanners/cloudformation/parser"
+	"github.com/aquasecurity/trivy-iac/test/testutil"
+)
+
+func TestAdapt(t *testing.T) {
+	tests := []struct {
+		name     string
+		source   string
+		expected ec2.EC2
+	}{
+		{
+			name: "EC2 instance",
+			source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  MyEC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      ImageId: "ami-79fd7eee"
+      KeyName: "testkey"
+      BlockDeviceMappings:
+      - DeviceName: "/dev/sdm"
+        Ebs:
+          VolumeType: "io1"
+          Iops: "200"
+          DeleteOnTermination: "false"
+          VolumeSize: "20"
+          Encrypted: "true"`,
+			expected: ec2.EC2{
+				Instances: []ec2.Instance{
+					{
+						Metadata: types.NewTestMetadata(),
+						MetadataOptions: ec2.MetadataOptions{
+							HttpEndpoint: types.StringDefault("enabled", types.NewTestMetadata()),
+							HttpTokens:   types.StringDefault("optional", types.NewTestMetadata()),
+						},
+						RootBlockDevice: &ec2.BlockDevice{
+							Metadata:  types.NewTestMetadata(),
+							Encrypted: types.Bool(true, types.NewTestMetadata()),
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fs := testutil.CreateFS(t, map[string]string{
+				"template.yaml": tt.source,
+			})
+			p := parser.New()
+			fctx, err := p.ParseFile(context.TODO(), fs, "template.yaml")
+			require.NoError(t, err)
+			testutil.AssertDefsecEqual(t, tt.expected, Adapt(*fctx))
+		})
+	}
+}
diff --git a/internal/adapters/cloudformation/aws/ec2/instance.go b/internal/adapters/cloudformation/aws/ec2/instance.go
@@ -50,17 +50,9 @@ func getBlockDevices(r *parser.Resource) []*ec2.BlockDevice {
 	}
 
 	for _, d := range devicesProp.AsList() {
-		encrypted := d.GetProperty("Ebs.Encrypted")
-		var result defsecTypes.BoolValue
-		if encrypted.IsNil() {
-			result = defsecTypes.BoolDefault(false, d.Metadata())
-		} else {
-			result = encrypted.AsBoolValue()
-		}
-
 		device := &ec2.BlockDevice{
 			Metadata:  d.Metadata(),
-			Encrypted: result,
+			Encrypted: d.GetBoolProperty("Ebs.Encrypted"),
 		}
 
 		blockDevices = append(blockDevices, device)

diff --git a/internal/adapters/cloudformation/aws/elb/adapt_test.go b/internal/adapters/cloudformation/aws/elb/adapt_test.go
@@ -0,0 +1,73 @@
+package elb
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aquasecurity/defsec/pkg/providers/aws/elb"
+	"github.com/aquasecurity/defsec/pkg/types"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-iac/pkg/scanners/cloudformation/parser"
+	"github.com/aquasecurity/trivy-iac/test/testutil"
+)
+
+func TestAdapt(t *testing.T) {
+	tests := []struct {
+		name     string
+		source   string
+		expected elb.ELB
+	}{
+		{
+			name: "LoadBalancer",
+			source: `AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  LoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    DependsOn:
+      - ALBLogsBucketPermission
+    Properties:
+      Name: "k8s-dev"
+      IpAddressType: ipv4
+      LoadBalancerAttributes:
+        - Key: routing.http2.enabled
+          Value: "true"
+        - Key: deletion_protection.enabled
+          Value: "true"
+        - Key: routing.http.drop_invalid_header_fields.enabled
+          Value: "true"
+        - Key: access_logs.s3.enabled
+          Value: "true"
+      Tags:
+        - Key: ingress.k8s.aws/resource
+          Value: LoadBalancer
+        - Key: elbv2.k8s.aws/cluster
+          Value: "biomage-dev"
+      Type: application
+`,
+			expected: elb.ELB{
+				LoadBalancers: []elb.LoadBalancer{
+					{
+						Metadata:                types.NewTestMetadata(),
+						Type:                    types.String("application", types.NewTestMetadata()),
+						DropInvalidHeaderFields: types.Bool(true, types.NewTestMetadata()),
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fs := testutil.CreateFS(t, map[string]string{
+				"template.yaml": tt.source,
+			})
+
+			p := parser.New()
+			fctx, err := p.ParseFile(context.TODO(), fs, "template.yaml")
+			require.NoError(t, err)
+
+			testutil.AssertDefsecEqual(t, tt.expected, Adapt(*fctx))
+		})
+	}
+}
diff --git a/internal/adapters/cloudformation/aws/elb/loadbalancer.go b/internal/adapters/cloudformation/aws/elb/loadbalancer.go
@@ -72,16 +72,8 @@ func checkForDropInvalidHeaders(r *parser.Resource) types.BoolValue {
 	}
 
 	for _, attr := range attributesProp.AsList() {
-		if attr.IsNotMap() {
-			continue
-		}
-
-		if attr.AsMap()["Key"].AsString() == "routing.http.drop_invalid_header_fields.enabled" {
-			val := attr.AsMap()["Value"]
-			if val.IsBool() {
-				return val.AsBoolValue()
-			}
-
+		if attr.GetStringProperty("Key").Value() == "routing.http.drop_invalid_header_fields.enabled" {
+			return attr.GetBoolProperty("Value")
 		}
 	}