Merge branch 'main' into rego-iam-doc

aquasecurity · Jan 24, 2024 · f96b6e0 · f96b6e0
2 parents fe8bb0d + 5036369
commit f96b6e0
Show file tree

Hide file tree

Showing 73 changed files with 404 additions and 11,382 deletions.
diff --git a/.github/workflows/verify-schema.yml b/.github/workflows/verify-schema.yml
diff --git a/Makefile b/Makefile
@@ -12,10 +12,6 @@ update-aws-deps:
 	@grep aws-sdk-go-v2 go.mod | grep -v '// indirect' | sed 's/^[\t\s]*//g' | sed 's/\s.*//g' | xargs go get
 	@go mod tidy
 
-.PHONY: schema
-schema:
-	go run ./cmd/schema generate
-
 .PHONY: docs
 docs:
 	go run ./cmd/avd_generator

diff --git a/cmd/avd_generator/main.go b/cmd/avd_generator/main.go
@@ -12,11 +12,10 @@ import (
 	"text/template"
 
 	"github.com/aquasecurity/defsec/pkg/framework"
+	_ "github.com/aquasecurity/defsec/pkg/rego"
+	registered "github.com/aquasecurity/defsec/pkg/rules"
+	types "github.com/aquasecurity/defsec/pkg/types/rules"
 	policies "github.com/aquasecurity/trivy-policies"
-
-	_ "github.com/aquasecurity/trivy-iac/pkg/rego"
-	registered "github.com/aquasecurity/trivy-iac/pkg/rules"
-	"github.com/aquasecurity/trivy-iac/pkg/types"
 )
 
 func main() {

diff --git a/cmd/avd_generator/main_test.go b/cmd/avd_generator/main_test.go
@@ -8,11 +8,10 @@ import (
 	"runtime"
 	"testing"
 
+	"github.com/aquasecurity/defsec/pkg/framework"
+	registered "github.com/aquasecurity/defsec/pkg/rules"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/defsec/pkg/framework"
-	registered "github.com/aquasecurity/trivy-iac/pkg/rules"
 )
 
 func init() { // change the pwd for the test to top level defesc dir

diff --git a/cmd/schema/main.go b/cmd/schema/main.go
diff --git a/go.mod b/go.mod
@@ -6,10 +6,10 @@ require (
 	github.com/BurntSushi/toml v1.3.2
 	github.com/Masterminds/semver v1.5.0
 	github.com/apparentlymart/go-cidr v1.1.0
-	github.com/aquasecurity/defsec v0.93.2-0.20240104002958-968b8f115bc0
+	github.com/aquasecurity/defsec v0.94.1
 	github.com/aquasecurity/trivy-policies v0.8.0
 	github.com/aws/smithy-go v1.19.0
-	github.com/bmatcuk/doublestar/v4 v4.6.0
+	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/google/uuid v1.5.0
 	github.com/hashicorp/go-getter v1.7.3
 	github.com/hashicorp/go-uuid v1.0.3
@@ -18,11 +18,8 @@ require (
 	github.com/liamg/jfather v0.0.7
 	github.com/liamg/memoryfs v1.6.0
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/mitchellh/mapstructure v1.5.0
 	github.com/moby/buildkit v0.11.6
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.60.0
-	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
 	github.com/zclconf/go-cty v1.13.0
 	github.com/zclconf/go-cty-yaml v1.0.3
@@ -136,6 +133,7 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
@@ -145,6 +143,7 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/open-policy-agent/opa v0.60.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/owenrumney/squealer v1.2.1 // indirect
@@ -165,6 +164,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cobra v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect

diff --git a/go.sum b/go.sum
@@ -254,8 +254,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
-github.com/bmatcuk/doublestar/v4 v4.6.0 h1:HTuxyug8GyFbRkrffIpzNCSK4luc0TY3wzXvzIZhEXc=
-github.com/bmatcuk/doublestar/v4 v4.6.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
+github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
 github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng=
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ=

diff --git a/internal/adapters/cloudformation/aws/ec2/adapt_test.go b/internal/adapters/cloudformation/aws/ec2/adapt_test.go
@@ -19,7 +19,7 @@ func TestAdapt(t *testing.T) {
 		expected ec2.EC2
 	}{
 		{
-			name: "EC2 instance",
+			name: "ec2 instance",
 			source: `AWSTemplateFormatVersion: 2010-09-09
 Resources:
   MyEC2Instance:
@@ -34,7 +34,10 @@ Resources:
           Iops: "200"
           DeleteOnTermination: "false"
           VolumeSize: "20"
-          Encrypted: "true"`,
+          Encrypted: true
+      - DeviceName: "/dev/sdk"
+        NoDevice: {}
+`,
 			expected: ec2.EC2{
 				Instances: []ec2.Instance{
 					{
@@ -45,22 +48,129 @@ Resources:
 						},
 						RootBlockDevice: &ec2.BlockDevice{
 							Metadata:  types.NewTestMetadata(),
-							Encrypted: types.Bool(true, types.NewTestMetadata()),
+							Encrypted: types.BoolDefault(true, types.NewTestMetadata()),
+						},
+						EBSBlockDevices: []*ec2.BlockDevice{
+							{
+								Metadata:  types.NewTestMetadata(),
+								Encrypted: types.BoolDefault(false, types.NewTestMetadata()),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "ec2 instance with launch template, ref to name",
+			source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  MyLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+        LaunchTemplateName: MyTemplate
+        LaunchTemplateData:
+          MetadataOptions:
+            HttpEndpoint: enabled
+            HttpTokens: required
+  MyEC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      ImageId: "ami-79fd7eee"
+      LaunchTemplate:
+        LaunchTemplateName: MyTemplate
+`,
+			expected: ec2.EC2{
+				LaunchTemplates: []ec2.LaunchTemplate{
+					{
+						Metadata: types.NewTestMetadata(),
+						Name:     types.String("MyTemplate", types.NewTestMetadata()),
+						Instance: ec2.Instance{
+							Metadata: types.NewTestMetadata(),
+							MetadataOptions: ec2.MetadataOptions{
+								HttpEndpoint: types.String("enabled", types.NewTestMetadata()),
+								HttpTokens:   types.String("required", types.NewTestMetadata()),
+							},
+						},
+					},
+				},
+				Instances: []ec2.Instance{
+					{
+						Metadata: types.NewTestMetadata(),
+						MetadataOptions: ec2.MetadataOptions{
+							HttpEndpoint: types.String("enabled", types.NewTestMetadata()),
+							HttpTokens:   types.String("required", types.NewTestMetadata()),
+						},
+						RootBlockDevice: &ec2.BlockDevice{
+							Metadata:  types.NewTestMetadata(),
+							Encrypted: types.Bool(false, types.NewTestMetadata()),
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "ec2 instance with launch template, ref to id",
+			source: `AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  MyLaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+        LaunchTemplateName: MyTemplate
+        LaunchTemplateData:
+          MetadataOptions:
+            HttpEndpoint: enabled
+            HttpTokens: required
+  MyEC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      ImageId: "ami-79fd7eee"
+      LaunchTemplate:
+        LaunchTemplateId: !Ref MyLaunchTemplate
+`,
+			expected: ec2.EC2{
+				LaunchTemplates: []ec2.LaunchTemplate{
+					{
+						Metadata: types.NewTestMetadata(),
+						Name:     types.String("MyTemplate", types.NewTestMetadata()),
+						Instance: ec2.Instance{
+							Metadata: types.NewTestMetadata(),
+							MetadataOptions: ec2.MetadataOptions{
+								HttpEndpoint: types.String("enabled", types.NewTestMetadata()),
+								HttpTokens:   types.String("required", types.NewTestMetadata()),
+							},
+						},
+					},
+				},
+				Instances: []ec2.Instance{
+					{
+						Metadata: types.NewTestMetadata(),
+						MetadataOptions: ec2.MetadataOptions{
+							HttpEndpoint: types.String("enabled", types.NewTestMetadata()),
+							HttpTokens:   types.String("required", types.NewTestMetadata()),
+						},
+						RootBlockDevice: &ec2.BlockDevice{
+							Metadata:  types.NewTestMetadata(),
+							Encrypted: types.Bool(false, types.NewTestMetadata()),
 						},
 					},
 				},
 			},
 		},
 	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			fs := testutil.CreateFS(t, map[string]string{
-				"template.yaml": tt.source,
+
+			fsys := testutil.CreateFS(t, map[string]string{
+				"main.yaml": tt.source,
 			})
-			p := parser.New()
-			fctx, err := p.ParseFile(context.TODO(), fs, "template.yaml")
+
+			fctx, err := parser.New().ParseFile(context.TODO(), fsys, "main.yaml")
 			require.NoError(t, err)
-			testutil.AssertDefsecEqual(t, tt.expected, Adapt(*fctx))
+
+			adapted := Adapt(*fctx)
+			testutil.AssertDefsecEqual(t, tt.expected, adapted)
 		})
 	}
+
 }