Merge pull request #112 from aquasecurity/liamg-metadata-hierarchies

Rework metadata to be hierarchical
aquasecurity · Jan 27, 2022 · 9c394e8 · 9c394e8
2 parents 4291584 + e0a344a
commit 9c394e8
Show file tree

Hide file tree

Showing 111 changed files with 56 additions and 194 deletions.
diff --git a/formatters/checkstyle.go b/formatters/checkstyle.go
@@ -41,10 +41,7 @@ func outputCheckStyle(b configurableFormatter, results []rules.Result) error {
 			link = links[0]
 		}
 
-		rng := res.CodeBlockMetadata().Range()
-		if res.IssueBlockMetadata() != nil {
-			rng = res.IssueBlockMetadata().Range()
-		}
+		rng := res.Metadata().Range()
 
 		files[rng.GetFilename()] = append(
 			files[rng.GetFilename()],

diff --git a/formatters/csv.go b/formatters/csv.go
@@ -21,10 +21,7 @@ func outputCSV(b configurableFormatter, results []rules.Result) error {
 			link = links[0]
 		}
 
-		rng := res.CodeBlockMetadata().Range()
-		if res.IssueBlockMetadata() != nil {
-			rng = res.IssueBlockMetadata().Range()
-		}
+		rng := res.Metadata().Range()
 
 		records = append(records, []string{
 			rng.GetFilename(),

diff --git a/formatters/default.go b/formatters/default.go
@@ -77,15 +77,13 @@ func printResult(b configurableFormatter, res rules.Result, i int) {
 		res.Description(),
 	)
 
-	rng := res.CodeBlockMetadata().Range()
-	if res.IssueBlockMetadata() != nil {
-		rng = res.IssueBlockMetadata().Range()
+	innerRange := res.Metadata().Range()
+	lineInfo := fmt.Sprintf("Lines %d-%d", innerRange.GetStartLine(), innerRange.GetEndLine())
+	if !innerRange.IsMultiLine() {
+		lineInfo = fmt.Sprintf("Line %d", innerRange.GetStartLine())
 	}
-	lineInfo := fmt.Sprintf("Line %d", rng.GetStartLine())
-	if rng.GetStartLine() < rng.GetEndLine() {
-		lineInfo = fmt.Sprintf("Lines %d-%d", rng.GetStartLine(), rng.GetEndLine())
-	}
-	filename := rng.GetFilename()
+
+	filename := innerRange.GetFilename()
 	if relative, err := filepath.Rel(b.BaseDir(), filename); err == nil {
 		filename = relative
 	}
@@ -167,13 +165,15 @@ func printCodeLine(w io.Writer, i int, code string) {
 
 func highlightCode(b configurableFormatter, result rules.Result) error {
 
-	outerRange := result.CodeBlockMetadata().Range()
-	innerRange := outerRange
-	if result.IssueBlockMetadata() != nil {
-		innerRange = result.IssueBlockMetadata().Range()
+	innerRange := result.Range()
+	outerRange := innerRange
+	if !innerRange.IsMultiLine() {
+		if parent := result.Metadata().Parent(); parent != nil {
+			outerRange = parent.Range()
+		}
 	}
 
-	content, err := ioutil.ReadFile(outerRange.GetFilename())
+	content, err := ioutil.ReadFile(innerRange.GetFilename())
 	if err != nil {
 		return err
 	}

diff --git a/formatters/junit.go b/formatters/junit.go
@@ -49,7 +49,7 @@ func outputJUnit(b configurableFormatter, results []rules.Result) error {
 	}
 
 	for _, res := range results {
-		rng := res.NarrowestRange()
+		rng := res.Range()
 		output.TestCases = append(output.TestCases,
 			jUnitTestCase{
 				Classname: rng.GetFilename(),
@@ -73,14 +73,14 @@ func outputJUnit(b configurableFormatter, results []rules.Result) error {
 // highlight the lines of code which caused a problem, if available
 func highlightCodeJunit(res rules.Result) string {
 
-	data, err := ioutil.ReadFile(res.NarrowestRange().GetFilename())
+	data, err := ioutil.ReadFile(res.Range().GetFilename())
 	if err != nil {
 		return ""
 	}
 
 	lines := append([]string{""}, strings.Split(string(data), "\n")...)
 
-	rng := res.NarrowestRange()
+	rng := res.Range()
 
 	start := rng.GetStartLine() - 3
 	if start <= 0 {
@@ -123,7 +123,7 @@ func buildFailure(b configurableFormatter, res rules.Result) *jUnitFailure {
 	return &jUnitFailure{
 		Message: res.Description(),
 		Contents: fmt.Sprintf("%s\n%s\n%s",
-			res.NarrowestRange().String(),
+			res.Range().String(),
 			highlightCodeJunit(res),
 			link,
 		),

diff --git a/formatters/sarif.go b/formatters/sarif.go
@@ -34,8 +34,7 @@ func outputSARIF(b configurableFormatter, results []rules.Result) error {
 			rule.WithHelpURI(links[0])
 		}
 
-		rng := res.NarrowestRange()
-
+		rng := res.Range()
 		relativePath, err := filepath.Rel(baseDir, rng.GetFilename())
 		if err != nil {
 			return err

diff --git a/rules/aws/apigateway/enable_access_logging.go b/rules/aws/apigateway/enable_access_logging.go
@@ -43,7 +43,6 @@ var CheckEnableAccessLogging = rules.Register(
 				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
 					results.Add(
 						"Access logging is not configured.",
-						&stage,
 						stage.AccessLogging.CloudwatchLogGroupARN,
 					)
 				} else {

diff --git a/rules/aws/apigateway/enable_cache_encryption.go b/rules/aws/apigateway/enable_cache_encryption.go
@@ -39,7 +39,6 @@ var CheckEnableCacheEncryption = rules.Register(
 				if stage.RESTMethodSettings.CacheDataEncrypted.IsFalse() {
 					results.Add(
 						"Cache data is not encrypted.",
-						&stage,
 						stage.RESTMethodSettings.CacheDataEncrypted,
 					)
 				} else {

diff --git a/rules/aws/apigateway/enable_tracing.go b/rules/aws/apigateway/enable_tracing.go
@@ -42,7 +42,6 @@ var CheckEnableTracing = rules.Register(
 				if stage.XRayTracingEnabled.IsFalse() {
 					results.Add(
 						"X-Ray tracing is not enabled,",
-						&stage,
 						stage.XRayTracingEnabled,
 					)
 				} else {

diff --git a/rules/aws/apigateway/no_public_access.go b/rules/aws/apigateway/no_public_access.go
@@ -42,7 +42,6 @@ var CheckNoPublicAccess = rules.Register(
 				if method.AuthorizationType.EqualTo(apigateway.AuthorizationNone) {
 					results.Add(
 						"Authorization is not enabled for this method.",
-						&method,
 						method.AuthorizationType,
 					)
 				} else {

diff --git a/rules/aws/apigateway/use_secure_tls_policy.go b/rules/aws/apigateway/use_secure_tls_policy.go
@@ -33,7 +33,6 @@ var CheckUseSecureTlsPolicy = rules.Register(
 			if domain.SecurityPolicy.NotEqualTo("TLS_1_2") {
 				results.Add(
 					"Domain name is configured with an outdated TLS policy.",
-					&domain,
 					domain.SecurityPolicy,
 				)
 			} else {

diff --git a/rules/aws/athena/enable_at_rest_encryption.go b/rules/aws/athena/enable_at_rest_encryption.go
@@ -43,7 +43,6 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if workgroup.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
 				results.Add(
 					"Workgroup does not have encryption configured.",
-					&workgroup,
 					workgroup.Encryption.Type,
 				)
 			} else {
@@ -57,7 +56,6 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if database.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
 				results.Add(
 					"Database does not have encryption configured.",
-					&database,
 					database.Encryption.Type,
 				)
 			} else {

diff --git a/rules/aws/athena/no_encryption_override.go b/rules/aws/athena/no_encryption_override.go
@@ -42,7 +42,6 @@ var CheckNoEncryptionOverride = rules.Register(
 			if workgroup.EnforceConfiguration.IsFalse() {
 				results.Add(
 					"The workgroup configuration is not enforced.",
-					&workgroup,
 					workgroup.EnforceConfiguration,
 				)
 			}

diff --git a/rules/aws/autoscaling/enable_at_rest_encryption.go b/rules/aws/autoscaling/enable_at_rest_encryption.go
@@ -39,7 +39,6 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if launchConfig.RootBlockDevice != nil && launchConfig.RootBlockDevice.Encrypted.IsFalse() {
 				results.Add(
 					"Root block device is not encrypted.",
-					&launchConfig,
 					launchConfig.RootBlockDevice.Encrypted,
 				)
 			} else {
@@ -49,7 +48,6 @@ var CheckEnableAtRestEncryption = rules.Register(
 				if device.Encrypted.IsFalse() {
 					results.Add(
 						"EBS block device is not encrypted.",
-						&device,
 						device.Encrypted,
 					)
 				} else {

diff --git a/rules/aws/autoscaling/no_public_ip.go b/rules/aws/autoscaling/no_public_ip.go
@@ -39,7 +39,6 @@ var CheckNoPublicIp = rules.Register(
 			if launchConfig.AssociatePublicIP.IsTrue() {
 				results.Add(
 					"Launch configuration associates public IP address.",
-					&launchConfig,
 					launchConfig.AssociatePublicIP,
 				)
 			} else {

diff --git a/rules/aws/autoscaling/no_sensitive_info.go b/rules/aws/autoscaling/no_sensitive_info.go
@@ -35,7 +35,6 @@ var CheckNoSensitiveInfo = rules.Register(
 			if result := scanner.Scan(launchConfig.UserData.Value()); result.TransgressionFound {
 				results.Add(
 					fmt.Sprintf("Sensitive data found in user data: %s", result.Description),
-					&launchConfig,
 					launchConfig.UserData,
 				)
 			} else {

diff --git a/rules/aws/cloudfront/enable_logging.go b/rules/aws/cloudfront/enable_logging.go
@@ -39,7 +39,6 @@ var CheckEnableLogging = rules.Register(
 			if dist.Logging.Bucket.IsEmpty() {
 				results.Add(
 					"Distribution does not have logging enabled.",
-					&dist,
 					dist.Logging.Bucket,
 				)
 			} else {

diff --git a/rules/aws/cloudfront/enable_waf.go b/rules/aws/cloudfront/enable_waf.go
@@ -39,7 +39,6 @@ var CheckEnableWaf = rules.Register(
 			if dist.WAFID.IsEmpty() {
 				results.Add(
 					"Distribution does not utilise a WAF.",
-					&dist,
 					dist.WAFID,
 				)
 			} else {

diff --git a/rules/aws/cloudfront/enforce_https.go b/rules/aws/cloudfront/enforce_https.go
@@ -42,7 +42,6 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 			if dist.DefaultCacheBehaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) {
 				results.Add(
 					"Distribution allows unencrypted communications.",
-					&dist,
 					dist.DefaultCacheBehaviour.ViewerProtocolPolicy,
 				)
 			} else {
@@ -52,7 +51,6 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 				if behaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) {
 					results.Add(
 						"Distribution allows unencrypted communications.",
-						&behaviour,
 						behaviour.ViewerProtocolPolicy,
 					)
 				} else {

diff --git a/rules/aws/cloudfront/use_secure_tls_policy.go b/rules/aws/cloudfront/use_secure_tls_policy.go
@@ -40,7 +40,6 @@ var CheckUseSecureTlsPolicy = rules.Register(
 			if dist.ViewerCertificate.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) {
 				results.Add(
 					"Distribution allows unencrypted communications.",
-					&dist,
 					dist.ViewerCertificate.MinimumProtocolVersion,
 				)
 			} else {

diff --git a/rules/aws/cloudtrail/enable_all_regions.go b/rules/aws/cloudtrail/enable_all_regions.go
@@ -39,7 +39,6 @@ var CheckEnableAllRegions = rules.Register(
 			if trail.IsMultiRegion.IsFalse() {
 				results.Add(
 					"Trail is not enabled across all regions.",
-					&trail,
 					trail.IsMultiRegion,
 				)
 			} else {

diff --git a/rules/aws/cloudtrail/enable_at_rest_encryption.go b/rules/aws/cloudtrail/enable_at_rest_encryption.go
@@ -39,7 +39,6 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if trail.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Trail is not encrypted.",
-					&trail,
 					trail.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/cloudtrail/enable_log_validation.go b/rules/aws/cloudtrail/enable_log_validation.go
@@ -39,7 +39,6 @@ var CheckEnableLogValidation = rules.Register(
 			if trail.EnableLogFileValidation.IsFalse() {
 				results.Add(
 					"Trail does not have log validation enabled.",
-					&trail,
 					trail.EnableLogFileValidation,
 				)
 			} else {

diff --git a/rules/aws/cloudwatch/log_group_customer_key.go b/rules/aws/cloudwatch/log_group_customer_key.go
@@ -39,7 +39,6 @@ var CheckLogGroupCustomerKey = rules.Register(
 			if group.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Log group is not encrypted.",
-					&group,
 					group.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/codebuild/enable_encryption.go b/rules/aws/codebuild/enable_encryption.go
@@ -40,7 +40,6 @@ var CheckEnableEncryption = rules.Register(
 			if project.ArtifactSettings.EncryptionEnabled.IsFalse() {
 				results.Add(
 					"Encryption is not enabled for project artifacts.",
-					&project,
 					project.ArtifactSettings.EncryptionEnabled,
 				)
 			} else {
@@ -51,7 +50,6 @@ var CheckEnableEncryption = rules.Register(
 				if setting.EncryptionEnabled.IsFalse() {
 					results.Add(
 						"Encryption is not enabled for secondary project artifacts.",
-						&setting,
 						setting.EncryptionEnabled,
 					)
 				} else {

diff --git a/rules/aws/documentdb/enable_storage_encryption.go b/rules/aws/documentdb/enable_storage_encryption.go
@@ -37,7 +37,6 @@ var CheckEnableStorageEncryption = rules.Register(
 			if cluster.StorageEncrypted.IsFalse() {
 				results.Add(
 					"Cluster storage does not have encryption enabled.",
-					&cluster,
 					cluster.StorageEncrypted,
 				)
 			} else {

diff --git a/rules/aws/documentdb/encryption_customer_key.go b/rules/aws/documentdb/encryption_customer_key.go
@@ -37,7 +37,6 @@ var CheckEncryptionCustomerKey = rules.Register(
 			if cluster.IsManaged() && cluster.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Cluster encryption does not use a customer-managed KMS key.",
-					&cluster,
 					cluster.KMSKeyID,
 				)
 			} else {
@@ -50,7 +49,6 @@ var CheckEncryptionCustomerKey = rules.Register(
 				if instance.KMSKeyID.IsEmpty() {
 					results.Add(
 						"Instance encryption does not use a customer-managed KMS key.",
-						&instance,
 						instance.KMSKeyID,
 					)
 				} else {

diff --git a/rules/aws/ecr/enable_image_scans.go b/rules/aws/ecr/enable_image_scans.go
@@ -39,7 +39,6 @@ var CheckEnableImageScans = rules.Register(
 			if repo.ImageScanning.ScanOnPush.IsFalse() {
 				results.Add(
 					"Image scanning is not enabled.",
-					&repo,
 					repo.ImageScanning.ScanOnPush,
 				)
 			} else {

diff --git a/rules/aws/ecr/enforce_immutable_repository.go b/rules/aws/ecr/enforce_immutable_repository.go
@@ -41,7 +41,6 @@ This can be done by setting <code>image_tab_mutability</code> to <code>IMMUTABLE
 			if repo.ImageTagsImmutable.IsFalse() {
 				results.Add(
 					"Repository tags are mutable.",
-					&repo,
 					repo.ImageTagsImmutable,
 				)
 			} else {

diff --git a/rules/aws/ecr/no_public_access.go b/rules/aws/ecr/no_public_access.go
@@ -63,7 +63,6 @@ var CheckNoPublicAccess = rules.Register(
 						foundIssue = true
 						results.Add(
 							"Policy provides public access to the ECR repository.",
-							&repo,
 							policyDocument,
 						)
 					} else {
@@ -72,7 +71,6 @@ var CheckNoPublicAccess = rules.Register(
 								foundIssue = true
 								results.Add(
 									"Policy provides public access to the ECR repository.",
-									&repo,
 									policyDocument,
 								)
 							}

diff --git a/rules/aws/ecr/repository_customer_key.go b/rules/aws/ecr/repository_customer_key.go
@@ -40,13 +40,11 @@ var CheckRepositoryCustomerKey = rules.Register(
 			if repo.Encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS) {
 				results.Add(
 					"Repository is not encrypted using KMS.",
-					&repo,
 					repo.Encryption.Type,
 				)
 			} else if repo.Encryption.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Repository encryption does not use a customer managed KMS key.",
-					&repo,
 					repo.Encryption.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/ecs/enable_container_insight.go b/rules/aws/ecs/enable_container_insight.go
@@ -39,7 +39,6 @@ var CheckEnableContainerInsight = rules.Register(
 			if cluster.Settings.ContainerInsightsEnabled.IsFalse() {
 				results.Add(
 					"Cluster does not have container insights enabled.",
-					&cluster,
 					cluster.Settings.ContainerInsightsEnabled,
 				)
 			} else {

diff --git a/rules/aws/ecs/enable_in_transit_encryption.go b/rules/aws/ecs/enable_in_transit_encryption.go
@@ -41,7 +41,6 @@ var CheckEnableInTransitEncryption = rules.Register(
 				if volume.EFSVolumeConfiguration.TransitEncryptionEnabled.IsFalse() {
 					results.Add(
 						"Task definition includes a volume which does not have in-transit-encryption enabled.",
-						&volume,
 						volume.EFSVolumeConfiguration.TransitEncryptionEnabled,
 					)
 				} else {

diff --git a/rules/aws/ecs/no_plaintext_secrets.go b/rules/aws/ecs/no_plaintext_secrets.go
@@ -53,7 +53,6 @@ var CheckNoPlaintextSecrets = rules.Register(
 				if result := scanner.Scan(val); result.TransgressionFound || security.IsSensitiveAttribute(key) {
 					results.Add(
 						fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s': %s", key, result.Description),
-						&definition,
 						definition.ContainerDefinitions,
 					)
 				} else {

diff --git a/rules/aws/efs/enable_at_rest_encryption.go b/rules/aws/efs/enable_at_rest_encryption.go
@@ -39,7 +39,6 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if fs.Encrypted.IsFalse() {
 				results.Add(
 					"File system is not encrypted.",
-					&fs,
 					fs.Encrypted,
 				)
 			} else {