From e0a344aeffdc413da5b4413db85f593e0db92e13 Mon Sep 17 00:00:00 2001 
From: Liam Galvin Date: Wed, 26 Jan 2022 20:37:28 +0000 Subject: [PATCH] Rework metadata to be hierarchical --- formatters/checkstyle.go | 5 +- formatters/csv.go | 5 +- formatters/default.go | 26 +++++----- formatters/junit.go | 8 +-- formatters/sarif.go | 3 +- rules/aws/apigateway/enable_access_logging.go | 1 - .../aws/apigateway/enable_cache_encryption.go | 1 - rules/aws/apigateway/enable_tracing.go | 1 - rules/aws/apigateway/no_public_access.go | 1 - rules/aws/apigateway/use_secure_tls_policy.go | 1 - rules/aws/athena/enable_at_rest_encryption.go | 2 - rules/aws/athena/no_encryption_override.go | 1 - .../autoscaling/enable_at_rest_encryption.go | 2 - rules/aws/autoscaling/no_public_ip.go | 1 - rules/aws/autoscaling/no_sensitive_info.go | 1 - rules/aws/cloudfront/enable_logging.go | 1 - rules/aws/cloudfront/enable_waf.go | 1 - rules/aws/cloudfront/enforce_https.go | 2 - rules/aws/cloudfront/use_secure_tls_policy.go | 1 - rules/aws/cloudtrail/enable_all_regions.go | 1 - .../cloudtrail/enable_at_rest_encryption.go | 1 - rules/aws/cloudtrail/enable_log_validation.go | 1 - .../aws/cloudwatch/log_group_customer_key.go | 1 - rules/aws/codebuild/enable_encryption.go | 2 - .../documentdb/enable_storage_encryption.go | 1 - .../aws/documentdb/encryption_customer_key.go | 2 - rules/aws/ecr/enable_image_scans.go | 1 - rules/aws/ecr/enforce_immutable_repository.go | 1 - rules/aws/ecr/no_public_access.go | 2 - rules/aws/ecr/repository_customer_key.go | 2 - rules/aws/ecs/enable_container_insight.go | 1 - rules/aws/ecs/enable_in_transit_encryption.go | 1 - rules/aws/ecs/no_plaintext_secrets.go | 1 - rules/aws/efs/enable_at_rest_encryption.go | 1 - rules/aws/eks/enable_control_plane_logging.go | 5 -- rules/aws/eks/encrypt_secrets.go | 2 - rules/aws/eks/no_public_cluster_access.go | 1 - .../add_description_for_security_group.go | 1 - .../elasticache/enable_at_rest_encryption.go | 1 - .../elasticache/enable_backup_retention.go | 1 - .../enable_in_transit_encryption.go | 1 - 
.../elasticsearch/enable_domain_encryption.go | 1 - .../elasticsearch/enable_domain_logging.go | 1 - .../enable_in_transit_encryption.go | 1 - rules/aws/elasticsearch/enforce_https.go | 1 - .../elasticsearch/use_secure_tls_policy.go | 1 - rules/aws/elb/alb_not_public.go | 1 - rules/aws/elb/drop_invalid_headers.go | 1 - rules/aws/elb/http_not_used.go | 1 - rules/aws/elb/use_secure_tls_policy.go | 1 - rules/aws/iam/no_password_reuse.go | 1 - .../aws/iam/require_lowercase_in_passwords.go | 1 - rules/aws/iam/require_numbers_in_passwords.go | 1 - rules/aws/iam/require_symbols_in_passwords.go | 1 - .../aws/iam/require_uppercase_in_passwords.go | 1 - rules/aws/iam/set_max_password_age.go | 1 - rules/aws/iam/set_minimum_password_length.go | 1 - .../kinesis/enable_in_transit_encryption.go | 2 - rules/aws/kms/auto_rotate_keys.go | 1 - rules/aws/lambda/enable_tracing.go | 1 - rules/aws/lambda/restrict_source_arn.go | 1 - rules/aws/mq/enable_audit_logging.go | 1 - rules/aws/mq/enable_general_logging.go | 1 - rules/aws/mq/no_public_access.go | 1 - rules/aws/msk/enable_in_transit_encryption.go | 2 - rules/aws/msk/enable_logging.go | 1 - rules/aws/neptune/enable_log_export.go | 1 - .../aws/neptune/enable_storage_encryption.go | 1 - rules/aws/neptune/encryption_customer_key.go | 1 - rules/aws/rds/enable_performance_insights.go | 4 -- rules/aws/rds/encrypt_cluster_storage_data.go | 2 - .../aws/rds/encrypt_instance_storage_data.go | 1 - rules/aws/rds/no_public_db_access.go | 2 - rules/aws/rds/specify_backup_retention.go | 2 - .../add_description_to_security_group.go | 1 - rules/aws/redshift/encryption_customer_key.go | 2 - rules/aws/redshift/use_vpc.go | 1 - rules/aws/s3/block_public_acls.go | 1 - rules/aws/s3/block_public_policy.go | 1 - rules/aws/s3/enable_bucket_encryption.go | 1 - rules/aws/s3/enable_bucket_logging.go | 1 - rules/aws/s3/enable_versioning.go | 1 - rules/aws/s3/ignore_public_acls.go | 1 - rules/aws/s3/no_public_access_with_acl.go | 2 - 
rules/aws/s3/no_public_buckets.go | 1 - rules/aws/sam/api_use_secure_tls_policy.go | 1 - rules/aws/sam/enable_api_access_logging.go | 1 - rules/aws/sam/enable_api_cache_encryption.go | 1 - rules/aws/sam/enable_api_tracing.go | 1 - rules/aws/sam/enable_function_tracing.go | 1 - .../aws/sam/enable_http_api_access_logging.go | 1 - rules/aws/sam/enable_state_machine_logging.go | 1 - rules/aws/sam/enable_state_machine_tracing.go | 1 - rules/aws/sam/enable_table_encryption.go | 1 - rules/aws/sns/enable_topic_encryption.go | 1 - rules/aws/sqs/enable_queue_encryption.go | 1 - .../sqs/no_wildcards_in_policy_documents.go | 1 - rules/aws/ssm/secret_use_customer_key.go | 2 - .../vpc/add_description_to_security_group.go | 2 - .../add_description_to_security_group_rule.go | 1 - rules/aws/vpc/no_excessive_port_access.go | 1 - rules/aws/vpc/no_public_egress_sgr.go | 1 - rules/aws/vpc/no_public_ingress_acl.go | 1 - rules/aws/vpc/no_public_ingress_sgr.go | 1 - .../aws/workspaces/enable_disk_encryption.go | 2 - rules/azure/keyvault/no_purge.go | 2 +- rules/flat.go | 7 +-- .../actions/no_plain_text_action_secrets.go | 1 - rules/result.go | 49 ++++++------------- types/metadata.go | 14 ++++++ types/range.go | 5 ++ 111 files changed, 56 insertions(+), 194 deletions(-)
diff --git a/formatters/checkstyle.go b/formatters/checkstyle.go
index 3e32c8239..1f1c8c571 100644
--- a/formatters/checkstyle.go
+++ b/formatters/checkstyle.go
@@ -41,10 +41,7 @@ func outputCheckStyle(b configurableFormatter, results []rules.Result) error {
link = links[0]
}
- rng := res.CodeBlockMetadata().Range()
- if res.IssueBlockMetadata() != nil {
- rng = res.IssueBlockMetadata().Range()
- }
+ rng := res.Metadata().Range()
files[rng.GetFilename()] = append(
files[rng.GetFilename()],
diff --git a/formatters/csv.go b/formatters/csv.go
index 9c0f15aff..56f2f4121 100644
--- a/formatters/csv.go
+++ b/formatters/csv.go
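Review bot: `rng := res.Metadata().Range()` is the long spelling of what the junit and sarif hunks in this same commit write as `res.Range()`, and the csv.go hunk and the printResult hunk in default.go repeat the long form. Assuming `Result.Range()` simply returns `Metadata().Range()` (highlightCode calls both on the same result, which suggests so), `rng := res.Range()` in all three places would keep the formatters uniform and avoid two spellings of the same lookup. The loop body of outputCheckStyle begins before and ends after this hunk.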
@@ -21,10 +21,7 @@ func outputCSV(b configurableFormatter, results []rules.Result) error {
link = links[0]
}
- rng := res.CodeBlockMetadata().Range()
- if res.IssueBlockMetadata() != nil {
- rng = res.IssueBlockMetadata().Range()
- }
+ rng := res.Metadata().Range()
records = append(records, []string{
rng.GetFilename(),
diff --git a/formatters/default.go b/formatters/default.go
index b414c56ab..9adfe19c9 100644
--- a/formatters/default.go
+++ b/formatters/default.go
@@ -77,15 +77,13 @@ func printResult(b configurableFormatter, res rules.Result, i int) {
res.Description(),
)
- rng := res.CodeBlockMetadata().Range()
- if res.IssueBlockMetadata() != nil {
- rng = res.IssueBlockMetadata().Range()
+ innerRange := res.Metadata().Range()
+ lineInfo := fmt.Sprintf("Lines %d-%d", innerRange.GetStartLine(), innerRange.GetEndLine())
+ if !innerRange.IsMultiLine() {
+ lineInfo = fmt.Sprintf("Line %d", innerRange.GetStartLine())
}
- lineInfo := fmt.Sprintf("Line %d", rng.GetStartLine())
- if rng.GetStartLine() < rng.GetEndLine() {
- lineInfo = fmt.Sprintf("Lines %d-%d", rng.GetStartLine(), rng.GetEndLine())
- }
- filename := rng.GetFilename()
+
+ filename := innerRange.GetFilename()
if relative, err := filepath.Rel(b.BaseDir(), filename); err == nil {
filename = relative
}
@@ -167,13 +165,15 @@ func printCodeLine(w io.Writer, i int, code string) {
func highlightCode(b configurableFormatter, result rules.Result) error {
- outerRange := result.CodeBlockMetadata().Range()
- innerRange := outerRange
- if result.IssueBlockMetadata() != nil {
- innerRange = result.IssueBlockMetadata().Range()
+ innerRange := result.Range()
+ outerRange := innerRange
+ if !innerRange.IsMultiLine() {
+ if parent := result.Metadata().Parent(); parent != nil {
+ outerRange = parent.Range()
+ }
}
- content, err := ioutil.ReadFile(outerRange.GetFilename())
+ content, err := ioutil.ReadFile(innerRange.GetFilename())
if err != nil {
return err
}
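Review bot: In highlightCode the widened `outerRange` is taken from `parent.Range()`, but the file is now read from `innerRange.GetFilename()`; nothing in the hunk establishes that a parent's range lives in the same file as the attribute, and if it can differ (a block defined in another file, say), `outerRange`'s start and end lines would be applied to the wrong file's contents. A cheap guard is to adopt the parent only when the filenames agree: `if parent := result.Metadata().Parent(); parent != nil && parent.Range().GetFilename() == innerRange.GetFilename() {`. The lines of highlightCode that slice `content` by `outerRange` are outside this hunk, so the fallback there is not visible here.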
diff --git a/formatters/junit.go b/formatters/junit.go
index 4c5e39631..63926cfe8 100644
--- a/formatters/junit.go
+++ b/formatters/junit.go
@@ -49,7 +49,7 @@ func outputJUnit(b configurableFormatter, results []rules.Result) error {
}
for _, res := range results {
- rng := res.NarrowestRange()
+ rng := res.Range()
output.TestCases = append(output.TestCases, jUnitTestCase{
Classname: rng.GetFilename(),
@@ -73,14 +73,14 @@ func outputJUnit(b configurableFormatter, results []rules.Result) error {
// highlight the lines of code which caused a problem, if available
func highlightCodeJunit(res rules.Result) string {
- data, err := ioutil.ReadFile(res.NarrowestRange().GetFilename())
+ data, err := ioutil.ReadFile(res.Range().GetFilename())
if err != nil {
return ""
}
lines := append([]string{""}, strings.Split(string(data), "\n")...)
- rng := res.NarrowestRange()
+ rng := res.Range()
start := rng.GetStartLine() - 3
if start <= 0 {
@@ -123,7 +123,7 @@ func buildFailure(b configurableFormatter, res rules.Result) *jUnitFailure {
return &jUnitFailure{
Message: res.Description(),
Contents: fmt.Sprintf("%s\n%s\n%s",
- res.NarrowestRange().String(),
+ res.Range().String(),
highlightCodeJunit(res),
link,
),
diff --git a/formatters/sarif.go b/formatters/sarif.go
index cd69c2b24..bd54988b3 100644
--- a/formatters/sarif.go
+++ b/formatters/sarif.go
@@ -34,8 +34,7 @@ func outputSARIF(b configurableFormatter, results []rules.Result) error {
rule.WithHelpURI(links[0])
}
- rng := res.NarrowestRange()
-
+ rng := res.Range()
relativePath, err := filepath.Rel(baseDir, rng.GetFilename())
if err != nil {
return err
diff --git a/rules/aws/apigateway/enable_access_logging.go b/rules/aws/apigateway/enable_access_logging.go
index 7c5dc2ace..cbf23ec1c 100755
--- a/rules/aws/apigateway/enable_access_logging.go
+++ b/rules/aws/apigateway/enable_access_logging.go
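Review bot: In the highlightCodeJunit hunk `res.Range()` is evaluated twice, once for the `ioutil.ReadFile` filename and again a few lines later as `rng`, where both changed lines would be served by one lookup. Moving `rng := res.Range()` above the read and writing `data, err := ioutil.ReadFile(rng.GetFilename())` removes the duplicate and makes it obvious the highlighted lines come from the same file that was read. The duplication predates this commit, but since the hunk rewrites both lines it is the natural moment to fold them; highlightCodeJunit continues past the end of the hunk.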
@@ -43,7 +43,6 @@ var CheckEnableAccessLogging = rules.Register( if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { results.Add( "Access logging is not configured.", - &stage, stage.AccessLogging.CloudwatchLogGroupARN, ) } else { diff --git a/rules/aws/apigateway/enable_cache_encryption.go b/rules/aws/apigateway/enable_cache_encryption.go index b84a8c64e..7de1a0181 100755 --- a/rules/aws/apigateway/enable_cache_encryption.go +++ b/rules/aws/apigateway/enable_cache_encryption.go @@ -39,7 +39,6 @@ var CheckEnableCacheEncryption = rules.Register( if stage.RESTMethodSettings.CacheDataEncrypted.IsFalse() { results.Add( "Cache data is not encrypted.", - &stage, stage.RESTMethodSettings.CacheDataEncrypted, ) } else { diff --git a/rules/aws/apigateway/enable_tracing.go b/rules/aws/apigateway/enable_tracing.go index 7d5c71939..bd36d80c6 100755 --- a/rules/aws/apigateway/enable_tracing.go +++ b/rules/aws/apigateway/enable_tracing.go @@ -42,7 +42,6 @@ var CheckEnableTracing = rules.Register( if stage.XRayTracingEnabled.IsFalse() { results.Add( "X-Ray tracing is not enabled,", - &stage, stage.XRayTracingEnabled, ) } else { diff --git a/rules/aws/apigateway/no_public_access.go b/rules/aws/apigateway/no_public_access.go index 20da65c4a..547b992ea 100755 --- a/rules/aws/apigateway/no_public_access.go +++ b/rules/aws/apigateway/no_public_access.go @@ -42,7 +42,6 @@ var CheckNoPublicAccess = rules.Register( if method.AuthorizationType.EqualTo(apigateway.AuthorizationNone) { results.Add( "Authorization is not enabled for this method.", - &method, method.AuthorizationType, ) } else { diff --git a/rules/aws/apigateway/use_secure_tls_policy.go b/rules/aws/apigateway/use_secure_tls_policy.go index 46b755cd4..bfdc2df04 100755 --- a/rules/aws/apigateway/use_secure_tls_policy.go +++ b/rules/aws/apigateway/use_secure_tls_policy.go 
@@ -33,7 +33,6 @@ var CheckUseSecureTlsPolicy = rules.Register( if domain.SecurityPolicy.NotEqualTo("TLS_1_2") { results.Add( "Domain name is configured with an outdated TLS policy.", - &domain, domain.SecurityPolicy, ) } else { diff --git a/rules/aws/athena/enable_at_rest_encryption.go b/rules/aws/athena/enable_at_rest_encryption.go index 4c8c4448a..7b5069880 100755 --- a/rules/aws/athena/enable_at_rest_encryption.go +++ b/rules/aws/athena/enable_at_rest_encryption.go @@ -43,7 +43,6 @@ var CheckEnableAtRestEncryption = rules.Register( if workgroup.Encryption.Type.EqualTo(athena.EncryptionTypeNone) { results.Add( "Workgroup does not have encryption configured.", - &workgroup, workgroup.Encryption.Type, ) } else { @@ -57,7 +56,6 @@ var CheckEnableAtRestEncryption = rules.Register( if database.Encryption.Type.EqualTo(athena.EncryptionTypeNone) { results.Add( "Database does not have encryption configured.", - &database, database.Encryption.Type, ) } else { diff --git a/rules/aws/athena/no_encryption_override.go b/rules/aws/athena/no_encryption_override.go index 0eb1e5840..b0213fa76 100755 --- a/rules/aws/athena/no_encryption_override.go +++ b/rules/aws/athena/no_encryption_override.go @@ -42,7 +42,6 @@ var CheckNoEncryptionOverride = rules.Register( if workgroup.EnforceConfiguration.IsFalse() { results.Add( "The workgroup configuration is not enforced.", - &workgroup, workgroup.EnforceConfiguration, ) } diff --git a/rules/aws/autoscaling/enable_at_rest_encryption.go b/rules/aws/autoscaling/enable_at_rest_encryption.go index 4ca4f4c27..4497554db 100755 --- a/rules/aws/autoscaling/enable_at_rest_encryption.go +++ b/rules/aws/autoscaling/enable_at_rest_encryption.go @@ -39,7 +39,6 @@ var CheckEnableAtRestEncryption = rules.Register( if launchConfig.RootBlockDevice != nil && launchConfig.RootBlockDevice.Encrypted.IsFalse() { results.Add( "Root block device is not encrypted.", - &launchConfig, launchConfig.RootBlockDevice.Encrypted, ) } else { 
@@ -49,7 +48,6 @@ var CheckEnableAtRestEncryption = rules.Register( if device.Encrypted.IsFalse() { results.Add( "EBS block device is not encrypted.", - &device, device.Encrypted, ) } else { diff --git a/rules/aws/autoscaling/no_public_ip.go b/rules/aws/autoscaling/no_public_ip.go index f43b2d9e4..04e269479 100755 --- a/rules/aws/autoscaling/no_public_ip.go +++ b/rules/aws/autoscaling/no_public_ip.go @@ -39,7 +39,6 @@ var CheckNoPublicIp = rules.Register( if launchConfig.AssociatePublicIP.IsTrue() { results.Add( "Launch configuration associates public IP address.", - &launchConfig, launchConfig.AssociatePublicIP, ) } else { diff --git a/rules/aws/autoscaling/no_sensitive_info.go b/rules/aws/autoscaling/no_sensitive_info.go index 74629a864..7f781914c 100755 --- a/rules/aws/autoscaling/no_sensitive_info.go +++ b/rules/aws/autoscaling/no_sensitive_info.go @@ -35,7 +35,6 @@ var CheckNoSensitiveInfo = rules.Register( if result := scanner.Scan(launchConfig.UserData.Value()); result.TransgressionFound { results.Add( fmt.Sprintf("Sensitive data found in user data: %s", result.Description), - &launchConfig, launchConfig.UserData, ) } else { diff --git a/rules/aws/cloudfront/enable_logging.go b/rules/aws/cloudfront/enable_logging.go index e2e3b8e7d..9317dfc24 100755 --- a/rules/aws/cloudfront/enable_logging.go +++ b/rules/aws/cloudfront/enable_logging.go @@ -39,7 +39,6 @@ var CheckEnableLogging = rules.Register( if dist.Logging.Bucket.IsEmpty() { results.Add( "Distribution does not have logging enabled.", - &dist, dist.Logging.Bucket, ) } else { diff --git a/rules/aws/cloudfront/enable_waf.go b/rules/aws/cloudfront/enable_waf.go index 0c482f602..40930ba85 100755 --- a/rules/aws/cloudfront/enable_waf.go +++ b/rules/aws/cloudfront/enable_waf.go @@ -39,7 +39,6 @@ var CheckEnableWaf = rules.Register( if dist.WAFID.IsEmpty() { results.Add( "Distribution does not utilise a WAF.", - &dist, dist.WAFID, ) } else { 
diff --git a/rules/aws/cloudfront/enforce_https.go b/rules/aws/cloudfront/enforce_https.go index 677ab7a56..891dcb5c8 100755 --- a/rules/aws/cloudfront/enforce_https.go +++ b/rules/aws/cloudfront/enforce_https.go @@ -42,7 +42,6 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning if dist.DefaultCacheBehaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) { results.Add( "Distribution allows unencrypted communications.", - &dist, dist.DefaultCacheBehaviour.ViewerProtocolPolicy, ) } else { @@ -52,7 +51,6 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning if behaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) { results.Add( "Distribution allows unencrypted communications.", - &behaviour, behaviour.ViewerProtocolPolicy, ) } else { diff --git a/rules/aws/cloudfront/use_secure_tls_policy.go b/rules/aws/cloudfront/use_secure_tls_policy.go index d6eab345d..d67105099 100755 --- a/rules/aws/cloudfront/use_secure_tls_policy.go +++ b/rules/aws/cloudfront/use_secure_tls_policy.go @@ -40,7 +40,6 @@ var CheckUseSecureTlsPolicy = rules.Register( if dist.ViewerCertificate.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) { results.Add( "Distribution allows unencrypted communications.", - &dist, dist.ViewerCertificate.MinimumProtocolVersion, ) } else { diff --git a/rules/aws/cloudtrail/enable_all_regions.go b/rules/aws/cloudtrail/enable_all_regions.go index 7f1f2a8d8..afc6f0a74 100755 --- a/rules/aws/cloudtrail/enable_all_regions.go +++ b/rules/aws/cloudtrail/enable_all_regions.go @@ -39,7 +39,6 @@ var CheckEnableAllRegions = rules.Register( if trail.IsMultiRegion.IsFalse() { results.Add( "Trail is not enabled across all regions.", - &trail, trail.IsMultiRegion, ) } else { diff --git a/rules/aws/cloudtrail/enable_at_rest_encryption.go b/rules/aws/cloudtrail/enable_at_rest_encryption.go index b8773694f..7bb7a2341 100755 
--- a/rules/aws/cloudtrail/enable_at_rest_encryption.go +++ b/rules/aws/cloudtrail/enable_at_rest_encryption.go @@ -39,7 +39,6 @@ var CheckEnableAtRestEncryption = rules.Register( if trail.KMSKeyID.IsEmpty() { results.Add( "Trail is not encrypted.", - &trail, trail.KMSKeyID, ) } else { diff --git a/rules/aws/cloudtrail/enable_log_validation.go b/rules/aws/cloudtrail/enable_log_validation.go index 3221355a5..bdd4b0fdf 100755 --- a/rules/aws/cloudtrail/enable_log_validation.go +++ b/rules/aws/cloudtrail/enable_log_validation.go @@ -39,7 +39,6 @@ var CheckEnableLogValidation = rules.Register( if trail.EnableLogFileValidation.IsFalse() { results.Add( "Trail does not have log validation enabled.", - &trail, trail.EnableLogFileValidation, ) } else { diff --git a/rules/aws/cloudwatch/log_group_customer_key.go b/rules/aws/cloudwatch/log_group_customer_key.go index e68d5628c..9bf09314c 100755 --- a/rules/aws/cloudwatch/log_group_customer_key.go +++ b/rules/aws/cloudwatch/log_group_customer_key.go @@ -39,7 +39,6 @@ var CheckLogGroupCustomerKey = rules.Register( if group.KMSKeyID.IsEmpty() { results.Add( "Log group is not encrypted.", - &group, group.KMSKeyID, ) } else { diff --git a/rules/aws/codebuild/enable_encryption.go b/rules/aws/codebuild/enable_encryption.go index ac2d23a42..d8628c423 100755 --- a/rules/aws/codebuild/enable_encryption.go +++ b/rules/aws/codebuild/enable_encryption.go @@ -40,7 +40,6 @@ var CheckEnableEncryption = rules.Register( if project.ArtifactSettings.EncryptionEnabled.IsFalse() { results.Add( "Encryption is not enabled for project artifacts.", - &project, project.ArtifactSettings.EncryptionEnabled, ) } else { @@ -51,7 +50,6 @@ var CheckEnableEncryption = rules.Register( if setting.EncryptionEnabled.IsFalse() { results.Add( "Encryption is not enabled for secondary project artifacts.", - &setting, setting.EncryptionEnabled, ) } else { 
diff --git a/rules/aws/documentdb/enable_storage_encryption.go b/rules/aws/documentdb/enable_storage_encryption.go index a1d84fa56..95b640126 100755 --- a/rules/aws/documentdb/enable_storage_encryption.go +++ b/rules/aws/documentdb/enable_storage_encryption.go @@ -37,7 +37,6 @@ var CheckEnableStorageEncryption = rules.Register( if cluster.StorageEncrypted.IsFalse() { results.Add( "Cluster storage does not have encryption enabled.", - &cluster, cluster.StorageEncrypted, ) } else { diff --git a/rules/aws/documentdb/encryption_customer_key.go b/rules/aws/documentdb/encryption_customer_key.go index 77b514cff..b144d170a 100755 --- a/rules/aws/documentdb/encryption_customer_key.go +++ b/rules/aws/documentdb/encryption_customer_key.go @@ -37,7 +37,6 @@ var CheckEncryptionCustomerKey = rules.Register( if cluster.IsManaged() && cluster.KMSKeyID.IsEmpty() { results.Add( "Cluster encryption does not use a customer-managed KMS key.", - &cluster, cluster.KMSKeyID, ) } else { @@ -50,7 +49,6 @@ var CheckEncryptionCustomerKey = rules.Register( if instance.KMSKeyID.IsEmpty() { results.Add( "Instance encryption does not use a customer-managed KMS key.", - &instance, instance.KMSKeyID, ) } else { diff --git a/rules/aws/ecr/enable_image_scans.go b/rules/aws/ecr/enable_image_scans.go index 667c63b6d..7869919bf 100755 --- a/rules/aws/ecr/enable_image_scans.go +++ b/rules/aws/ecr/enable_image_scans.go @@ -39,7 +39,6 @@ var CheckEnableImageScans = rules.Register( if repo.ImageScanning.ScanOnPush.IsFalse() { results.Add( "Image scanning is not enabled.", - &repo, repo.ImageScanning.ScanOnPush, ) } else { diff --git a/rules/aws/ecr/enforce_immutable_repository.go b/rules/aws/ecr/enforce_immutable_repository.go index a64bf7d05..2282ff24c 100755 --- a/rules/aws/ecr/enforce_immutable_repository.go +++ b/rules/aws/ecr/enforce_immutable_repository.go 
@@ -41,7 +41,6 @@ This can be done by setting image_tab_mutability to IMMUTABLE if repo.ImageTagsImmutable.IsFalse() { results.Add( "Repository tags are mutable.", - &repo, repo.ImageTagsImmutable, ) } else { diff --git a/rules/aws/ecr/no_public_access.go b/rules/aws/ecr/no_public_access.go index 1168b4bfd..8b984f3c2 100755 --- a/rules/aws/ecr/no_public_access.go +++ b/rules/aws/ecr/no_public_access.go @@ -63,7 +63,6 @@ var CheckNoPublicAccess = rules.Register( foundIssue = true results.Add( "Policy provides public access to the ECR repository.", - &repo, policyDocument, ) } else { @@ -72,7 +71,6 @@ var CheckNoPublicAccess = rules.Register( foundIssue = true results.Add( "Policy provides public access to the ECR repository.", - &repo, policyDocument, ) } diff --git a/rules/aws/ecr/repository_customer_key.go b/rules/aws/ecr/repository_customer_key.go index 5097c6e02..aafc07e28 100755 --- a/rules/aws/ecr/repository_customer_key.go +++ b/rules/aws/ecr/repository_customer_key.go @@ -40,13 +40,11 @@ var CheckRepositoryCustomerKey = rules.Register( if repo.Encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS) { results.Add( "Repository is not encrypted using KMS.", - &repo, repo.Encryption.Type, ) } else if repo.Encryption.KMSKeyID.IsEmpty() { results.Add( "Repository encryption does not use a customer managed KMS key.", - &repo, repo.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/ecs/enable_container_insight.go b/rules/aws/ecs/enable_container_insight.go index 000a94173..35a706e98 100755 --- a/rules/aws/ecs/enable_container_insight.go +++ b/rules/aws/ecs/enable_container_insight.go @@ -39,7 +39,6 @@ var CheckEnableContainerInsight = rules.Register( if cluster.Settings.ContainerInsightsEnabled.IsFalse() { results.Add( "Cluster does not have container insights enabled.", - &cluster, cluster.Settings.ContainerInsightsEnabled, ) } else { 
diff --git a/rules/aws/ecs/enable_in_transit_encryption.go b/rules/aws/ecs/enable_in_transit_encryption.go index c04e65b8d..97cfc3941 100755 --- a/rules/aws/ecs/enable_in_transit_encryption.go +++ b/rules/aws/ecs/enable_in_transit_encryption.go @@ -41,7 +41,6 @@ var CheckEnableInTransitEncryption = rules.Register( if volume.EFSVolumeConfiguration.TransitEncryptionEnabled.IsFalse() { results.Add( "Task definition includes a volume which does not have in-transit-encryption enabled.", - &volume, volume.EFSVolumeConfiguration.TransitEncryptionEnabled, ) } else { diff --git a/rules/aws/ecs/no_plaintext_secrets.go b/rules/aws/ecs/no_plaintext_secrets.go index 7f7b5971c..9092773fd 100755 --- a/rules/aws/ecs/no_plaintext_secrets.go +++ b/rules/aws/ecs/no_plaintext_secrets.go @@ -53,7 +53,6 @@ var CheckNoPlaintextSecrets = rules.Register( if result := scanner.Scan(val); result.TransgressionFound || security.IsSensitiveAttribute(key) { results.Add( fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s': %s", key, result.Description), - &definition, definition.ContainerDefinitions, ) } else { diff --git a/rules/aws/efs/enable_at_rest_encryption.go b/rules/aws/efs/enable_at_rest_encryption.go index 05c46b98d..03b3d7250 100755 --- a/rules/aws/efs/enable_at_rest_encryption.go +++ b/rules/aws/efs/enable_at_rest_encryption.go @@ -39,7 +39,6 @@ var CheckEnableAtRestEncryption = rules.Register( if fs.Encrypted.IsFalse() { results.Add( "File system is not encrypted.", - &fs, fs.Encrypted, ) } else { diff --git a/rules/aws/eks/enable_control_plane_logging.go b/rules/aws/eks/enable_control_plane_logging.go index 4f429c078..bc0af2a87 100755 --- a/rules/aws/eks/enable_control_plane_logging.go +++ b/rules/aws/eks/enable_control_plane_logging.go @@ -33,7 +33,6 @@ var CheckEnableControlPlaneLogging = rules.Register( if cluster.Logging.API.IsFalse() { results.Add( "Control plane API logging is not enabled.", - &cluster, cluster.Logging.API, ) } else { 
@@ -43,7 +42,6 @@ var CheckEnableControlPlaneLogging = rules.Register( if cluster.Logging.Audit.IsFalse() { results.Add( "Control plane audit logging is not enabled.", - &cluster, cluster.Logging.Audit, ) } else { @@ -53,7 +51,6 @@ var CheckEnableControlPlaneLogging = rules.Register( if cluster.Logging.Authenticator.IsFalse() { results.Add( "Control plane authenticator logging is not enabled.", - &cluster, cluster.Logging.Authenticator, ) } else { @@ -63,7 +60,6 @@ var CheckEnableControlPlaneLogging = rules.Register( if cluster.Logging.ControllerManager.IsFalse() { results.Add( "Control plane controller manager logging is not enabled.", - &cluster, cluster.Logging.ControllerManager, ) } else { @@ -73,7 +69,6 @@ var CheckEnableControlPlaneLogging = rules.Register( if cluster.Logging.Scheduler.IsFalse() { results.Add( "Control plane scheduler logging is not enabled.", - &cluster, cluster.Logging.Scheduler, ) } else { diff --git a/rules/aws/eks/encrypt_secrets.go b/rules/aws/eks/encrypt_secrets.go index f399bceb1..8d146c331 100755 --- a/rules/aws/eks/encrypt_secrets.go +++ b/rules/aws/eks/encrypt_secrets.go @@ -39,13 +39,11 @@ var CheckEncryptSecrets = rules.Register( if cluster.Encryption.Secrets.IsFalse() { results.Add( "Cluster does not have secret encryption enabled.", - &cluster, cluster.Encryption.Secrets, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster encryption requires a KMS key ID, which is missing", - &cluster, cluster.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/eks/no_public_cluster_access.go b/rules/aws/eks/no_public_cluster_access.go index e46832859..b7b4fdd19 100755 --- a/rules/aws/eks/no_public_cluster_access.go +++ b/rules/aws/eks/no_public_cluster_access.go @@ -33,7 +33,6 @@ var CheckNoPublicClusterAccess = rules.Register( if cluster.PublicAccessEnabled.IsTrue() { results.Add( "Public cluster access is enabled.", - &cluster, cluster.PublicAccessEnabled, ) } else { 
diff --git a/rules/aws/elasticache/add_description_for_security_group.go b/rules/aws/elasticache/add_description_for_security_group.go index 55752313d..dd4be16e5 100755 --- a/rules/aws/elasticache/add_description_for_security_group.go +++ b/rules/aws/elasticache/add_description_for_security_group.go @@ -41,7 +41,6 @@ Simplifies auditing, debugging, and managing security groups.`, if sg.Description.IsEmpty() { results.Add( "Security group does not have a description.", - &sg, sg.Description, ) } else { diff --git a/rules/aws/elasticache/enable_at_rest_encryption.go b/rules/aws/elasticache/enable_at_rest_encryption.go index f05c4110b..52751a01b 100755 --- a/rules/aws/elasticache/enable_at_rest_encryption.go +++ b/rules/aws/elasticache/enable_at_rest_encryption.go @@ -33,7 +33,6 @@ var CheckEnableAtRestEncryption = rules.Register( if group.AtRestEncryptionEnabled.IsFalse() { results.Add( "Replication group does not have at-rest encryption enabled.", - &group, group.AtRestEncryptionEnabled, ) } else { diff --git a/rules/aws/elasticache/enable_backup_retention.go b/rules/aws/elasticache/enable_backup_retention.go index 58e5322f0..06177bb61 100755 --- a/rules/aws/elasticache/enable_backup_retention.go +++ b/rules/aws/elasticache/enable_backup_retention.go @@ -47,7 +47,6 @@ var CheckEnableBackupRetention = rules.Register( if cluster.SnapshotRetentionLimit.EqualTo(0) { results.Add( "Cluster snapshot retention is not enabled.", - &cluster, cluster.SnapshotRetentionLimit, ) } else { diff --git a/rules/aws/elasticache/enable_in_transit_encryption.go b/rules/aws/elasticache/enable_in_transit_encryption.go index 091f4b377..621b9f453 100755 --- a/rules/aws/elasticache/enable_in_transit_encryption.go +++ b/rules/aws/elasticache/enable_in_transit_encryption.go 
@@ -39,7 +39,6 @@ var CheckEnableInTransitEncryption = rules.Register( if group.TransitEncryptionEnabled.IsFalse() { results.Add( "Replication group does not have transit encryption enabled.", - &group, group.TransitEncryptionEnabled, ) } else { diff --git a/rules/aws/elasticsearch/enable_domain_encryption.go b/rules/aws/elasticsearch/enable_domain_encryption.go index d2d04bc34..032a3b821 100755 --- a/rules/aws/elasticsearch/enable_domain_encryption.go +++ b/rules/aws/elasticsearch/enable_domain_encryption.go @@ -39,7 +39,6 @@ var CheckEnableDomainEncryption = rules.Register( if domain.AtRestEncryption.Enabled.IsFalse() { results.Add( "Domain does not have at-rest encryption enabled.", - &domain, domain.AtRestEncryption.Enabled, ) } else { diff --git a/rules/aws/elasticsearch/enable_domain_logging.go b/rules/aws/elasticsearch/enable_domain_logging.go index fdcd18586..266fb0735 100755 --- a/rules/aws/elasticsearch/enable_domain_logging.go +++ b/rules/aws/elasticsearch/enable_domain_logging.go @@ -45,7 +45,6 @@ All the logs are disabled by default.`, if domain.LogPublishing.AuditEnabled.IsFalse() { results.Add( "Domain audit logging is not enabled.", - &domain, domain.LogPublishing.AuditEnabled, ) } else { diff --git a/rules/aws/elasticsearch/enable_in_transit_encryption.go b/rules/aws/elasticsearch/enable_in_transit_encryption.go index e0bc35d3a..998fdbd78 100755 --- a/rules/aws/elasticsearch/enable_in_transit_encryption.go +++ b/rules/aws/elasticsearch/enable_in_transit_encryption.go @@ -39,7 +39,6 @@ var CheckEnableInTransitEncryption = rules.Register( if domain.TransitEncryption.Enabled.IsFalse() { results.Add( "Domain does not have in-transit encryption enabled.", - &domain, domain.TransitEncryption.Enabled, ) } else { diff --git a/rules/aws/elasticsearch/enforce_https.go b/rules/aws/elasticsearch/enforce_https.go index dc7bfd03c..831898c72 100755 --- a/rules/aws/elasticsearch/enforce_https.go +++ b/rules/aws/elasticsearch/enforce_https.go 
@@ -41,7 +41,6 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning if domain.Endpoint.EnforceHTTPS.IsFalse() { results.Add( "Domain does not enforce HTTPS.", - &domain, domain.Endpoint.EnforceHTTPS, ) } else { diff --git a/rules/aws/elasticsearch/use_secure_tls_policy.go b/rules/aws/elasticsearch/use_secure_tls_policy.go index b7344a279..218cfe64f 100755 --- a/rules/aws/elasticsearch/use_secure_tls_policy.go +++ b/rules/aws/elasticsearch/use_secure_tls_policy.go @@ -39,7 +39,6 @@ var CheckUseSecureTlsPolicy = rules.Register( if domain.Endpoint.TLSPolicy.NotEqualTo("Policy-Min-TLS-1-2-2019-07") { results.Add( "Domain does not have a secure TLS policy.", - &domain, domain.Endpoint.TLSPolicy, ) } else { diff --git a/rules/aws/elb/alb_not_public.go b/rules/aws/elb/alb_not_public.go index f9295c80d..f434f2354 100755 --- a/rules/aws/elb/alb_not_public.go +++ b/rules/aws/elb/alb_not_public.go @@ -35,7 +35,6 @@ var CheckAlbNotPublic = rules.Register( if lb.Internal.IsFalse() { results.Add( "Load balancer is exposed publicly.", - &lb, lb.Internal, ) } else { diff --git a/rules/aws/elb/drop_invalid_headers.go b/rules/aws/elb/drop_invalid_headers.go index 6898fc76e..5a6350c49 100755 --- a/rules/aws/elb/drop_invalid_headers.go +++ b/rules/aws/elb/drop_invalid_headers.go @@ -39,7 +39,6 @@ By setting drop_invalid_header_fields to true, anything that doe not conform to if lb.DropInvalidHeaderFields.IsFalse() { results.Add( "Application load balancer is not set to drop invalid headers.", - &lb, lb.DropInvalidHeaderFields, ) } else { diff --git a/rules/aws/elb/http_not_used.go b/rules/aws/elb/http_not_used.go index 187c2036a..4d4560487 100755 --- a/rules/aws/elb/http_not_used.go +++ b/rules/aws/elb/http_not_used.go @@ -49,7 +49,6 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning results.Add( "Listener for application load balancer does not use HTTPS.", - &listener, listener.Protocol, ) } 
diff --git a/rules/aws/elb/use_secure_tls_policy.go b/rules/aws/elb/use_secure_tls_policy.go index e16edcc2c..694ddebb9 100755 --- a/rules/aws/elb/use_secure_tls_policy.go +++ b/rules/aws/elb/use_secure_tls_policy.go @@ -40,7 +40,6 @@ var CheckUseSecureTlsPolicy = rules.Register( if listener.TLSPolicy.EqualTo(outdated) { results.Add( "Listener uses an outdated TLS policy.", - &listener, listener.TLSPolicy, ) } else { diff --git a/rules/aws/iam/no_password_reuse.go b/rules/aws/iam/no_password_reuse.go index 4143081ac..7c5dbbb6f 100755 --- a/rules/aws/iam/no_password_reuse.go +++ b/rules/aws/iam/no_password_reuse.go @@ -40,7 +40,6 @@ The account password policy should be set to prevent using any of the last five if policy.ReusePreventionCount.LessThan(5) { results.Add( "Password policy allows reuse of recent passwords.", - &policy, policy.ReusePreventionCount, ) } else { diff --git a/rules/aws/iam/require_lowercase_in_passwords.go b/rules/aws/iam/require_lowercase_in_passwords.go index 2f8c0a8ec..a93f5215b 100755 --- a/rules/aws/iam/require_lowercase_in_passwords.go +++ b/rules/aws/iam/require_lowercase_in_passwords.go @@ -37,7 +37,6 @@ var CheckRequireLowercaseInPasswords = rules.Register( if policy.RequireLowercase.IsFalse() { results.Add( "Password policy does not require lowercase characters.", - &policy, policy.RequireLowercase, ) } else { diff --git a/rules/aws/iam/require_numbers_in_passwords.go b/rules/aws/iam/require_numbers_in_passwords.go index 51f5d53a6..2465ef0f7 100755 --- a/rules/aws/iam/require_numbers_in_passwords.go +++ b/rules/aws/iam/require_numbers_in_passwords.go @@ -37,7 +37,6 @@ var CheckRequireNumbersInPasswords = rules.Register( if policy.RequireNumbers.IsFalse() { results.Add( "Password policy does not require numbers.", - &policy, policy.RequireNumbers, ) } else { diff --git a/rules/aws/iam/require_symbols_in_passwords.go b/rules/aws/iam/require_symbols_in_passwords.go index b00b7301b..88020899d 100755 
--- a/rules/aws/iam/require_symbols_in_passwords.go +++ b/rules/aws/iam/require_symbols_in_passwords.go @@ -37,7 +37,6 @@ var CheckRequireSymbolsInPasswords = rules.Register( if policy.RequireSymbols.IsFalse() { results.Add( "Password policy does not require symbols.", - &policy, policy.RequireSymbols, ) } else { diff --git a/rules/aws/iam/require_uppercase_in_passwords.go b/rules/aws/iam/require_uppercase_in_passwords.go index ea5203f92..49910cdbf 100755 --- a/rules/aws/iam/require_uppercase_in_passwords.go +++ b/rules/aws/iam/require_uppercase_in_passwords.go @@ -38,7 +38,6 @@ IAM account password policies should ensure that passwords content including at if policy.RequireUppercase.IsFalse() { results.Add( "Password policy does not require uppercase characters.", - &policy, policy.RequireUppercase, ) } else { diff --git a/rules/aws/iam/set_max_password_age.go b/rules/aws/iam/set_max_password_age.go index f63037856..065f8dd84 100755 --- a/rules/aws/iam/set_max_password_age.go +++ b/rules/aws/iam/set_max_password_age.go @@ -39,7 +39,6 @@ The account password policy should be set to expire passwords after 90 days or l if policy.MaxAgeDays.GreaterThan(90) { results.Add( "Password policy allows a maximum password age of greater than 90 days.", - &policy, policy.MaxAgeDays, ) } else { diff --git a/rules/aws/iam/set_minimum_password_length.go b/rules/aws/iam/set_minimum_password_length.go index 8d5ae645b..bf4b4d76c 100755 --- a/rules/aws/iam/set_minimum_password_length.go +++ b/rules/aws/iam/set_minimum_password_length.go @@ -39,7 +39,6 @@ The account password policy should be set to enforce minimum password length of if policy.MinimumLength.LessThan(14) { results.Add( "Password policy has a minimum password length of less than 14 characters.", - &policy, policy.MinimumLength, ) } else { diff --git a/rules/aws/kinesis/enable_in_transit_encryption.go b/rules/aws/kinesis/enable_in_transit_encryption.go index 246c0abbe..bd7416770 100755 
--- a/rules/aws/kinesis/enable_in_transit_encryption.go +++ b/rules/aws/kinesis/enable_in_transit_encryption.go @@ -40,13 +40,11 @@ var CheckEnableInTransitEncryption = rules.Register( if stream.Encryption.Type.NotEqualTo(kinesis.EncryptionTypeKMS) { results.Add( "Stream does not use KMS encryption.", - &stream, stream.Encryption.Type, ) } else if stream.Encryption.KMSKeyID.IsEmpty() { results.Add( "Stream does not use a custom-managed KMS key.", - &stream, stream.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/kms/auto_rotate_keys.go b/rules/aws/kms/auto_rotate_keys.go index be321b1e9..6a848ea18 100755 --- a/rules/aws/kms/auto_rotate_keys.go +++ b/rules/aws/kms/auto_rotate_keys.go @@ -37,7 +37,6 @@ var CheckAutoRotateKeys = rules.Register( if key.RotationEnabled.IsFalse() { results.Add( "Key does not have rotation enabled.", - &key, key.RotationEnabled, ) } else { diff --git a/rules/aws/lambda/enable_tracing.go b/rules/aws/lambda/enable_tracing.go index e0dc88f7c..6305856f8 100755 --- a/rules/aws/lambda/enable_tracing.go +++ b/rules/aws/lambda/enable_tracing.go @@ -43,7 +43,6 @@ var CheckEnableTracing = rules.Register( if function.Tracing.Mode.NotEqualTo(lambda.TracingModeActive) && function.Tracing.Mode.NotEqualTo(lambda.TracingModePassThrough) { results.Add( "Function does not have tracing enabled.", - &function, function.Tracing.Mode, ) } else { diff --git a/rules/aws/lambda/restrict_source_arn.go b/rules/aws/lambda/restrict_source_arn.go index 678e3cdb9..b6208c369 100755 --- a/rules/aws/lambda/restrict_source_arn.go +++ b/rules/aws/lambda/restrict_source_arn.go @@ -47,7 +47,6 @@ For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this sho if permission.SourceARN.IsEmpty() { results.Add( "Lambda permission lacks source ARN for *.amazonaws.com principal.", - &function, permission.SourceARN, ) } else { diff --git a/rules/aws/mq/enable_audit_logging.go b/rules/aws/mq/enable_audit_logging.go index f695ed655..32ef5d271 100755 
--- a/rules/aws/mq/enable_audit_logging.go +++ b/rules/aws/mq/enable_audit_logging.go @@ -39,7 +39,6 @@ var CheckEnableAuditLogging = rules.Register( if broker.Logging.Audit.IsFalse() { results.Add( "Broker does not have audit logging enabled.", - &broker, broker.Logging.Audit, ) } else { diff --git a/rules/aws/mq/enable_general_logging.go b/rules/aws/mq/enable_general_logging.go index 9df7df1d2..226325f8b 100755 --- a/rules/aws/mq/enable_general_logging.go +++ b/rules/aws/mq/enable_general_logging.go @@ -39,7 +39,6 @@ var CheckEnableGeneralLogging = rules.Register( if broker.Logging.General.IsFalse() { results.Add( "Broker does not have general logging enabled.", - &broker, broker.Logging.General, ) } else { diff --git a/rules/aws/mq/no_public_access.go b/rules/aws/mq/no_public_access.go index 43cc3dddb..d8b3a8320 100755 --- a/rules/aws/mq/no_public_access.go +++ b/rules/aws/mq/no_public_access.go @@ -39,7 +39,6 @@ var CheckNoPublicAccess = rules.Register( if broker.PublicAccess.IsTrue() { results.Add( "Broker has public access enabled.", - &broker, broker.PublicAccess, ) } else { diff --git a/rules/aws/msk/enable_in_transit_encryption.go b/rules/aws/msk/enable_in_transit_encryption.go index 988e6e84e..f015f852a 100755 --- a/rules/aws/msk/enable_in_transit_encryption.go +++ b/rules/aws/msk/enable_in_transit_encryption.go @@ -40,13 +40,11 @@ var CheckEnableInTransitEncryption = rules.Register( if cluster.EncryptionInTransit.ClientBroker.EqualTo(msk.ClientBrokerEncryptionPlaintext) { results.Add( "Cluster allows plaintext communication.", - &cluster, cluster.EncryptionInTransit.ClientBroker, ) } else if cluster.EncryptionInTransit.ClientBroker.EqualTo(msk.ClientBrokerEncryptionTLSOrPlaintext) { results.Add( "Cluster allows plaintext communication.", - &cluster, cluster.EncryptionInTransit.ClientBroker, ) } else { diff --git a/rules/aws/msk/enable_logging.go b/rules/aws/msk/enable_logging.go index 97f6ec021..fc227c7b7 100755 --- a/rules/aws/msk/enable_logging.go 
+++ b/rules/aws/msk/enable_logging.go @@ -55,7 +55,6 @@ var CheckEnableLogging = rules.Register( results.Add( "Cluster does not ship logs to any service.", - &cluster, brokerLogging.Cloudwatch.Enabled, ) } diff --git a/rules/aws/neptune/enable_log_export.go b/rules/aws/neptune/enable_log_export.go index 1f84d1181..2d13f05b6 100755 --- a/rules/aws/neptune/enable_log_export.go +++ b/rules/aws/neptune/enable_log_export.go @@ -39,7 +39,6 @@ var CheckEnableLogExport = rules.Register( if cluster.Logging.Audit.IsFalse() { results.Add( "Cluster does not have audit logging enabled.", - &cluster, cluster.Logging.Audit, ) } else { diff --git a/rules/aws/neptune/enable_storage_encryption.go b/rules/aws/neptune/enable_storage_encryption.go index 23595a25e..69459d87e 100755 --- a/rules/aws/neptune/enable_storage_encryption.go +++ b/rules/aws/neptune/enable_storage_encryption.go @@ -39,7 +39,6 @@ var CheckEnableStorageEncryption = rules.Register( if cluster.StorageEncrypted.IsFalse() { results.Add( "Cluster does not have storage encryption enabled.", - &cluster, cluster.StorageEncrypted, ) } else { diff --git a/rules/aws/neptune/encryption_customer_key.go b/rules/aws/neptune/encryption_customer_key.go index d8dcad5ac..db0737d1d 100755 --- a/rules/aws/neptune/encryption_customer_key.go +++ b/rules/aws/neptune/encryption_customer_key.go @@ -39,7 +39,6 @@ var CheckEncryptionCustomerKey = rules.Register( if cluster.KMSKeyID.IsEmpty() { results.Add( "Cluster does not encrypt data with a customer managed key.", - &cluster, cluster.KMSKeyID, ) } else { diff --git a/rules/aws/rds/enable_performance_insights.go b/rules/aws/rds/enable_performance_insights.go index e576e9c4e..6c5af2462 100755 --- a/rules/aws/rds/enable_performance_insights.go +++ b/rules/aws/rds/enable_performance_insights.go 
@@ -45,13 +45,11 @@ The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "` if instance.PerformanceInsights.Enabled.IsFalse() { results.Add( "Instance does not have performance insights enabled.", - &instance, instance.PerformanceInsights.Enabled, ) } else if instance.PerformanceInsights.KMSKeyID.IsEmpty() { results.Add( "Instance has performance insights enabled without encryption.", - &instance, instance.PerformanceInsights.KMSKeyID, ) } else { @@ -66,13 +64,11 @@ The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "` if instance.PerformanceInsights.Enabled.IsFalse() { results.Add( "Instance does not have performance insights enabled.", - &instance, instance.PerformanceInsights.Enabled, ) } else if instance.PerformanceInsights.KMSKeyID.IsEmpty() { results.Add( "Instance has performance insights enabled without encryption.", - &instance, instance.PerformanceInsights.KMSKeyID, ) } else { diff --git a/rules/aws/rds/encrypt_cluster_storage_data.go b/rules/aws/rds/encrypt_cluster_storage_data.go index 8c89b5b3e..5cc335d1a 100755 --- a/rules/aws/rds/encrypt_cluster_storage_data.go +++ b/rules/aws/rds/encrypt_cluster_storage_data.go @@ -44,13 +44,11 @@ When enabling encryption by setting the kms_key_id, the storage_encrypted must a if cluster.Encryption.EncryptStorage.IsFalse() { results.Add( "Cluster does not have storage encryption enabled.", - &cluster, cluster.Encryption.EncryptStorage, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster does not specify a customer managed key for storage encryption.", - &cluster, cluster.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/rds/encrypt_instance_storage_data.go b/rules/aws/rds/encrypt_instance_storage_data.go index 3bfb50509..51d766f8a 100755 --- a/rules/aws/rds/encrypt_instance_storage_data.go +++ b/rules/aws/rds/encrypt_instance_storage_data.go 
@@ -44,7 +44,6 @@ When enabling encryption by setting the kms_key_id.`, if instance.Encryption.EncryptStorage.IsFalse() { results.Add( "Instance does not have storage encryption enabled.", - &instance, instance.Encryption.EncryptStorage, ) } else { diff --git a/rules/aws/rds/no_public_db_access.go b/rules/aws/rds/no_public_db_access.go index 6696a81f6..d9b7e232e 100755 --- a/rules/aws/rds/no_public_db_access.go +++ b/rules/aws/rds/no_public_db_access.go @@ -40,7 +40,6 @@ var CheckNoPublicDbAccess = rules.Register( if instance.PublicAccess.IsTrue() { results.Add( "Cluster instance is exposed publicly.", - &instance, instance.PublicAccess, ) } else { @@ -52,7 +51,6 @@ var CheckNoPublicDbAccess = rules.Register( if instance.PublicAccess.IsTrue() { results.Add( "Instance is exposed publicly.", - &instance, instance.PublicAccess, ) } else { diff --git a/rules/aws/rds/specify_backup_retention.go b/rules/aws/rds/specify_backup_retention.go index fc1e23d6f..79603282e 100755 --- a/rules/aws/rds/specify_backup_retention.go +++ b/rules/aws/rds/specify_backup_retention.go @@ -46,7 +46,6 @@ var CheckBackupRetentionSpecified = rules.Register( if cluster.BackupRetentionPeriodDays.LessThan(2) { results.Add( "Cluster has very low backup retention period.", - &cluster, cluster.BackupRetentionPeriodDays, ) } else { @@ -63,7 +62,6 @@ var CheckBackupRetentionSpecified = rules.Register( if instance.BackupRetentionPeriodDays.LessThan(2) { results.Add( "Instance has very low backup retention period.", - &instance, instance.BackupRetentionPeriodDays, ) } else { diff --git a/rules/aws/redshift/add_description_to_security_group.go b/rules/aws/redshift/add_description_to_security_group.go index 4bf7cfc8f..5789acd63 100755 --- a/rules/aws/redshift/add_description_to_security_group.go +++ b/rules/aws/redshift/add_description_to_security_group.go 
@@ -35,7 +35,6 @@ Simplifies auditing, debugging, and managing security groups.`, if group.Description.IsEmpty() { results.Add( "Security group has no description.", - &group, group.Description, ) } else { diff --git a/rules/aws/redshift/encryption_customer_key.go b/rules/aws/redshift/encryption_customer_key.go index 1b083a7cc..684a3a09d 100755 --- a/rules/aws/redshift/encryption_customer_key.go +++ b/rules/aws/redshift/encryption_customer_key.go @@ -39,13 +39,11 @@ var CheckEncryptionCustomerKey = rules.Register( if cluster.Encryption.Enabled.IsFalse() { results.Add( "Cluster does not have encryption enabled.", - &cluster, cluster.Encryption.Enabled, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster does not use a customer managed encryption key.", - &cluster, cluster.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/redshift/use_vpc.go b/rules/aws/redshift/use_vpc.go index 53bd8c6c9..769b8a325 100755 --- a/rules/aws/redshift/use_vpc.go +++ b/rules/aws/redshift/use_vpc.go @@ -41,7 +41,6 @@ In order to benefit from the additional security features achieved with using an if cluster.SubnetGroupName.IsEmpty() { results.Add( "Cluster is deployed outside of a VPC.", - &cluster, cluster.SubnetGroupName, ) } else { diff --git a/rules/aws/s3/block_public_acls.go b/rules/aws/s3/block_public_acls.go index 7ca55d062..ff603ac79 100755 --- a/rules/aws/s3/block_public_acls.go +++ b/rules/aws/s3/block_public_acls.go @@ -43,7 +43,6 @@ S3 buckets should block public ACLs on buckets and any objects they contain. By } else if bucket.PublicAccessBlock.BlockPublicACLs.IsFalse() { results.Add( "Public access block does not block public ACLs", - &bucket, bucket.PublicAccessBlock.BlockPublicACLs, ) } else { diff --git a/rules/aws/s3/block_public_policy.go b/rules/aws/s3/block_public_policy.go index 5ab93a68a..7eca12a04 100755 --- a/rules/aws/s3/block_public_policy.go +++ b/rules/aws/s3/block_public_policy.go 
@@ -44,7 +44,6 @@ S3 bucket policy should have block public policy to prevent users from putting a } else if bucket.PublicAccessBlock.BlockPublicPolicy.IsFalse() { results.Add( "Public access block does not block public policies", - &bucket, bucket.PublicAccessBlock.BlockPublicPolicy, ) } else { diff --git a/rules/aws/s3/enable_bucket_encryption.go b/rules/aws/s3/enable_bucket_encryption.go index fc5b99f66..4c1b23d4a 100755 --- a/rules/aws/s3/enable_bucket_encryption.go +++ b/rules/aws/s3/enable_bucket_encryption.go @@ -42,7 +42,6 @@ S3 Buckets should be encrypted with customer managed KMS keys and not default AW if bucket.Encryption.Enabled.IsFalse() { results.Add( "Bucket does not have encryption enabled", - &bucket, bucket.Encryption.Enabled, ) } else { diff --git a/rules/aws/s3/enable_bucket_logging.go b/rules/aws/s3/enable_bucket_logging.go index 193e9b49c..41ae8b02b 100755 --- a/rules/aws/s3/enable_bucket_logging.go +++ b/rules/aws/s3/enable_bucket_logging.go @@ -39,7 +39,6 @@ var CheckLoggingIsEnabled = rules.Register( if !bucket.Logging.Enabled.IsTrue() && bucket.ACL.NotEqualTo("log-delivery-write") { results.Add( "Bucket does not have logging enabled", - &bucket, bucket.Logging.Enabled, ) } else { diff --git a/rules/aws/s3/enable_versioning.go b/rules/aws/s3/enable_versioning.go index 051d22512..3597d4ed3 100755 --- a/rules/aws/s3/enable_versioning.go +++ b/rules/aws/s3/enable_versioning.go @@ -43,7 +43,6 @@ With versioning you can recover more easily from both unintended user actions an if !bucket.Versioning.Enabled.IsTrue() { results.Add( "Bucket does not have versioning enabled", - &bucket, bucket.Versioning.Enabled, ) } else { diff --git a/rules/aws/s3/ignore_public_acls.go b/rules/aws/s3/ignore_public_acls.go index be577974e..8bc5e236a 100755 --- a/rules/aws/s3/ignore_public_acls.go +++ b/rules/aws/s3/ignore_public_acls.go 
@@ -43,7 +43,6 @@ S3 buckets should ignore public ACLs on buckets and any objects they contain. By } else if bucket.PublicAccessBlock.IgnorePublicACLs.IsFalse() { results.Add( "Public access block does not ignore public ACLs", - &bucket, bucket.PublicAccessBlock.IgnorePublicACLs, ) } else { diff --git a/rules/aws/s3/no_public_access_with_acl.go b/rules/aws/s3/no_public_access_with_acl.go index 1d5513714..37d76d4e3 100755 --- a/rules/aws/s3/no_public_access_with_acl.go +++ b/rules/aws/s3/no_public_access_with_acl.go @@ -45,13 +45,11 @@ Buckets should have logging enabled so that access can be audited. if bucket.ACL.EqualTo("authenticated-read") { results.Add( "Bucket is exposed to all AWS accounts via ACL.", - &bucket, bucket.ACL, ) } else { results.Add( fmt.Sprintf("Bucket has a public ACL: '%s'.", bucket.ACL.Value()), - &bucket, bucket.ACL, ) } diff --git a/rules/aws/s3/no_public_buckets.go b/rules/aws/s3/no_public_buckets.go index fbd6e3cf0..d2a21cc64 100755 --- a/rules/aws/s3/no_public_buckets.go +++ b/rules/aws/s3/no_public_buckets.go @@ -41,7 +41,6 @@ var CheckPublicBucketsAreRestricted = rules.Register( } else if bucket.PublicAccessBlock.RestrictPublicBuckets.IsFalse() { results.Add( "Public access block does not restrict public buckets", - &bucket, bucket.PublicAccessBlock.RestrictPublicBuckets, ) } else { diff --git a/rules/aws/sam/api_use_secure_tls_policy.go b/rules/aws/sam/api_use_secure_tls_policy.go index 66b00ae5f..7b4d64bc5 100755 --- a/rules/aws/sam/api_use_secure_tls_policy.go +++ b/rules/aws/sam/api_use_secure_tls_policy.go @@ -33,7 +33,6 @@ var CheckApiUseSecureTlsPolicy = rules.Register( if api.DomainConfiguration.SecurityPolicy.NotEqualTo("TLS_1_2") { results.Add( "Domain name is configured with an outdated TLS policy.", - &api, api.DomainConfiguration.SecurityPolicy, ) } else { diff --git a/rules/aws/sam/enable_api_access_logging.go b/rules/aws/sam/enable_api_access_logging.go index ede5cbe4d..52a713b2d 100755 
--- a/rules/aws/sam/enable_api_access_logging.go +++ b/rules/aws/sam/enable_api_access_logging.go @@ -37,7 +37,6 @@ var CheckEnableApiAccessLogging = rules.Register( if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { results.Add( "Access logging is not configured.", - &api, api.AccessLogging.CloudwatchLogGroupARN, ) } else { diff --git a/rules/aws/sam/enable_api_cache_encryption.go b/rules/aws/sam/enable_api_cache_encryption.go index 13e19df6e..e1368ab2c 100755 --- a/rules/aws/sam/enable_api_cache_encryption.go +++ b/rules/aws/sam/enable_api_cache_encryption.go @@ -37,7 +37,6 @@ var CheckEnableApiCacheEncryption = rules.Register( if api.RESTMethodSettings.CacheDataEncrypted.IsFalse() { results.Add( "Cache data is not encrypted.", - &api, api.RESTMethodSettings.CacheDataEncrypted, ) } else { diff --git a/rules/aws/sam/enable_api_tracing.go b/rules/aws/sam/enable_api_tracing.go index 67a0ac012..e44ea7d56 100755 --- a/rules/aws/sam/enable_api_tracing.go +++ b/rules/aws/sam/enable_api_tracing.go @@ -37,7 +37,6 @@ var CheckEnableApiTracing = rules.Register( if api.TracingEnabled.IsFalse() { results.Add( "X-Ray tracing is not enabled,", - &api, api.TracingEnabled, ) } else { diff --git a/rules/aws/sam/enable_function_tracing.go b/rules/aws/sam/enable_function_tracing.go index 8c427f61f..b89398372 100755 --- a/rules/aws/sam/enable_function_tracing.go +++ b/rules/aws/sam/enable_function_tracing.go @@ -38,7 +38,6 @@ var CheckEnableFunctionTracing = rules.Register( if function.Tracing.NotEqualTo(sam.TracingModeActive) { results.Add( "X-Ray tracing is not enabled,", - &function, function.Tracing, ) } else { diff --git a/rules/aws/sam/enable_http_api_access_logging.go b/rules/aws/sam/enable_http_api_access_logging.go index 7aaa5e327..8115f3605 100755 --- a/rules/aws/sam/enable_http_api_access_logging.go +++ b/rules/aws/sam/enable_http_api_access_logging.go 
@@ -37,7 +37,6 @@ var CheckEnableHttpApiAccessLogging = rules.Register( if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { results.Add( "Access logging is not configured.", - &api, api.AccessLogging.CloudwatchLogGroupARN, ) } else { diff --git a/rules/aws/sam/enable_state_machine_logging.go b/rules/aws/sam/enable_state_machine_logging.go index d9106857c..3f9b4e74b 100644 --- a/rules/aws/sam/enable_state_machine_logging.go +++ b/rules/aws/sam/enable_state_machine_logging.go @@ -31,7 +31,6 @@ var CheckEnableStateMachineLogging = rules.Register( if stateMachine.LoggingConfiguration.LoggingEnabled.IsFalse() { results.Add( "Logging is not enabled,", - &stateMachine, stateMachine.LoggingConfiguration.LoggingEnabled, ) } else { diff --git a/rules/aws/sam/enable_state_machine_tracing.go b/rules/aws/sam/enable_state_machine_tracing.go index 2c78a839a..22ef2160e 100755 --- a/rules/aws/sam/enable_state_machine_tracing.go +++ b/rules/aws/sam/enable_state_machine_tracing.go @@ -37,7 +37,6 @@ var CheckEnableStateMachineTracing = rules.Register( if stateMachine.Tracing.Enabled.IsFalse() { results.Add( "X-Ray tracing is not enabled,", - &stateMachine, stateMachine.Tracing.Enabled, ) } else { diff --git a/rules/aws/sam/enable_table_encryption.go b/rules/aws/sam/enable_table_encryption.go index 97b34d9b4..d6e54793f 100755 --- a/rules/aws/sam/enable_table_encryption.go +++ b/rules/aws/sam/enable_table_encryption.go @@ -33,7 +33,6 @@ var CheckEnableTableEncryption = rules.Register( if table.SSESpecification.Enabled.IsFalse() { results.Add( "Domain name is configured with an outdated TLS policy.", - &table, table.SSESpecification.Enabled, ) } else { diff --git a/rules/aws/sns/enable_topic_encryption.go b/rules/aws/sns/enable_topic_encryption.go index 292cb866d..3f0e44c12 100755 --- a/rules/aws/sns/enable_topic_encryption.go +++ b/rules/aws/sns/enable_topic_encryption.go 
@@ -44,7 +44,6 @@ var CheckEnableTopicEncryption = rules.Register( } else if topic.Encryption.KMSKeyID.EqualTo("alias/aws/sns") { results.Add( "Topic encryption does not use a customer managed key.", - &topic, topic.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/sqs/enable_queue_encryption.go b/rules/aws/sqs/enable_queue_encryption.go index 6e9fcf5d7..aa18f1d6d 100755 --- a/rules/aws/sqs/enable_queue_encryption.go +++ b/rules/aws/sqs/enable_queue_encryption.go @@ -42,7 +42,6 @@ var CheckEnableQueueEncryption = rules.Register( if queue.Encryption.KMSKeyID.IsEmpty() || queue.Encryption.KMSKeyID.EqualTo("alias/aws/sqs") { results.Add( "Queue is not encrypted with a customer managed key.", - &queue, queue.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/sqs/no_wildcards_in_policy_documents.go b/rules/aws/sqs/no_wildcards_in_policy_documents.go index 5fc0a5d55..cfcc0035e 100755 --- a/rules/aws/sqs/no_wildcards_in_policy_documents.go +++ b/rules/aws/sqs/no_wildcards_in_policy_documents.go @@ -57,7 +57,6 @@ This ensures that the queue itself cannot be modified or deleted, and prevents p fail = true results.Add( "Queue policy does not restrict actions to a known set.", - &queue, policyDoc, ) break diff --git a/rules/aws/ssm/secret_use_customer_key.go b/rules/aws/ssm/secret_use_customer_key.go index cb1e76921..65017d3fd 100755 --- a/rules/aws/ssm/secret_use_customer_key.go +++ b/rules/aws/ssm/secret_use_customer_key.go @@ -40,13 +40,11 @@ var CheckSecretUseCustomerKey = rules.Register( if secret.KMSKeyID.IsEmpty() { results.Add( "Secret is not encrypted with a customer managed key.", - &secret, secret.KMSKeyID, ) } else if secret.KMSKeyID.EqualTo(ssm.DefaultKMSKeyID) { results.Add( "Secret explicitly uses the default key.", - &secret, secret.KMSKeyID, ) } else { diff --git a/rules/aws/vpc/add_description_to_security_group.go b/rules/aws/vpc/add_description_to_security_group.go index 323040ab6..634d30fca 100755 
--- a/rules/aws/vpc/add_description_to_security_group.go +++ b/rules/aws/vpc/add_description_to_security_group.go @@ -44,13 +44,11 @@ Simplifies auditing, debugging, and managing security groups.`, if group.Description.IsEmpty() { results.Add( "Security group does not have a description.", - &group, group.Description, ) } else if group.Description.EqualTo("Managed by Terraform") { results.Add( "Security group explicitly uses the default description.", - &group, group.Description, ) } else { diff --git a/rules/aws/vpc/add_description_to_security_group_rule.go b/rules/aws/vpc/add_description_to_security_group_rule.go index 39a3427e9..d17643d16 100755 --- a/rules/aws/vpc/add_description_to_security_group_rule.go +++ b/rules/aws/vpc/add_description_to_security_group_rule.go @@ -42,7 +42,6 @@ Simplifies auditing, debugging, and managing security groups.`, if rule.Description.IsEmpty() { results.Add( "Security group rule does not have a description.", - &rule, rule.Description, ) } else { diff --git a/rules/aws/vpc/no_excessive_port_access.go b/rules/aws/vpc/no_excessive_port_access.go index 9beb24aa5..76b874017 100755 --- a/rules/aws/vpc/no_excessive_port_access.go +++ b/rules/aws/vpc/no_excessive_port_access.go @@ -40,7 +40,6 @@ var CheckNoExcessivePortAccess = rules.Register( if rule.Protocol.EqualTo("-1") || rule.Protocol.EqualTo("all") { results.Add( "Network ACL rule allows access using ALL ports.", - &rule, rule.Protocol, ) } else { diff --git a/rules/aws/vpc/no_public_egress_sgr.go b/rules/aws/vpc/no_public_egress_sgr.go index c80ef2dc3..5db550c99 100755 --- a/rules/aws/vpc/no_public_egress_sgr.go +++ b/rules/aws/vpc/no_public_egress_sgr.go @@ -44,7 +44,6 @@ var CheckNoPublicEgressSgr = rules.Register( fail = true results.Add( "Security group rule allows egress to multiple public internet addresses.", - &rule, block, ) } diff --git a/rules/aws/vpc/no_public_ingress_acl.go b/rules/aws/vpc/no_public_ingress_acl.go index 4b49a206b..c807a6ab7 100755 
--- a/rules/aws/vpc/no_public_ingress_acl.go +++ b/rules/aws/vpc/no_public_ingress_acl.go @@ -51,7 +51,6 @@ var CheckNoPublicIngress = rules.Register( fail = true results.Add( "Network ACL rule allows ingress from public internet.", - &rule, block, ) } diff --git a/rules/aws/vpc/no_public_ingress_sgr.go b/rules/aws/vpc/no_public_ingress_sgr.go index a3e8dbe90..5f97be784 100755 --- a/rules/aws/vpc/no_public_ingress_sgr.go +++ b/rules/aws/vpc/no_public_ingress_sgr.go @@ -44,7 +44,6 @@ var CheckNoPublicIngressSgr = rules.Register( failed = true results.Add( "Security group rule allows ingress from public internet.", - &rule, block, ) } diff --git a/rules/aws/workspaces/enable_disk_encryption.go b/rules/aws/workspaces/enable_disk_encryption.go index 2d2bc21aa..581a2cb58 100755 --- a/rules/aws/workspaces/enable_disk_encryption.go +++ b/rules/aws/workspaces/enable_disk_encryption.go @@ -40,7 +40,6 @@ var CheckEnableDiskEncryption = rules.Register( if workspace.RootVolume.Encryption.Enabled.IsFalse() { results.Add( "Root volume does not have encryption enabled.", - &workspace, workspace.RootVolume.Encryption.Enabled, ) fail = true @@ -48,7 +47,6 @@ var CheckEnableDiskEncryption = rules.Register( if workspace.UserVolume.Encryption.Enabled.IsFalse() { results.Add( "User volume does not have encryption enabled.", - &workspace, workspace.UserVolume.Encryption.Enabled, ) fail = true diff --git a/rules/azure/keyvault/no_purge.go b/rules/azure/keyvault/no_purge.go index 7ba157645..d25028e28 100755 --- a/rules/azure/keyvault/no_purge.go +++ b/rules/azure/keyvault/no_purge.go 
@@ -43,7 +43,7 @@ Purge protection can only be enabled once soft-delete is enabled. It can be turn
 } else if vault.EnablePurgeProtection.IsTrue() && (vault.SoftDeleteRetentionDays.LessThan(7) || vault.SoftDeleteRetentionDays.GreaterThan(90)) {
 results.Add(
 "Resource should have soft_delete_retention_days set between 7 and 90 days in order to enable purge protection.",
- vault.EnablePurgeProtection, vault.SoftDeleteRetentionDays,
+ vault.SoftDeleteRetentionDays,
 )
 } else {
 results.AddPassed(&vault)
diff --git a/rules/flat.go b/rules/flat.go
index 2f939932a..80b545315 100755
--- a/rules/flat.go
+++ b/rules/flat.go
@@ -37,10 +37,7 @@ func (r Results) Flatten() []FlatResult {
 }

 func (r *Result) Flatten() FlatResult {
- rng := r.CodeBlockMetadata().Range()
- if r.IssueBlockMetadata() != nil {
- rng = r.IssueBlockMetadata().Range()
- }
+ rng := r.Metadata().Range()
 return FlatResult{
 RuleID: r.rule.AVDID,
 LongID: r.Rule().LongID(),
@@ -54,7 +51,7 @@ func (r *Result) Flatten() FlatResult {
 RangeAnnotation: r.Annotation(),
 Severity: r.rule.Severity,
 Status: r.status,
- Resource: r.CodeBlockMetadata().Reference().LogicalID(),
+ Resource: r.Metadata().Reference().LogicalID(),
 Location: FlatRange{
 Filename: rng.GetFilename(),
 StartLine: rng.GetStartLine(),
diff --git a/rules/github/actions/no_plain_text_action_secrets.go b/rules/github/actions/no_plain_text_action_secrets.go
index 229c914ee..32dd7625c 100644
--- a/rules/github/actions/no_plain_text_action_secrets.go
+++ b/rules/github/actions/no_plain_text_action_secrets.go
@@ -36,7 +36,6 @@ var CheckNoPlainTextActionEnvironmentSecrets = rules.Register(
 }
 if environmentSecret.PlainTextValue.IsNotEmpty() {
 results.Add("Secret has plain text value",
- &environmentSecret,
 environmentSecret.PlainTextValue)
 } else {
 results.AddPassed(&environmentSecret)
diff --git a/rules/result.go b/rules/result.go
index bc2afcdbd..f9187a485 100755
--- a/rules/result.go
+++ b/rules/result.go
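Review bot: `Resource: r.Metadata().Reference().LogicalID()` now takes the reference from whatever the rule passed to `results.Add`, and the rule hunks in this commit pass the offending attribute (for example `sg.Description`) rather than the resource; unless attribute metadata is built with the enclosing resource's reference, the flattened `Resource` field will identify the attribute rather than the resource it belongs to. The `parent` link added to `types.Metadata` in this commit is the way to recover it, so walk to the root before taking the ID, e.g. `root := r.Metadata(); for root.Parent() != nil { root = root.Parent() }` followed by `Resource: root.Reference().LogicalID()`. `Flatten` starts in the previous hunk and ends outside this one, and whether an attribute's `Reference()` already resolves to its resource cannot be confirmed from this diff.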
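Review bot: Once `&environmentSecret` is gone, `environmentSecret.PlainTextValue` is the sole metadata for this finding, and the rewritten `Results.Add` in this commit copies an explicit attribute's raw value into the result annotation via `rawToString(metadata.GetRawValue())`, so the plaintext secret itself is carried in the finding and printed by every formatter. The old issue-block path did the same, but this rule is the one place where the annotated value is, by definition, a secret and should not reach CI logs or SARIF artefacts unredacted. If `results` is an addressable `rules.Results` here, `results[len(results)-1].OverrideAnnotation("<redacted>")` directly after the `Add` call keeps the location and drops the value; `OverrideAnnotation` is the existing setter in `rules/result.go`. The enclosing rule body extends beyond the hunk.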
@@ -21,8 +21,7 @@ type Result struct {
 description string
 annotation string
 status Status
- codeBlock *types.Metadata
- issueBlock *types.Metadata
+ metadata *types.Metadata
 severityOverride *severity.Severity
 }
 
@@ -41,12 +40,8 @@ func (r *Result) OverrideDescription(description string) {
 r.description = description
 }
 
-func (r *Result) OverrideIssueBlockMetadata(metadata *types.Metadata) {
- r.issueBlock = metadata
-}
-
-func (r *Result) OverrideCodeBlockMetadata(metadata *types.Metadata) {
- r.codeBlock = metadata
+func (r *Result) OverrideMetadata(metadata *types.Metadata) {
+ r.metadata = metadata
 }
 
 func (r *Result) OverrideAnnotation(annotation string) {
@@ -69,19 +64,12 @@ func (r Result) Annotation() string {
 return r.annotation
 }
 
-func (r Result) IssueBlockMetadata() *types.Metadata {
- return r.issueBlock
+func (r Result) Metadata() *types.Metadata {
+ return r.metadata
 }
 
-func (r Result) CodeBlockMetadata() *types.Metadata {
- return r.codeBlock
-}
-
-func (r Result) NarrowestRange() types.Range {
- if r.issueBlock != nil {
- return r.issueBlock.Range()
- }
- return r.codeBlock.Range()
+func (r Result) Range() types.Range {
+ return r.metadata.Range()
 }
 
 type Results []Result
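Review bot: `Range()` in the last result.go hunk has no nil guard on `r.metadata`, and nothing in the hunk documents that a `Result` must always carry metadata, while `OverrideMetadata` accepts any pointer including nil. Either guard it or state the invariant on the accessors, e.g. `// Metadata returns the metadata of the element the result was recorded against; it is set by Add/AddPassed and is expected to be non-nil.` The exported `OverrideMetadata`, `Metadata` and `Range` replace three previously exported names, so any caller of `IssueBlockMetadata`, `CodeBlockMetadata` or `NarrowestRange` outside this diff breaks at compile time; if the package is consumed outside the repository, one-line `// Deprecated:` shims delegating to the new methods would ease the migration. All three hunks lie fully inside this file section.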
@@ -91,39 +79,30 @@ type MetadataProvider interface {
 GetRawValue() interface{}
 }
 
-func (r *Results) Add(description string, source MetadataProvider, issueBlock ...MetadataProvider) {
+func (r *Results) Add(description string, source MetadataProvider) {
 var annotationStr string
- srcMeta := *(source.GetMetadata())
+ metadata := source.GetMetadata()
 result := Result{
 description: description,
- codeBlock: &srcMeta,
+ metadata: metadata,
 }
- if len(issueBlock) > 0 {
- metadata := issueBlock[0].GetMetadata()
- if metadata != nil {
- if metadata.IsExplicit() {
- annotationStr = rawToString(issueBlock[0].GetRawValue())
- }
- result.annotation = annotationStr
- literalMeta := *metadata
- result.issueBlock = &literalMeta
- }
+ if metadata.IsExplicit() {
+ annotationStr = rawToString(metadata.GetRawValue())
+ result.annotation = annotationStr
 }
 *r = append(*r, result)
 }
 
 func (r *Results) AddPassed(source MetadataProvider, descriptions ...string) {
- metadata := source.GetMetadata()
-
 *r = append(*r, Result{
 description: strings.Join(descriptions, " "),
 status: StatusPassed,
- codeBlock: metadata,
+ metadata: source.GetMetadata(),
 },
 )
 }
diff --git a/types/metadata.go b/types/metadata.go
index ba93a1bf3..c4c859424 100755
--- a/types/metadata.go
+++ b/types/metadata.go
@@ -12,6 +12,7 @@ type Metadata struct {
 isDefault bool
 isExplicit bool
 isUnresolvable bool
+ parent *Metadata
 }
 
 func NewMetadata(r Range, ref Reference) Metadata {
@@ -28,6 +29,19 @@ func NewMetadata(r Range, ref Reference) Metadata {
 }
 }
 
+func (m *Metadata) WithParent(p Metadata) Metadata {
+ m.parent = &p
+ return *m
+}
+
+func (m *Metadata) Parent() *Metadata {
+ return m.parent
+}
+
+func (m *Metadata) IsMultiLine() bool {
+ return m.rnge.GetStartLine() < m.rnge.GetEndLine()
+}
+
 func NewUnmanagedMetadata() Metadata {
 m := NewMetadata(NewRange("", 0, 0), &FakeReference{})
 m.isManaged = false
diff --git a/types/range.go b/types/range.go
index 9e012f2d4..d34aa04c4 100755
--- a/types/range.go
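Review bot: `metadata: metadata,` in the `Add` hunk stores the provider's pointer directly, where the code it replaces copied the metadata (`srcMeta := *(source.GetMetadata())`, `literalMeta := *metadata`) so each result held its own snapshot. With `WithParent` now mutating through a pointer receiver, any later change to a provider's metadata will be reflected in results already recorded; if the snapshot was intentional, restore it with `m := *metadata` and `metadata: &m` after a nil check, and `AddPassed` in the same hunk aliases the pointer the same way. The old `Add` also tolerated a nil metadata on the issue-block argument, which is the role the single `source` argument now plays at every call site in this diff, whereas `metadata.IsExplicit()` now runs unconditionally and presumably panics on nil; `if metadata != nil && metadata.IsExplicit() {` keeps the old tolerance.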
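Review bot: `WithParent(p Metadata)` in the metadata.go hunk takes the parent by value and stores `&p`, the address of that copy, so the stored parent is a snapshot that will not see later changes to the caller's value (including a grandparent attached afterwards), and the method both mutates the receiver and returns a copy, leaving callers with two objects that can diverge. A value receiver, `func (m Metadata) WithParent(p Metadata) Metadata`, would make it an honest builder, or keep the pointer receiver and return nothing; either way a doc comment should say whether the parent is copied. `IsMultiLine` repeats the comparison that `baseRange.IsMultiLine` now provides through the `Range` interface; if `rnge` holds a `Range`, `return m.rnge.IsMultiLine()` avoids the two definitions drifting apart. The `parent` field added in the first hunk also wants a comment, something like `// parent presumably links to the enclosing element's metadata; nil at the root`, confirmed against the callers of WithParent.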
+++ b/types/range.go
@@ -7,6 +7,7 @@ type Range interface {
 GetStartLine() int
 GetEndLine() int
 String() string
+ IsMultiLine() bool
 }
 
 func NewRange(filename string, startLine int, endLine int) baseRange {
@@ -35,6 +36,10 @@ func (r baseRange) GetEndLine() int {
 return r.endLine
 }
 
+func (r baseRange) IsMultiLine() bool {
+ return r.startLine < r.endLine
+}
+
 func (r baseRange) String() string {
 if r.startLine != r.endLine {
 return fmt.Sprintf("%s:%d-%d", r.filename, r.startLine, r.endLine)
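Review bot: `IsMultiLine() bool` is added to the exported `Range` interface in the first range.go hunk, so any other implementation of `Range` not touched by this diff stops satisfying it at compile time; a compile-time assertion such as `var _ Range = baseRange{}` next to the type makes such breakage visible within this package. In the second hunk `baseRange.IsMultiLine` uses `r.startLine < r.endLine` while `String()` decides the same question with `r.startLine != r.endLine`, so a range whose start line exceeds its end line prints as multi-line yet reports false; `NewRange`'s body is outside the hunk, so whether such ranges are rejected is not visible here. Having `String()` branch on `r.IsMultiLine()` keeps the two in step, and the new method wants a doc comment: `// IsMultiLine reports whether the range spans more than one line.`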