Add the resource to the result (#28)

aquasecurity · Nov 23, 2021 · ee09298 · ee09298
1 parent 833f2c4
commit ee09298
Show file tree

Hide file tree

Showing 94 changed files with 147 additions and 39 deletions.
diff --git a/formatters/sarif.go b/formatters/sarif.go
@@ -39,6 +39,9 @@ func FormatSarif(w io.Writer, results []rules.Result, baseDir string, _ ...Forma
 		if err != nil {
 			return err
 		}
+		if baseDir == rng.GetFilename() {
+			relativePath = filepath.Base(baseDir)
+		}
 
 		message := sarif.NewTextMessage(res.Description())
 		region := sarif.NewSimpleRegion(rng.GetStartLine(), rng.GetEndLine())

diff --git a/output/output.go b/output/output.go
diff --git a/provider/aws/documentdb/documentdb.go b/provider/aws/documentdb/documentdb.go
@@ -32,3 +32,11 @@ type Instance struct {
 	types.Metadata
 	KMSKeyID types.StringValue
 }
+
+func (i *Instance) GetMetadata() *types.Metadata {
+	return &i.Metadata
+}
+
+func (i *Instance) GetRawValue() interface{} {
+	return nil
+}
diff --git a/rules/aws/apigateway/enable_access_logging.go b/rules/aws/apigateway/enable_access_logging.go
@@ -34,6 +34,7 @@ var CheckEnableAccessLogging = rules.Register(
 				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
 					results.Add(
 						"Access logging is not configured.",
+						&stage,
 						stage.AccessLogging.CloudwatchLogGroupARN,
 					)
 				} else {

diff --git a/rules/aws/apigateway/enable_cache_encryption.go b/rules/aws/apigateway/enable_cache_encryption.go
@@ -33,6 +33,7 @@ var CheckEnableCacheEncryption = rules.Register(
 				if stage.RESTMethodSettings.CacheDataEncrypted.IsFalse() {
 					results.Add(
 						"Cache data is not encrypted.",
+						&stage,
 						stage.RESTMethodSettings.CacheDataEncrypted,
 					)
 				} else {

diff --git a/rules/aws/apigateway/enable_tracing.go b/rules/aws/apigateway/enable_tracing.go
@@ -33,6 +33,7 @@ var CheckEnableTracing = rules.Register(
 				if stage.XRayTracingEnabled.IsFalse() {
 					results.Add(
 						"X-Ray tracing is not enabled,",
+						&stage,
 						stage.XRayTracingEnabled,
 					)
 				} else {

diff --git a/rules/aws/apigateway/no_public_access.go b/rules/aws/apigateway/no_public_access.go
@@ -36,6 +36,7 @@ var CheckNoPublicAccess = rules.Register(
 				if method.AuthorizationType.EqualTo(apigateway.AuthorizationNone) {
 					results.Add(
 						"Authorization is not enabled for this method.",
+						&method,
 						method.AuthorizationType,
 					)
 				} else {

diff --git a/rules/aws/apigateway/use_secure_tls_policy.go b/rules/aws/apigateway/use_secure_tls_policy.go
@@ -27,6 +27,7 @@ var CheckUseSecureTlsPolicy = rules.Register(
 			if domain.SecurityPolicy.NotEqualTo("TLS_1_2") {
 				results.Add(
 					"Domain name is configured with an outdated TLS policy.",
+					&domain,
 					domain.SecurityPolicy,
 				)
 			} else {

diff --git a/rules/aws/athena/enable_at_rest_encryption.go b/rules/aws/athena/enable_at_rest_encryption.go
@@ -31,6 +31,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if workgroup.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
 				results.Add(
 					"Workgroup does not have encryption configured.",
+					&workgroup,
 					workgroup.Encryption.Type,
 				)
 			} else {
@@ -44,6 +45,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if database.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
 				results.Add(
 					"Database does not have encryption configured.",
+					&database,
 					database.Encryption.Type,
 				)
 			} else {

diff --git a/rules/aws/athena/no_encryption_override.go b/rules/aws/athena/no_encryption_override.go
@@ -30,6 +30,7 @@ var CheckNoEncryptionOverride = rules.Register(
 			if workgroup.EnforceConfiguration.IsFalse() {
 				results.Add(
 					"The workgroup configuration is not enforced.",
+					&workgroup,
 					workgroup.EnforceConfiguration,
 				)
 			}

diff --git a/rules/aws/autoscaling/enable_at_rest_encryption.go b/rules/aws/autoscaling/enable_at_rest_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if launchConfig.RootBlockDevice != nil && launchConfig.RootBlockDevice.Encrypted.IsFalse() {
 				results.Add(
 					"Root block device is not encrypted.",
+					&launchConfig,
 					launchConfig.RootBlockDevice.Encrypted,
 				)
 			} else {
@@ -36,6 +37,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 				if device.Encrypted.IsFalse() {
 					results.Add(
 						"EBS block device is not encrypted.",
+						&device,
 						device.Encrypted,
 					)
 				} else {

diff --git a/rules/aws/autoscaling/no_public_ip.go b/rules/aws/autoscaling/no_public_ip.go
@@ -27,6 +27,7 @@ var CheckNoPublicIp = rules.Register(
 			if launchConfig.AssociatePublicIP.IsTrue() {
 				results.Add(
 					"Launch configuration associates public IP address.",
+					&launchConfig,
 					launchConfig.AssociatePublicIP,
 				)
 			} else {

diff --git a/rules/aws/autoscaling/no_sensitive_info.go b/rules/aws/autoscaling/no_sensitive_info.go
@@ -28,6 +28,7 @@ var CheckNoSensitiveInfo = rules.Register(
 			if result := scanner.Scan(launchConfig.UserData.Value()); result.TransgressionFound {
 				results.Add(
 					fmt.Sprintf("Sensitive data found in user data: %s", result.Description),
+					&launchConfig,
 					launchConfig.UserData,
 				)
 			} else {

diff --git a/rules/aws/cloudfront/enable_logging.go b/rules/aws/cloudfront/enable_logging.go
@@ -27,6 +27,7 @@ var CheckEnableLogging = rules.Register(
 			if dist.Logging.Bucket.IsEmpty() {
 				results.Add(
 					"Distribution does not have logging enabled.",
+					&dist,
 					dist.Logging.Bucket,
 				)
 			} else {

diff --git a/rules/aws/cloudfront/enable_waf.go b/rules/aws/cloudfront/enable_waf.go
@@ -27,6 +27,7 @@ var CheckEnableWaf = rules.Register(
 			if dist.WAFID.IsEmpty() {
 				results.Add(
 					"Distribution does not utilise a WAF.",
+					&dist,
 					dist.WAFID,
 				)
 			} else {

diff --git a/rules/aws/cloudfront/enforce_https.go b/rules/aws/cloudfront/enforce_https.go
@@ -30,6 +30,7 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 			if dist.DefaultCacheBehaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) {
 				results.Add(
 					"Distribution allows unencrypted communications.",
+					&dist,
 					dist.DefaultCacheBehaviour.ViewerProtocolPolicy,
 				)
 			} else {
@@ -39,6 +40,7 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 				if behaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) {
 					results.Add(
 						"Distribution allows unencrypted communications.",
+						&behaviour,
 						behaviour.ViewerProtocolPolicy,
 					)
 				} else {

diff --git a/rules/aws/cloudfront/use_secure_tls_policy.go b/rules/aws/cloudfront/use_secure_tls_policy.go
@@ -28,6 +28,7 @@ var CheckUseSecureTlsPolicy = rules.Register(
 			if dist.ViewerCertificate.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) {
 				results.Add(
 					"Distribution allows unencrypted communications.",
+					&dist,
 					dist.ViewerCertificate.MinimumProtocolVersion,
 				)
 			} else {

diff --git a/rules/aws/cloudtrail/enable_all_regions.go b/rules/aws/cloudtrail/enable_all_regions.go
@@ -27,6 +27,7 @@ var CheckEnableAllRegions = rules.Register(
 			if trail.IsMultiRegion.IsFalse() {
 				results.Add(
 					"Trail is not enabled across all regions.",
+					&trail,
 					trail.IsMultiRegion,
 				)
 			} else {

diff --git a/rules/aws/cloudtrail/enable_at_rest_encryption.go b/rules/aws/cloudtrail/enable_at_rest_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if trail.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Trail is not encrypted.",
+					&trail,
 					trail.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/cloudtrail/enable_log_validation.go b/rules/aws/cloudtrail/enable_log_validation.go
@@ -27,6 +27,7 @@ var CheckEnableLogValidation = rules.Register(
 			if trail.EnableLogFileValidation.IsFalse() {
 				results.Add(
 					"Trail does not have log validation enabled.",
+					&trail,
 					trail.EnableLogFileValidation,
 				)
 			} else {

diff --git a/rules/aws/cloudwatch/log_group_customer_key.go b/rules/aws/cloudwatch/log_group_customer_key.go
@@ -27,6 +27,7 @@ var CheckLogGroupCustomerKey = rules.Register(
 			if group.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Log group is not encrypted.",
+					&group,
 					group.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/codebuild/enable_encryption.go b/rules/aws/codebuild/enable_encryption.go
@@ -28,6 +28,7 @@ var CheckEnableEncryption = rules.Register(
 			if project.ArtifactSettings.EncryptionEnabled.IsFalse() {
 				results.Add(
 					"Encryption is not enabled for project artifacts.",
+					&project,
 					project.ArtifactSettings.EncryptionEnabled,
 				)
 			} else {
@@ -38,6 +39,7 @@ var CheckEnableEncryption = rules.Register(
 				if setting.EncryptionEnabled.IsFalse() {
 					results.Add(
 						"Encryption is not enabled for secondary project artifacts.",
+						&setting,
 						setting.EncryptionEnabled,
 					)
 				} else {

diff --git a/rules/aws/documentdb/enable_storage_encryption.go b/rules/aws/documentdb/enable_storage_encryption.go
@@ -25,6 +25,7 @@ var CheckEnableStorageEncryption = rules.Register(
 			if cluster.StorageEncrypted.IsFalse() {
 				results.Add(
 					"Cluster storage does not have encryption enabled.",
+					&cluster,
 					cluster.StorageEncrypted,
 				)
 			} else {

diff --git a/rules/aws/documentdb/encryption_customer_key.go b/rules/aws/documentdb/encryption_customer_key.go
@@ -25,6 +25,7 @@ var CheckEncryptionCustomerKey = rules.Register(
 			if cluster.IsManaged() && cluster.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Cluster encryption does not use a customer-managed KMS key.",
+					&cluster,
 					cluster.KMSKeyID,
 				)
 			} else {
@@ -37,6 +38,7 @@ var CheckEncryptionCustomerKey = rules.Register(
 				if instance.KMSKeyID.IsEmpty() {
 					results.Add(
 						"Instance encryption does not use a customer-managed KMS key.",
+						&instance,
 						instance.KMSKeyID,
 					)
 				} else {

diff --git a/rules/aws/ecr/enable_image_scans.go b/rules/aws/ecr/enable_image_scans.go
@@ -27,6 +27,7 @@ var CheckEnableImageScans = rules.Register(
 			if repo.ImageScanning.ScanOnPush.IsFalse() {
 				results.Add(
 					"Image scanning is not enabled.",
+					&repo,
 					repo.ImageScanning.ScanOnPush,
 				)
 			} else {

diff --git a/rules/aws/ecr/enforce_immutable_repository.go b/rules/aws/ecr/enforce_immutable_repository.go
@@ -29,6 +29,7 @@ This can be done by setting <code>image_tab_mutability</code> to <code>IMMUTABLE
 			if repo.ImageTagsImmutable.IsFalse() {
 				results.Add(
 					"Repository tags are mutable.",
+					&repo,
 					repo.ImageTagsImmutable,
 				)
 			} else {

diff --git a/rules/aws/ecr/no_public_access.go b/rules/aws/ecr/no_public_access.go
@@ -46,6 +46,7 @@ var CheckNoPublicAccess = rules.Register(
 						foundIssue = true
 						results.Add(
 							"Policy provides public access to the ECR repository.",
+							&repo,
 							repo.Policy,
 						)
 					}

diff --git a/rules/aws/ecr/repository_customer_key.go b/rules/aws/ecr/repository_customer_key.go
@@ -28,11 +28,13 @@ var CheckRepositoryCustomerKey = rules.Register(
 			if repo.Encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS) {
 				results.Add(
 					"Repository is not encrypted using KMS.",
+					&repo,
 					repo.Encryption.Type,
 				)
 			} else if repo.Encryption.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Repository encryption does not use a customer managed KMS key.",
+					&repo,
 					repo.Encryption.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/ecs/enable_container_insight.go b/rules/aws/ecs/enable_container_insight.go
@@ -27,6 +27,7 @@ var CheckEnableContainerInsight = rules.Register(
 			if cluster.Settings.ContainerInsightsEnabled.IsFalse() {
 				results.Add(
 					"Cluster does not have container insights enabled.",
+					&cluster,
 					cluster.Settings.ContainerInsightsEnabled,
 				)
 			} else {

diff --git a/rules/aws/ecs/enable_in_transit_encryption.go b/rules/aws/ecs/enable_in_transit_encryption.go
@@ -29,6 +29,7 @@ var CheckEnableInTransitEncryption = rules.Register(
 				if volume.EFSVolumeConfiguration.TransitEncryptionEnabled.IsFalse() {
 					results.Add(
 						"Task definition includes a volume which does not have in-transit-encryption enabled.",
+						&volume,
 						volume.EFSVolumeConfiguration.TransitEncryptionEnabled,
 					)
 				} else {

diff --git a/rules/aws/ecs/no_plaintext_secrets.go b/rules/aws/ecs/no_plaintext_secrets.go
@@ -40,6 +40,7 @@ var CheckNoPlaintextSecrets = rules.Register(
 				if result := scanner.Scan(val); result.TransgressionFound {
 					results.Add(
 						fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s': %s", key, result.Description),
+						&definition,
 						definition.ContainerDefinitions,
 					)
 				} else {

diff --git a/rules/aws/efs/enable_at_rest_encryption.go b/rules/aws/efs/enable_at_rest_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 			if fs.Encrypted.IsFalse() {
 				results.Add(
 					"File system is not encrypted.",
+					&fs,
 					fs.Encrypted,
 				)
 			} else {

diff --git a/rules/aws/eks/enable_control_plane_logging.go b/rules/aws/eks/enable_control_plane_logging.go
@@ -27,6 +27,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 			if cluster.Logging.API.IsFalse() {
 				results.Add(
 					"Control plane API logging is not enabled.",
+					&cluster,
 					cluster.Logging.API,
 				)
 			} else {
@@ -36,6 +37,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 			if cluster.Logging.Audit.IsFalse() {
 				results.Add(
 					"Control plane audit logging is not enabled.",
+					&cluster,
 					cluster.Logging.Audit,
 				)
 			} else {
@@ -45,6 +47,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 			if cluster.Logging.Authenticator.IsFalse() {
 				results.Add(
 					"Control plane authenticator logging is not enabled.",
+					&cluster,
 					cluster.Logging.Authenticator,
 				)
 			} else {
@@ -54,6 +57,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 			if cluster.Logging.ControllerManager.IsFalse() {
 				results.Add(
 					"Control plane controller manager logging is not enabled.",
+					&cluster,
 					cluster.Logging.ControllerManager,
 				)
 			} else {
@@ -63,6 +67,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 			if cluster.Logging.Scheduler.IsFalse() {
 				results.Add(
 					"Control plane scheduler logging is not enabled.",
+					&cluster,
 					cluster.Logging.Scheduler,
 				)
 			} else {

diff --git a/rules/aws/eks/encrypt_secrets.go b/rules/aws/eks/encrypt_secrets.go
@@ -27,11 +27,13 @@ var CheckEncryptSecrets = rules.Register(
 			if cluster.Encryption.Secrets.IsFalse() {
 				results.Add(
 					"Cluster does not have secret encryption enabled.",
+					&cluster,
 					cluster.Encryption.Secrets,
 				)
 			} else if cluster.Encryption.KMSKeyID.IsEmpty() {
 				results.Add(
 					"Cluster encryption requires a KMS key ID, which is missing",
+					&cluster,
 					cluster.Encryption.KMSKeyID,
 				)
 			} else {

diff --git a/rules/aws/eks/no_public_cluster_access.go b/rules/aws/eks/no_public_cluster_access.go
@@ -27,6 +27,7 @@ var CheckNoPublicClusterAccess = rules.Register(
 			if cluster.PublicAccessEnabled.IsTrue() {
 				results.Add(
 					"Public cluster access is enabled.",
+					&cluster,
 					cluster.PublicAccessEnabled,
 				)
 			} else {