From 46d5abad42bd4c4b6127d5a5053867728d619098 Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Tue, 16 Apr 2024 13:51:03 +0600 Subject: [PATCH] fix(secret): convert severity for custom rules (#6500) --- pkg/fanal/secret/scanner.go | 18 ++++++++++++- pkg/fanal/secret/scanner_test.go | 27 +++++++++++++++++++ .../config-with-incorrect-severity.yaml | 9 +++++++ .../config-with-non-uppercase-severity.yaml | 9 +++++++ 4 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 pkg/fanal/secret/testdata/config-with-incorrect-severity.yaml create mode 100644 pkg/fanal/secret/testdata/config-with-non-uppercase-severity.yaml diff --git a/pkg/fanal/secret/scanner.go b/pkg/fanal/secret/scanner.go index ef10ad45bb0c..51ac0db707a8 100644 --- a/pkg/fanal/secret/scanner.go +++ b/pkg/fanal/secret/scanner.go @@ -286,16 +286,32 @@ func ParseConfig(configPath string) (*Config, error) { } defer f.Close() - logger.Info("Loading the config file s for secret scanning...") + logger.Info("Loading the config file for secret scanning...") var config Config if err = yaml.NewDecoder(f).Decode(&config); err != nil { return nil, xerrors.Errorf("secrets config decode error: %w", err) } + // Update severity for custom rules + for i := range config.CustomRules { + config.CustomRules[i].Severity = convertSeverity(logger, config.CustomRules[i].Severity) + } + return &config, nil } +// convertSeverity checks the severity and converts it to uppercase or uses "UNKNOWN" for the wrong severity. +func convertSeverity(logger *log.Logger, severity string) string { + switch strings.ToLower(severity) { + case "low", "medium", "high", "critical", "unknown": + return strings.ToUpper(severity) + default: + logger.Warn("Incorrect severity", log.String("severity", severity)) + return "UNKNOWN" + } +} + func NewScanner(config *Config) Scanner { logger := log.WithPrefix("secret") diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go index fe73270b9ae7..0d23f9959e24 100644 --- a/pkg/fanal/secret/scanner_test.go +++ b/pkg/fanal/secret/scanner_test.go @@ -916,6 +916,33 @@ func TestSecretScanner(t *testing.T) { Findings: []types.SecretFinding{wantFinding8}, }, }, + { + name: "add unknown severity when rule has no severity", + configPath: filepath.Join("testdata", "config-with-incorrect-severity.yaml"), + inputFilePath: filepath.Join("testdata", "secret.txt"), + want: types.Secret{ + FilePath: filepath.Join("testdata", "secret.txt"), + Findings: []types.SecretFinding{wantFinding8}, + }, + }, + { + name: "update severity if rule severity is not in uppercase", + configPath: filepath.Join("testdata", "config-with-non-uppercase-severity.yaml"), + inputFilePath: filepath.Join("testdata", "secret.txt"), + want: types.Secret{ + FilePath: filepath.Join("testdata", "secret.txt"), + Findings: []types.SecretFinding{wantFinding8}, + }, + }, + { + name: "use unknown severity when rule has incorrect severity", + configPath: filepath.Join("testdata", "config-with-incorrect-severity.yaml"), + inputFilePath: filepath.Join("testdata", "secret.txt"), + want: types.Secret{ + FilePath: filepath.Join("testdata", "secret.txt"), + Findings: []types.SecretFinding{wantFinding8}, + }, + }, { name: "invalid aws secrets", configPath: filepath.Join("testdata", "skip-test.yaml"), diff --git a/pkg/fanal/secret/testdata/config-with-incorrect-severity.yaml b/pkg/fanal/secret/testdata/config-with-incorrect-severity.yaml new file mode 100644 index 000000000000..faf80f8424fa --- /dev/null +++ b/pkg/fanal/secret/testdata/config-with-incorrect-severity.yaml @@ -0,0 +1,9 @@ +rules: + - id: rule1 + category: general + title: Generic Rule + severity: bad + regex: (?i)(?P(secret))(=|:).{0,5}['"](?Psomevalue)['"] + secret-group-name: secret +disable-allow-rules: + - tests \ No newline at end of file diff --git a/pkg/fanal/secret/testdata/config-with-non-uppercase-severity.yaml b/pkg/fanal/secret/testdata/config-with-non-uppercase-severity.yaml new file mode 100644 index 000000000000..666536a8537f --- /dev/null +++ b/pkg/fanal/secret/testdata/config-with-non-uppercase-severity.yaml @@ -0,0 +1,9 @@ +rules: + - id: rule1 + category: general + title: Generic Rule + severity: uNknown + regex: (?i)(?P(secret))(=|:).{0,5}['"](?Psomevalue)['"] + secret-group-name: secret +disable-allow-rules: + - tests \ No newline at end of file