fix(4.2.5): filter out anonymous packages from different repositories (…

…#27) * filter only packages under the scoped repository * add unit tests * Update README.md Co-authored-by: MorAlon1 <101275199+MorAlon1@users.noreply.github.com>
aquasecurity · Jun 28, 2022 · 45436ae · 45436ae
1 parent 3c818e6
commit 45436ae
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ The auditing focuses on the entire SDLC process, where it can reveal risks from
 [go-report-card]: https://goreportcard.com/badge/github.com/aquasecurity/chain-bench?style=flat-square
 
 <figure style="text-align: center">
-  <img src="docs/imgs/demo.gif" width="1000" alt="Vulnerability Detection">
+  <img src="docs/imgs/demo.gif" width="1000" alt="demo">
 </figure>
 
 # Contents

diff --git a/go.mod b/go.mod
@@ -12,14 +12,14 @@ require (
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/viper v1.11.0
 	github.com/stretchr/testify v1.7.1
+	github.com/thoas/go-funk v0.9.2
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
 )
 
 require (
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.0-beta.8 // indirect
-	github.com/thoas/go-funk v0.9.2 // indirect
 	github.com/vektah/gqlparser/v2 v2.4.4 // indirect
 )
 

diff --git a/internal/checks/artifacts/access-to-artifacts/access_to_artifacts_test.go b/internal/checks/artifacts/access-to-artifacts/access_to_artifacts_test.go
@@ -47,7 +47,8 @@ func TestAccessToArtifactsChecker(t *testing.T) {
 			Name: "Should fail when the user have package registry with 1 public package under private repo",
 			Data: &checkmodels.CheckData{
 				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithPackageRegistry(builders.NewRegistryBuilder().WithPackages("npm", "public", true).Build()).
+					WithRepository(builders.NewRepositoryBuilder().WithID(4344).Build()).
+					WithPackageRegistry(builders.NewRegistryBuilder().WithPackages("npm", "public", true, 4344).Build()).
 					Build(),
 			},
 			Expected: []*checkmodels.CheckRunResult{
@@ -61,6 +62,18 @@ func TestAccessToArtifactsChecker(t *testing.T) {
 			},
 			Expected: []*checkmodels.CheckRunResult{},
 		},
+		{
+			Name: "Should fail when the user has Package registry with 2 public packages but only 1 under the scoped repository",
+			Data: &checkmodels.CheckData{
+				AssetsMetadata: builders.NewAssetsDataBuilder().
+					WithRepository(builders.NewRepositoryBuilder().WithID(4344).Build()).
+					WithPackageRegistry(builders.NewRegistryBuilder().WithPackages("npm", "public", true, 4344).WithPackages("npm", "public", true, 65655).Build()).
+					Build(),
+			},
+			Expected: []*checkmodels.CheckRunResult{
+				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
+			},
+		},
 	}
 	testutils.RunCheckTests(t, common.GetRegoRunAction(regoQuery, checksMetadata), tests, checksMetadata)
 }
diff --git a/internal/checks/artifacts/access-to-artifacts/rules.rego b/internal/checks/artifacts/access-to-artifacts/rules.rego
@@ -11,6 +11,7 @@ is_two_factor_authentication_disabled_in_registry {
 is_registry_packages_allows_anonymous_access[unauth_packages] {
 	unauth_packages := count([p |
 		p := input.Registry.Packages[_]
+		p.Repository.ID == input.Repository.ID
 		p.Visibility == "public"
 		p.Repository.IsPrivate == true
 	])

diff --git a/internal/models/repository.go b/internal/models/repository.go
@@ -3,7 +3,7 @@ package models
 import "github.com/aquasecurity/chain-bench/internal/utils"
 
 type Repository struct {
-	ID               *int64           `json:"id,omitempty"`
+	ID               *int64
 	NodeID           *string          `json:"node_id,omitempty"`
 	Owner            *User            `json:"owner,omitempty"`
 	Name             *string          `json:"name,omitempty"`

diff --git a/internal/testutils/builders/package_registry_builder.go b/internal/testutils/builders/package_registry_builder.go
@@ -25,11 +25,11 @@ func (p *PackageRegistryBuilder) WithTwoFactorAuthenticationEnabled(enabled bool
 	return p
 }
 
-func (p *PackageRegistryBuilder) WithPackages(packagetype string, visability string, isRepoPrivate bool) *PackageRegistryBuilder {
+func (p *PackageRegistryBuilder) WithPackages(packagetype string, visability string, isRepoPrivate bool, repoID int64) *PackageRegistryBuilder {
 	pkg := &models.Package{
 		PackageType: utils.GetPtr(packagetype),
 		Visibility:  utils.GetPtr(visability),
-		Repository:  &models.Repository{IsPrivate: utils.GetPtr(isRepoPrivate)}}
+		Repository:  &models.Repository{ID: utils.GetPtr(repoID), IsPrivate: utils.GetPtr(isRepoPrivate)}}
 
 	if p.registry.Packages == nil {
 		p.registry.Packages = []*models.Package{pkg}

diff --git a/internal/testutils/builders/repository_builder.go b/internal/testutils/builders/repository_builder.go
@@ -58,6 +58,11 @@ func NewRepositoryBuilder() *RepositoryBuilder {
 	}}
 }
 
+func (b *RepositoryBuilder) WithID(id int64) *RepositoryBuilder {
+	b.repository.ID = utils.GetPtr(id)
+	return b
+}
+
 func (b *RepositoryBuilder) WithAllowRebaseMerge(enable bool) *RepositoryBuilder {
 	b.repository.AllowRebaseMerge = utils.GetPtr(enable)
 	return b