Merge pull request #2832 from snyk/chore/update_snyk-iac-parsers_version

feat: update snyk-iac-parsers version

release-scripts/hcl-to-json-parser-generator-v2/src/hcltojson-v2/go.mod

@@ -9,6 +9,6 @@ require (
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/snyk/snyk-iac-parsers v0.4.2
+	github.com/snyk/snyk-iac-parsers v0.6.0
 	github.com/zclconf/go-cty v1.10.0 // indirect
 )

release-scripts/hcl-to-json-parser-generator-v2/src/hcltojson-v2/go.sum

@@ -49,6 +49,7 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -160,6 +161,7 @@ github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FI
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -187,6 +189,8 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/snyk/snyk-iac-parsers v0.4.2 h1:Vi5BsntLX7oiLHK36s5Npgw6b/1oBMuudKCf99sijmI=
 github.com/snyk/snyk-iac-parsers v0.4.2/go.mod h1:vmR6e9WfglVPO2Y82lW49Sb5jiGb13FXGwJGNtVRBcw=
+github.com/snyk/snyk-iac-parsers v0.6.0 h1:DuYPZhAWUKueM0wGB4ixkCZT0itSTD3AlRqoBkD5ZT8=
+github.com/snyk/snyk-iac-parsers v0.6.0/go.mod h1:vmR6e9WfglVPO2Y82lW49Sb5jiGb13FXGwJGNtVRBcw=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@@ -205,6 +209,7 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tmccombs/hcl2json v0.3.1 h1:Pf+Lb9OpZ5lkQuIC0BB5txdCQskZ2ud/l8sz/Nkjf3A=
 github.com/tmccombs/hcl2json v0.3.1/go.mod h1:ljY0/prd2IFUF3cagQjV3cpPEEQKzqyGqnKI7m5DBVY=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
@@ -361,6 +366,7 @@ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

test/fixtures/iac/terraform/var_deref/nested_var_deref/sg_open_ssh.tf

@@ -3,6 +3,6 @@ resource "aws_security_group_rule" "egress" {
   from_port         = 0
   to_port           = 65535
   protocol          = "all"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = [var.remote_user_addr]
   security_group_id = aws_security_group.allow.id
 }

test/fixtures/iac/terraform/var_deref/sg_open_ssh.tf

@@ -48,4 +48,21 @@ resource "aws_security_group" "allow_ssh_b_auto_tfvars" {
     protocol    = "tcp"
     cidr_blocks = var.remote_user_addr_b_auto_tfvars
   }
-}
+}
+
+resource "aws_security_group" "allow_ssh_c_auto_tfvars" {
+  name        = "allow_ssh"
+  description = "Allow SSH inbound from anywhere"
+  vpc_id      = "${aws_vpc.main.id}"
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = local.remote_user_addr
+  }
+}
+
+locals {
+  remote_user_addr = ["0.0.0.0/0"]
+}

test/jest/acceptance/iac/test-directory.spec.ts

@@ -47,7 +47,7 @@ describe('Directory scan', () => {
     expect(stdout).toContain('Failed to parse YAML file');
     expect(stdout).toContain('Failed to parse JSON file');
     expect(stdout).toContain(
-      '22 projects, 16 contained issues. Failed to test 8 projects.',
+      '22 projects, 15 contained issues. Failed to test 8 projects.',
     );
   });
 

test/jest/acceptance/iac/test-terraform-var-deref.spec.ts

@@ -22,22 +22,23 @@ describe('Terraform Language Support', () => {
       const { stdout, exitCode } = await run(
         `snyk iac test ./iac/terraform/var_deref`,
       );
-      expect(exitCode).toBe(1);
+
+      // expect exitCode to be 0 or 1
+      expect(exitCode).toBeLessThanOrEqual(1);
 
       expect(stdout).toContain('Testing sg_open_ssh.tf...');
-      expect(stdout).toContain('Infrastructure as code issues:');
-      expect(stdout).not.toContain('✗ Security Group allows open ingress');
-      expect(stdout).not.toContain(
-        ' input > resource > aws_security_group[allow_ssh] > ingress',
-      );
-      expect(stdout).not.toContain(
-        ' input > resource > aws_security_group[allow_ssh_terraform_tfvars] > ingress',
-      );
-      expect(stdout).not.toContain(
-        ' input > resource > aws_security_group[allow_ssh_a_auto_tfvars] > ingress',
+      expect(stdout.match(/✗ Security Group allows open ingress/g)).toBeNull();
+      expect(stdout).toContain('Tested sg_open_ssh.tf for known issues');
+
+      expect(stdout).toContain(
+        `Testing ${path.join('nested_var_deref', 'sg_open_ssh.tf')}...`,
       );
-      expect(stdout).not.toContain(
-        ' input > resource > aws_security_group[allow_ssh_b_auto_tfvars] > ingress',
+      expect(stdout.match(/✗ Rule allows open egress/g)).toBeNull();
+      expect(stdout).toContain(
+        `Tested ${path.join(
+          'nested_var_deref',
+          'sg_open_ssh.tf',
+        )} for known issues`,
       );
     });
   });
@@ -47,25 +48,27 @@ describe('Terraform Language Support', () => {
     describe('files', () => {
       it('finds issues in Terraform file', async () => {
         const { stdout, exitCode } = await run(
-          `snyk iac test --org=tf-lang-support iac/terraform/sg_open_ssh.tf`,
+          `snyk iac test --org=tf-lang-support iac/terraform/var_deref/sg_open_ssh.tf`,
         );
+
         expect(exitCode).toBe(1);
 
         expect(stdout).toContain(
-          `Testing ${path
-            .join('iac', 'terraform', 'sg_open_ssh.tf')
-            .replace(new RegExp('\\' + path.sep, 'g'), '/')}`,
+          'Testing iac/terraform/var_deref/sg_open_ssh.tf...',
         );
-        expect(stdout).toContain('Infrastructure as code issues:');
-        expect(stdout).toContain('✗ Security Group allows open ingress');
+        expect(
+          stdout.match(/✗ Security Group allows open ingress/g),
+        ).toHaveLength(1);
         expect(stdout).toContain(
-          ' input > resource > aws_security_group[allow_ssh] > ingress',
+          'Tested iac/terraform/var_deref/sg_open_ssh.tf for known issues',
         );
       });
+
       it('finds no issues in empty Terraform file', async () => {
         const { exitCode } = await run(
           `snyk iac test --org=tf-lang-support ./iac/terraform/empty_file.tf`,
         );
+
         expect(exitCode).toBe(0);
       });
     });
@@ -75,27 +78,25 @@ describe('Terraform Language Support', () => {
         const { stdout, exitCode } = await run(
           `snyk iac test --org=tf-lang-support ./iac/terraform/var_deref`,
         );
+
         expect(exitCode).toBe(1);
 
         expect(stdout).toContain('Testing sg_open_ssh.tf...');
-        expect(stdout).toContain('Infrastructure as code issues:');
-        expect(stdout).toContain('✗ Security Group allows open ingress');
-        expect(stdout).toContain(
-          ' input > resource > aws_security_group[allow_ssh] > ingress',
-        );
-        expect(stdout).toContain(
-          ' input > resource > aws_security_group[allow_ssh_terraform_tfvars] > ingress',
-        );
-        expect(stdout).toContain(
-          ' input > resource > aws_security_group[allow_ssh_a_auto_tfvars] > ingress',
-        );
-        expect(stdout).toContain(
-          ' input > resource > aws_security_group[allow_ssh_b_auto_tfvars] > ingress',
-        );
+        expect(
+          stdout.match(/✗ Security Group allows open ingress/g),
+        ).toHaveLength(5);
+        expect(stdout).toContain('Tested sg_open_ssh.tf for known issues');
 
         expect(stdout).toContain(
           `Testing ${path.join('nested_var_deref', 'sg_open_ssh.tf')}...`,
         );
+        expect(stdout.match(/✗ Rule allows open egress/g)).toHaveLength(1);
+        expect(stdout).toContain(
+          `Tested ${path.join(
+            'nested_var_deref',
+            'sg_open_ssh.tf',
+          )} for known issues`,
+        );
       });
 
       //TODO: add another test that checks a folder with edge cases
@@ -104,9 +105,8 @@ describe('Terraform Language Support', () => {
         const { stdout, exitCode } = await run(
           `snyk iac test --org=tf-lang-support ./iac`,
         );
-        expect(exitCode).toBe(1);
 
-        expect(stdout).toContain('Infrastructure as code issues:');
+        expect(exitCode).toBe(1);
 
         expect(stdout).toContain(
           `Testing ${path.join('kubernetes', 'pod-privileged.yaml')}`,
@@ -121,12 +121,33 @@ describe('Terraform Language Support', () => {
         expect(stdout).toContain(
           `Testing ${path.join('terraform', 'var_deref', 'sg_open_ssh.tf')}`,
         );
+        expect(
+          stdout.match(/✗ Security Group allows open ingress/g),
+        ).toHaveLength(8);
         expect(stdout).toContain(
           `Tested ${path.join(
             'terraform',
             'var_deref',
             'sg_open_ssh.tf',
-          )} for known issues, found`,
+          )} for known issues`,
+        );
+
+        expect(stdout).toContain(
+          `Testing ${path.join(
+            'terraform',
+            'var_deref',
+            'nested_var_deref',
+            'sg_open_ssh.tf',
+          )}...`,
+        );
+        expect(stdout.match(/✗ Rule allows open egress/g)).toHaveLength(1);
+        expect(stdout).toContain(
+          `Tested ${path.join(
+            'terraform',
+            'var_deref',
+            'nested_var_deref',
+            'sg_open_ssh.tf',
+          )} for known issues`,
         );
       });
     });
@@ -136,17 +157,15 @@ describe('Terraform Language Support', () => {
         const { stdout, exitCode } = await run(
           `snyk iac test --org=tf-lang-support iac/terraform/sg_open_ssh.tf`,
         );
+
         expect(exitCode).toBe(1);
 
+        expect(stdout).toContain('Testing iac/terraform/sg_open_ssh.tf...');
+        expect(
+          stdout.match(/✗ Security Group allows open ingress/g),
+        ).toHaveLength(1);
         expect(stdout).toContain(
-          `Testing ${path
-            .join('iac', 'terraform', 'sg_open_ssh.tf')
-            .replace(new RegExp('\\' + path.sep, 'g'), '/')}`,
-        );
-        expect(stdout).toContain('Infrastructure as code issues:');
-        expect(stdout).toContain('✗ Security Group allows open ingress');
-        expect(stdout).toContain(
-          ' input > resource > aws_security_group[allow_ssh] > ingress',
+          'Tested iac/terraform/sg_open_ssh.tf for known issues',
         );
       });
 
@@ -155,15 +174,15 @@ describe('Terraform Language Support', () => {
           `snyk iac test --org=tf-lang-support iac/terraform/sg_open_ssh.tf --severity-threshold=high`,
         );
 
-        expect(exitCode).toBe(0);
-        expect(stdout).toContain('Infrastructure as code issues:');
+        // expect exitCode to be 0 or 1
+        expect(exitCode).toBeLessThanOrEqual(1);
+
+        expect(stdout).toContain('Testing iac/terraform/sg_open_ssh.tf...');
+        expect(
+          stdout.match(/✗ Security Group allows open ingress/g),
+        ).toBeNull();
         expect(stdout).toContain(
-          `Tested ${path
-            .join('iac', 'terraform', 'sg_open_ssh.tf')
-            .replace(
-              new RegExp('\\' + path.sep, 'g'),
-              '/',
-            )} for known issues, found 0 issues`,
+          'Tested iac/terraform/sg_open_ssh.tf for known issues',
         );
       });
 
@@ -173,18 +192,35 @@ describe('Terraform Language Support', () => {
         );
 
         expect(exitCode).toBe(1);
-        expect(stdout).toContain('Infrastructure as code issues:');
-        expect(stdout).toContain('Testing sg_open_ssh.tf...');
+
+        expect(stdout).toContain(
+          `Testing ${path.join('var_deref', 'sg_open_ssh.tf')}`,
+        );
         expect(stdout).toContain(
-          `Testing ${path.join('var_deref', 'sg_open_ssh.tf')}...`,
+          `Tested ${path.join('var_deref', 'sg_open_ssh.tf')} for known issues`,
         );
+        expect(stdout).toContain(`Testing ${path.join('sg_open_ssh.tf')}`);
+        expect(stdout).toContain('Tested sg_open_ssh.tf for known issues');
+        expect(
+          stdout.match(/✗ Security Group allows open ingress/g),
+        ).toHaveLength(6);
+
+        // Check that we didn't scan directories with depth > 2
         expect(stdout).not.toContain(
           `Testing ${path.join(
-            'nested_var_deref',
             'var_deref',
+            'nested_var_deref',
             'sg_open_ssh.tf',
           )}...`,
         );
+        expect(stdout.match(/✗ Rule allows open egress/g)).toBeNull();
+        expect(stdout).not.toContain(
+          `Tested ${path.join(
+            'var_deref',
+            'nested_var_deref',
+            'sg_open_ssh.tf',
+          )} for known issues`,
+        );
       });
 
       it('outputs an error for files with invalid HCL2', async () => {
@@ -193,6 +229,7 @@ describe('Terraform Language Support', () => {
         );
 
         expect(exitCode).toBe(2);
+
         expect(stdout).toContain('We were unable to parse the Terraform file');
       });
 
@@ -202,6 +239,7 @@ describe('Terraform Language Support', () => {
         );
 
         expect(exitCode).toBe(1);
+
         expect(isValidJSONString(stdout)).toBe(true);
         expect(stdout).toContain('"id": "SNYK-CC-TF-1",');
         expect(stdout).toContain('"ruleId": "SNYK-CC-TF-1",');
@@ -213,6 +251,7 @@ describe('Terraform Language Support', () => {
         );
 
         expect(exitCode).toBe(1);
+
         expect(isValidJSONString(stdout)).toBe(true);
         expect(stdout).toContain('"id": "SNYK-CC-TF-1",');
         expect(stdout).toContain('"packageManager": "terraformconfig",');