From c72484d7ea729c435786a547581f596cbc38f270 Mon Sep 17 00:00:00 2001 From: Ron Tal Date: Mon, 10 May 2021 19:37:15 +0300 Subject: [PATCH] feat: iac new flow ga --- help/commands-docs/_EXAMPLES.md | 2 +- help/commands-docs/iac-examples.md | 2 +- help/commands-docs/iac.md | 7 +- .../assert-iac-options-flag.ts | 2 +- .../test/iac-local-execution/index.ts | 4 +- .../test/iac-local-execution/types.ts | 3 + src/cli/commands/test/iac-test-shim.ts | 29 +- src/cli/index.ts | 20 - .../cli-test/cli-test.acceptance.test.ts | 4 - .../cli-test/iac/cli-test.iac-dir.spec.ts | 197 ---------- .../cli-test/iac/cli-test.iac-k8s.spec.ts | 264 ------------- .../cli-test/iac/cli-test.iac-utils.ts | 356 ------------------ test/jest/acceptance/cli-args.spec.ts | 4 +- .../assert-iac-options-flag.spec.ts | 2 +- .../spec/iac/snyk_test_directory_spec.sh | 8 +- test/smoke/spec/iac/snyk_test_k8s_spec.sh | 10 +- .../spec/iac/snyk_test_local_exec_spec.sh | 56 +-- .../spec/iac/snyk_test_terraform_spec.sh | 10 +- 18 files changed, 70 insertions(+), 910 deletions(-) delete mode 100644 test/acceptance/cli-test/iac/cli-test.iac-dir.spec.ts delete mode 100644 test/acceptance/cli-test/iac/cli-test.iac-k8s.spec.ts delete mode 100644 test/acceptance/cli-test/iac/cli-test.iac-utils.ts diff --git a/help/commands-docs/_EXAMPLES.md b/help/commands-docs/_EXAMPLES.md index a6d3fd08cd..62cef8bdae 100644 --- a/help/commands-docs/_EXAMPLES.md +++ b/help/commands-docs/_EXAMPLES.md @@ -26,4 +26,4 @@ See `snyk iac --help` for more details and examples: $ snyk iac test /path/to/Kubernetes.yaml $ snyk iac test /path/to/terraform_file.tf - $ snyk iac test /path/to/tf-plan.json --experimental + $ snyk iac test /path/to/tf-plan.json diff --git a/help/commands-docs/iac-examples.md b/help/commands-docs/iac-examples.md index 39bfa9c2a8..c3b230c085 100644 --- a/help/commands-docs/iac-examples.md +++ b/help/commands-docs/iac-examples.md 
@@ -9,7 +9,7 @@ \$ snyk iac test /path/to/terraform_file.tf - `Test terraform plan file`: - \$ snyk iac test /path/to/tf-plan.json --experimental + \$ snyk iac test /path/to/tf-plan.json - `Test matching files in a directory`: \$ snyk iac test /path/to/directory diff --git a/help/commands-docs/iac.md b/help/commands-docs/iac.md index 7a05a26387..30223645ed 100644 --- a/help/commands-docs/iac.md +++ b/help/commands-docs/iac.md @@ -44,13 +44,8 @@ Find security issues in your Infrastructure as Code files. Save test output in SARIF format directly to the file, regardless of whether or not you use the `--sarif` option. This is especially useful if you want to display the human-readable test output via stdout and at the same time save the SARIF format output to a file. -- `--experimental`: - (only in `test` command) - Enable an experimental feature to scan configuration files locally on your machine. - This feature also gives you the ability to scan terraform plan JSON files. - - `--scan=`: - Dedicated flag for Terraform plan scanning modes (available only under `--experimental` mode). + Dedicated flag for Terraform plan scanning modes. It enables to control whether the scan should analyse the full final state (e.g. `planned-values`), or the proposed changes only (e.g. `resource-changes`). Default: If the `--scan` flag is not provided it would scan the proposed changes only by default. Example #1: `--scan=planned-values` (full state scan) diff --git a/src/cli/commands/test/iac-local-execution/assert-iac-options-flag.ts b/src/cli/commands/test/iac-local-execution/assert-iac-options-flag.ts index 24b8997d01..a0c176ff6b 100644 --- a/src/cli/commands/test/iac-local-execution/assert-iac-options-flag.ts +++ b/src/cli/commands/test/iac-local-execution/assert-iac-options-flag.ts 
@@ -6,7 +6,6 @@ import { IaCErrorCodes, IaCTestFlags, TerraformPlanScanMode } from './types'; const keys: (keyof IaCTestFlags)[] = [ 'debug', 'insecure', - 'experimental', 'detectionDepth', 'severityThreshold', 'json', @@ -20,6 +19,7 @@ const keys: (keyof IaCTestFlags)[] = [ 'q', 'quiet', 'scan', + 'legacy', ]; const allowed = new Set(keys); diff --git a/src/cli/commands/test/iac-local-execution/index.ts b/src/cli/commands/test/iac-local-execution/index.ts index 7d85f07cb9..41317c53fc 100644 --- a/src/cli/commands/test/iac-local-execution/index.ts +++ b/src/cli/commands/test/iac-local-execution/index.ts @@ -19,9 +19,7 @@ import { cleanLocalCache, } from './measurable-methods'; // this method executes the local processing engine and then formats the results to adapt with the CLI output. -// the current version is dependent on files to be present locally which are not part of the source code. -// without these files this method would fail. -// if you're interested in trying out the experimental local execution model for IaC scanning, please reach-out. +// this flow is the default GA flow for IAC scanning. export async function test( pathToScan: string, options: IaCTestFlags, diff --git a/src/cli/commands/test/iac-local-execution/types.ts b/src/cli/commands/test/iac-local-execution/types.ts index b3b4ac99e6..fce0fe4279 100644 --- a/src/cli/commands/test/iac-local-execution/types.ts +++ b/src/cli/commands/test/iac-local-execution/types.ts @@ -132,6 +132,9 @@ export type IaCTestFlags = Pick< help?: 'help'; q?: boolean; quiet?: boolean; + // This flag is internal and is used merely to route the smoke tests of the old flow. + // it should be removed together when the GA version completely deprecates the legacy remote processing flow. + legacy?: boolean; } & TerraformPlanFlags; // Flags specific for Terraform plan scanning diff --git a/src/cli/commands/test/iac-test-shim.ts b/src/cli/commands/test/iac-test-shim.ts index 931155839d..726b243674 100644 
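Review bot: `legacy` is described in `types.ts` as an internal flag used only to route smoke tests, but adding `'legacy'` to `keys` in `assert-iac-options-flag.ts` makes it a flag any caller can pass, and the shim uses it to select the remote-processing flow. The comment should say what the flag does for whoever passes it, e.g. `// --legacy: undocumented; routes the scan to the legacy remote-processing flow instead of scanning locally.` Dropping `'experimental'` from the same list presumably makes existing `snyk iac test --experimental` invocations fail the flag assertion (the assertion body is outside these hunks). If that is not intended, keep the flag accepted as a no-op for a deprecation period.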
--- a/src/cli/commands/test/iac-test-shim.ts +++ b/src/cli/commands/test/iac-test-shim.ts @@ -2,9 +2,12 @@ import { assertIaCOptionsFlags } from './iac-local-execution/assert-iac-options- import { IaCTestOptions, TestReturnValue } from './iac-local-execution/types'; import { localTest } from './iac-local-execution/measurable-methods'; import { test as legacyTest } from '../../../lib'; +import { getIacOrgSettings } from './iac-local-execution/org-settings/get-iac-org-settings'; +import { isFeatureFlagSupportedForOrg } from '../../../lib/feature-flags'; +const camelCase = require('lodash.camelcase'); /** - * Shim around the new local execution test path and the existing remote + * Shim around the new local execution test path and the legacy remote * test flow. We also locally deal with the way the legacy test flow exposes * the scanned files via the `options.iacDirFiles` object here so that * in the new flow we do not mutate the options object. 
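Review bot: `const camelCase = require('lodash.camelcase');` brings an untyped (`any`) value into a module that otherwise uses ES imports. As far as the second hunk of this file shows, it is only applied to the constant string `'opt-out-from-local-exec-iac'`. Passing the literal `'optOutFromLocalExecIac'` to `isFeatureFlagSupportedForOrg` would remove the extra require and make the flag name greppable.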
@@ -17,16 +20,18 @@ export async function test( // caller doesn't accidentally mistype --experimental and send their // configuration files to our backend by accident. assertIaCOptionsFlags(process.argv); - - if (options.experimental) { - // this path is an experimental feature feature for IaC which does issue scanning locally without sending files to our Backend servers. - // once ready for GA, it is aimed to deprecate our remote-processing model, so IaC file scanning in the CLI is done locally. - return localTest(pathToScan, options); + const iacOrgSettings = await getIacOrgSettings(); + const shouldOptOutFromLocalExec = await isFeatureFlagSupportedForOrg( + camelCase('opt-out-from-local-exec-iac'), + iacOrgSettings.meta.org, + ); + if (shouldOptOutFromLocalExec.ok || options.legacy) { + // this path allows users to opt-out from the local IaC scan which is GA and continue using the remote-processing legacy flow. + const results = await legacyTest(pathToScan, options); + return { + failures: options.iacDirFiles?.filter((file) => !!file.failureReason), + results, + }; } - - const results = await legacyTest(pathToScan, options); - return { - failures: options.iacDirFiles?.filter((file) => !!file.failureReason), - results, - }; + return localTest(pathToScan, options); } diff --git a/src/cli/index.ts b/src/cli/index.ts index 111758e2d2..265d7d36f6 100755 --- a/src/cli/index.ts +++ b/src/cli/index.ts @@ -3,8 +3,6 @@ import 'source-map-support/register'; import * as Debug from 'debug'; import * as pathLib from 'path'; -const camelCase = require('lodash.camelcase'); - // import args as a first internal module import { args as argsLib, Args, ArgsOptions } from './args'; // parse args as a first thing; argsLib modifies global namespace 
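Review bot: In the second `iac-test-shim.ts` hunk the choice between the local scan and the legacy flow that sends files to the backend waits on `getIacOrgSettings()` and `isFeatureFlagSupportedForOrg()` before `options.legacy` is looked at, so a `--legacy` run pays for two lookups it does not need, and a rejection from either call aborts the command before any scan starts (whether `localTest` makes the same calls is not visible here). Test the flag first, e.g. `if (options.legacy || (await shouldOptOutFromLocalExec()).ok) {` with the two awaits moved into a small helper (the helper name is a suggestion), and decide explicitly whether a failed lookup should fall through to `localTest`. The context comment above `assertIaCOptionsFlags(process.argv)` still warns about mistyping `--experimental`, which this commit removes; it should now name the routes that do upload, e.g. `// reject unknown flags early: only --legacy or the org opt-out flag may route files to the remote flow`. The body of `test` starts above the hunk.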
@@ -46,8 +44,6 @@ import { } from '../lib/types'; import { SarifFileOutputEmptyError } from '../lib/errors/empty-sarif-output-error'; import { InvalidDetectionDepthValue } from '../lib/errors/invalid-detection-depth-value'; -import { getIacOrgSettings } from './commands/test/iac-local-execution/org-settings/get-iac-org-settings'; -import { isFeatureFlagSupportedForOrg } from '../lib/feature-flags'; const debug = Debug('snyk'); const EXIT_CODES = { @@ -249,22 +245,6 @@ async function main() { (globalArgs.options as unknown) as AllSupportedCliOptions, ); - // IaC only: used for rolling out the experimental flow - // modify args if experimental flag not provided, based on feature flag - // this can be removed once experimental becomes the default - if ( - globalArgs.options['iac'] && - globalArgs.command === 'test' && - !globalArgs.options['experimental'] - ) { - const iacOrgSettings = await getIacOrgSettings(); - const experimentalFlowEnabled = await isFeatureFlagSupportedForOrg( - camelCase('experimental-local-exec-iac'), - iacOrgSettings.meta.org, - ); - globalArgs.options['experimental'] = !!experimentalFlowEnabled.ok; - } - if (globalArgs.options['app-vulns'] && globalArgs.options['json']) { throw new UnsupportedOptionCombinationError([ 'Application vulnerabilities is currently not supported with JSON output. ' + diff --git a/test/acceptance/cli-test/cli-test.acceptance.test.ts b/test/acceptance/cli-test/cli-test.acceptance.test.ts index 5c93edf4de..84a398c68a 100644 --- a/test/acceptance/cli-test/cli-test.acceptance.test.ts +++ b/test/acceptance/cli-test/cli-test.acceptance.test.ts 
@@ -26,8 +26,6 @@ import { RubyTests } from './cli-test.ruby.spec'; import { SbtTests } from './cli-test.sbt.spec'; import { YarnTests } from './cli-test.yarn.spec'; import { ElixirTests } from './cli-test.elixir.spec'; -import { IacK8sTests } from './iac/cli-test.iac-k8s.spec'; -import { IacDirTests } from './iac/cli-test.iac-dir.spec'; import { YarnWorkspacesTests } from './cli-test.yarn-workspaces.spec'; // import { AllProjectsTests } from './cli-test.all-projects.spec'; TODO @boost temporary disable flaky test @@ -44,8 +42,6 @@ const languageTests: AcceptanceTests[] = [ RubyTests, SbtTests, YarnTests, - IacK8sTests, - IacDirTests, YarnWorkspacesTests, ElixirTests, ]; diff --git a/test/acceptance/cli-test/iac/cli-test.iac-dir.spec.ts b/test/acceptance/cli-test/iac/cli-test.iac-dir.spec.ts deleted file mode 100644 index 5a4ebb551e..0000000000 --- a/test/acceptance/cli-test/iac/cli-test.iac-dir.spec.ts +++ /dev/null 
@@ -1,197 +0,0 @@ -import { - iacTest, - iacTestJson, - iacTestSarif, - iacErrorTest, - iacTestJsonAssertions, - iacTestSarifAssertions, - iacTestSarifFileOutput, - IacAcceptanceTestType, -} from './cli-test.iac-utils'; - -import { AcceptanceTests } from '../cli-test.acceptance.test'; - -/** - * There's a Super weird bug when referncing Typescript Enum values (i.e. SEVERITY.medium), which causes all the to tests breaks. - * Probably some bad compatability with the Tap library & Ts-Node for supporting ENUMS. - * - * */ - -export const IacDirTests: AcceptanceTests = { - language: 'Iac - Directory (Kubernetes)', - tests: { - '`iac test directory`': (params, utils) => async (t) => { - utils.chdirWorkspaces(); - - await params.cli.test('iac-kubernetes/', { - iac: true, - }); - - const req = params.server.popRequest(); - t.equal(req.method, 'POST', 'makes POST request'); - t.equal( - req.headers['x-snyk-cli-version'], - params.versionNumber, - 'sends version number', - ); - t.match(req.url, '/test-iac', 'posts to correct url'); - t.equal(req.body.type, 'k8sconfig'); - }, - - '`iac test - not a real dir`': (params, utils) => async (t) => - await iacErrorTest( - t, - utils, - params, - 'nonono', - 'iac test option currently supports only a single local file', - ), - - '`iac test directory --severity-threshold=low`': (params, utils) => async ( - t, - ) => - await iacTest( - t, - utils, - params, - 'low', - 3, - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=medium`': ( - params, - utils, - ) => async (t) => - await iacTest( - t, - utils, - params, - 'medium', - 2, - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=high`': (params, utils) => async ( - t, - ) => - await iacTest( - t, - utils, - params, - 'high', - 1, - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --json - no issues`': (params, utils) => async (t) => { - utils.chdirWorkspaces(); - const testableObject = await 
params.cli.test('iac-kubernetes/', { - iac: true, - json: true, - }); - const res: any = JSON.parse(testableObject); - iacTestJsonAssertions( - t, - res, - null, - false, - IacAcceptanceTestType.DIRECTORY, - ); - }, - '`iac test directory --severity-threshold=low --json`': ( - params, - utils, - ) => async (t) => - await iacTestJson( - t, - utils, - params, - 'low', - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=medium --json`': ( - params, - utils, - ) => async (t) => - await iacTestJson( - t, - utils, - params, - 'medium', - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=high --json`': ( - params, - utils, - ) => async (t) => - await iacTestJson( - t, - utils, - params, - 'high', - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --sarif - no issues`': (params, utils) => async ( - t, - ) => { - utils.chdirWorkspaces(); - const testableObject = await params.cli.test('iac-kubernetes/', { - iac: true, - sarif: true, - }); - const res: any = JSON.parse(testableObject); - iacTestSarifAssertions(t, res, null, false); - }, - '`iac test directory --severity-threshold=low --sarif`': ( - params, - utils, - ) => async (t) => - await iacTestSarif( - t, - utils, - params, - 'low', - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=medium --sarif`': ( - params, - utils, - ) => async (t) => - await iacTestSarif( - t, - utils, - params, - 'medium', - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=high --sarif`': ( - params, - utils, - ) => async (t) => - await iacTestSarif( - t, - utils, - params, - 'high', - IacAcceptanceTestType.DIRECTORY, - ), - - '`iac test directory --severity-threshold=high --sarif --sarif-file-output=test.json`': ( - params, - utils, - ) => async (t) => - await iacTestSarifFileOutput( - t, - utils, - params, - 'high', - IacAcceptanceTestType.DIRECTORY, - ), - }, -}; 
diff --git a/test/acceptance/cli-test/iac/cli-test.iac-k8s.spec.ts b/test/acceptance/cli-test/iac/cli-test.iac-k8s.spec.ts deleted file mode 100644 index aaa5e9763d..0000000000 --- a/test/acceptance/cli-test/iac/cli-test.iac-k8s.spec.ts +++ /dev/null 
@@ -1,264 +0,0 @@ -import { - iacTest, - iacTestJson, - iacTestSarif, - iacErrorTest, - iacTestMetaAssertions, - iacTestJsonAssertions, - iacTestSarifAssertions, - iacTestResponseFixturesByThreshold, - iacTestSarifFileOutput, - IacAcceptanceTestType, -} from './cli-test.iac-utils'; -import { CommandResult } from '../../../../src/cli/commands/types'; - -import { AcceptanceTests } from '../cli-test.acceptance.test'; - -/** - * There's a Super weird bug when referncing Typescript Enum values (i.e. SEVERITY.medium), which causes all the to tests breaks. - * Probably some bad compatability with the Tap library & Ts-Node for supporting ENUMS. - * - * */ - -export const IacK8sTests: AcceptanceTests = { - language: 'Iac (Kubernetes)', - tests: { - '`iac test multi.yaml - no issues`': (params, utils) => async (t) => { - utils.chdirWorkspaces(); - - await params.cli.test('iac-kubernetes/multi-file.yaml', { - iac: true, - }); - - const req = params.server.popRequest(); - t.equal(req.method, 'POST', 'makes POST request'); - t.equal( - req.headers['x-snyk-cli-version'], - params.versionNumber, - 'sends version number', - ); - t.match(req.url, '/test-iac', 'posts to correct url'); - t.equal(req.body.type, 'k8sconfig'); - }, - - '`iac test - not a real dir`': (params, utils) => async (t) => - await iacErrorTest( - t, - utils, - params, - 'nonono', - 'iac test option currently supports only a single local file', - ), - - '`iac test multi-file.yaml meta - no issues': (params, utils) => async ( - t, - ) => { - utils.chdirWorkspaces(); - const commandResult: CommandResult = await params.cli.test( - 'iac-kubernetes/multi-file.yaml', - { - iac: true, - }, - ); - const res = commandResult.getDisplayResults(); - iacTestMetaAssertions(t, res, IacAcceptanceTestType.SINGLE_K8S_FILE); - }, - - '`iac test multi-file.yaml`': (params, utils) => async (t) => { - utils.chdirWorkspaces(); - - params.server.setNextResponse(iacTestResponseFixturesByThreshold['low']); - - try { - await 
params.cli.test('iac-kubernetes/multi-file.yaml', { - iac: true, - }); - t.fail('should have thrown'); - } catch (err) { - const res = err.message; - - t.match( - res, - 'Tested multi-file.yaml for known issues, found 3 issues', - '3 issue', - ); - - const issues = res - .slice( - res.indexOf('Infrastructure as code issues:'), - res.indexOf('Organization:'), - ) - .split('\n'); - t.ok(issues[1].includes('[SNYK-CC-K8S-'), 'Snyk id'); - t.ok( - issues[2].trim().startsWith('introduced by'), - 'Introduced by line', - ); - t.ok(issues[3] === '', 'description'); - t.ok(issues[4].includes('[SNYK-CC-K8S-'), 'Snyk id'); - t.ok( - issues[5].trim().startsWith('introduced by'), - 'Introduced by line', - ); - t.ok(issues[6] === '', 'Empty line after description'); - iacTestMetaAssertions(t, res, IacAcceptanceTestType.SINGLE_K8S_FILE); - } - }, - '`iac test multi-file.yaml --severity-threshold=low`': ( - params, - utils, - ) => async (t) => - await iacTest( - t, - utils, - params, - 'low', - 3, - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=medium`': ( - params, - utils, - ) => async (t) => - await iacTest( - t, - utils, - params, - 'medium', - 2, - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=high`': ( - params, - utils, - ) => async (t) => - await iacTest( - t, - utils, - params, - 'high', - 1, - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --json - no issues`': (params, utils) => async ( - t, - ) => { - utils.chdirWorkspaces(); - const testableObject = await params.cli.test( - 'iac-kubernetes/multi-file.yaml', - { - iac: true, - json: true, - }, - ); - const res: any = JSON.parse(testableObject); - iacTestJsonAssertions( - t, - res, - null, - false, - IacAcceptanceTestType.SINGLE_K8S_FILE, - ); - }, - '`iac test multi-file.yaml --severity-threshold=low --json`': ( - params, - utils, - ) => async (t) => - await iacTestJson( - t, - utils, - params, 
- 'low', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=medium --json`': ( - params, - utils, - ) => async (t) => - await iacTestJson( - t, - utils, - params, - 'medium', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=high --json`': ( - params, - utils, - ) => async (t) => - await iacTestJson( - t, - utils, - params, - 'high', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --sarif - no issues`': (params, utils) => async ( - t, - ) => { - utils.chdirWorkspaces(); - const testableObject = await params.cli.test( - 'iac-kubernetes/multi-file.yaml', - { - iac: true, - sarif: true, - }, - ); - const res: any = JSON.parse(testableObject); - iacTestSarifAssertions(t, res, null, false); - }, - '`iac test multi-file.yaml --severity-threshold=low --sarif`': ( - params, - utils, - ) => async (t) => - await iacTestSarif( - t, - utils, - params, - 'low', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=medium --sarif`': ( - params, - utils, - ) => async (t) => - await iacTestSarif( - t, - utils, - params, - 'medium', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=high --sarif`': ( - params, - utils, - ) => async (t) => - await iacTestSarif( - t, - utils, - params, - 'high', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - - '`iac test multi-file.yaml --severity-threshold=high --sarif --sarif-file-output=test.json`': ( - params, - utils, - ) => async (t) => - await iacTestSarifFileOutput( - t, - utils, - params, - 'high', - IacAcceptanceTestType.SINGLE_K8S_FILE, - ), - }, -}; diff --git a/test/acceptance/cli-test/iac/cli-test.iac-utils.ts b/test/acceptance/cli-test/iac/cli-test.iac-utils.ts deleted file mode 100644 index 6043305da8..0000000000 --- a/test/acceptance/cli-test/iac/cli-test.iac-utils.ts +++ /dev/null 
@@ -1,356 +0,0 @@ -const sortBy = require('lodash.sortby'); -import { - mapIacTestResult, - AnnotatedIacIssue, - IacTestResponse, -} from '../../../../src/lib/snyk-test/iac-test-result'; -import { Log, Run, Result } from 'sarif'; -import { basename } from 'path'; - -export enum IacAcceptanceTestType { - SINGLE_K8S_FILE = 1, - DIRECTORY = 2, -} - -const testParams = { - [IacAcceptanceTestType.SINGLE_K8S_FILE]: { - testPath: 'iac-kubernetes/multi-file.yaml', - displayFilePath: 'iac-kubernetes/multi-file.yaml', - }, - [IacAcceptanceTestType.DIRECTORY]: { - testPath: 'iac-kubernetes/', - displayFilePath: 'multi-file.yaml', - }, -}; - -export async function iacTestPrep( - t, - utils, - params, - severityThreshold, - additionaLpropsForCli, - testType: IacAcceptanceTestType, -) { - utils.chdirWorkspaces(); - const iacTestResponse = iacTestResponseFixturesByThreshold[severityThreshold]; - params.server.setNextResponse(iacTestResponse); - - try { - await params.cli.test(testParams[testType].testPath, { - iac: true, - ...additionaLpropsForCli, - }); - t.fail('should have thrown'); - } catch (testableObject) { - return testableObject; - } -} - -export async function iacErrorTest(t, utils, params, testArg, expectedError) { - utils.chdirWorkspaces(); - - try { - await params.cli.test(testArg, { - iac: true, - }); - t.fail('should have failed'); - } catch (err) { - t.pass('throws err'); - t.match(err.message, expectedError, 'shows err'); - } -} - -export async function iacTestJson( - t, - utils, - params, - severityThreshold, - testType: IacAcceptanceTestType, -) { - const testableObject = await iacTestPrep( - t, - utils, - params, - severityThreshold, - { severityThreshold, json: true }, - testType, - ); - const req = params.server.popRequest(); - t.is(req.query.severityThreshold, severityThreshold); - - const results = JSON.parse(testableObject.message); - const expectedResults = mapIacTestResult( - iacTestResponseFixturesByThreshold[severityThreshold], - ); - - 
iacTestJsonAssertions(t, results, expectedResults, true, testType); -} - -export async function iacTestSarif( - t, - utils, - params, - severityThreshold, - testType: IacAcceptanceTestType, -) { - const testableObject = await iacTestPrep( - t, - utils, - params, - severityThreshold, - { severityThreshold, sarif: true }, - testType, - ); - const req = params.server.popRequest(); - t.is(req.query.severityThreshold, severityThreshold); - - const results = JSON.parse(testableObject.message); - const expectedResults = mapIacTestResult( - iacTestResponseFixturesByThreshold[severityThreshold], - ); - - iacTestSarifAssertions(t, results, expectedResults); -} - -export async function iacTestSarifFileOutput( - t, - utils, - params, - severityThreshold, - testType: IacAcceptanceTestType, -) { - const testableObject = await iacTestPrep( - t, - utils, - params, - severityThreshold, - { severityThreshold, sarif: true }, - testType, - ); - const req = params.server.popRequest(); - t.is(req.query.severityThreshold, severityThreshold); - - const results = JSON.parse(testableObject.message); - const sarifStringifiedResults = JSON.parse( - testableObject.sarifStringifiedResults, - ); - t.deepEqual( - results, - sarifStringifiedResults, - 'stdout and stringified sarif results are the same', - ); -} - -export async function iacTest( - t, - utils, - params, - severityThreshold, - numOfIssues, - testType: IacAcceptanceTestType, -) { - const testableObject = await iacTestPrep( - t, - utils, - params, - severityThreshold, - {}, - testType, - ); - const res = testableObject.message; - t.match( - res, - `Tested ${basename( - testParams[testType].displayFilePath, - )} for known issues, found ${numOfIssues} issues`, - `${numOfIssues} issue`, - ); - iacTestMetaAssertions(t, res, testType); -} - -export function iacTestMetaAssertions(t, res, testType: IacAcceptanceTestType) { - const currTestParams = testParams[testType]; - - const meta = res.slice(res.indexOf('Organization:')).split('\n'); - 
t.match(meta[0], /Organization:\s+test-org/, 'organization displayed'); - t.match(meta[1], /Type:\s+Kubernetes/, 'Type displayed'); - t.match( - meta[2], - `Target file: ${currTestParams.displayFilePath}`, - 'target file displayed', - ); - t.match(meta[3], /Project name:\s+iac-kubernetes/, 'project name displayed'); - t.match(meta[4], /Open source:\s+no/, 'open source displayed'); - t.match(meta[5], /Project path:\s+iac-kubernetes/, 'path displayed'); - t.notMatch( - meta[5], - /Local Snyk policy:\s+found/, - 'local policy not displayed', - ); -} - -export function iacTestJsonAssertions( - t, - results, - expectedResults, - foundIssues = true, - testType: IacAcceptanceTestType, -) { - const currTestParams = testParams[testType]; - t.deepEqual(results.org, 'test-org', 'org is ok'); - t.deepEqual(results.projectType, 'k8sconfig', 'projectType is ok'); - t.deepEqual(results.path, currTestParams.testPath, 'path is ok'); - t.deepEqual(results.projectName, 'iac-kubernetes', 'projectName is ok'); - t.deepEqual( - results.targetFile, - currTestParams.displayFilePath, - 'targetFile is ok', - ); - t.deepEqual(results.dependencyCount, 0, 'dependencyCount is 0'); - t.deepEqual(results.vulnerabilities, [], 'vulnerabilities is empty'); - t.equal(results.cloudConfigResults, undefined); - if (foundIssues) { - t.deepEqual( - sortBy(results.infrastructureAsCodeIssues, 'id'), - sortBy(expectedResults.infrastructureAsCodeIssues, 'id'), - 'issues are the same', - ); - } else { - t.deepEqual(results.infrastructureAsCodeIssues, []); - } -} - -function getDistinctIssueIds(infrastructureAsCodeIssues): string[] { - const issueIdsSet = new Set(); - infrastructureAsCodeIssues.forEach((issue) => { - issueIdsSet.add(issue.id); - }); - return [...new Set(issueIdsSet)]; -} - -export function iacTestSarifAssertions( - t, - results: Log, - expectedResults, - foundIssues = true, -) { - t.deepEqual(results.version, '2.1.0', 'version is ok'); - t.deepEqual(results.runs.length, 1, 'number of runs is 
ok'); - const run: Run = results.runs[0]; - t.deepEqual( - run.tool.driver.name, - 'Snyk Infrastructure as Code', - 'tool name is ok', - ); - if (!foundIssues) { - t.deepEqual(run.tool.driver.rules!.length, 0, 'number of rules is ok'); - t.deepEqual(run.results!.length, 0, 'number of issues is ok'); - - return; - } - - const distictIssueIds = getDistinctIssueIds( - expectedResults.infrastructureAsCodeIssues, - ); - t.deepEqual( - run.tool.driver.rules!.length, - distictIssueIds.length, - 'number of rules is ok', - ); - t.deepEqual( - run.results!.length, - expectedResults.infrastructureAsCodeIssues.length, - 'number of issues is ok', - ); - for (let i = 0; i < run.results!.length; i++) { - const sarifIssue: Result = run.results![i]; - const expectedIssue = expectedResults.infrastructureAsCodeIssues[i]; - t.deepEqual(sarifIssue.ruleId, expectedIssue.id, 'issue id is ok'); - - const messageText = `This line contains a potential ${expectedIssue.severity} severity misconfiguration affecting the Kubernetes ${expectedIssue.subType}`; - t.deepEqual(sarifIssue.message.text, messageText, 'issue message is ok'); - t.deepEqual( - sarifIssue.locations![0]!.physicalLocation!.artifactLocation!.uri, - 'iac-kubernetes/multi-file.yaml', - 'issue uri is ok', - ); - t.deepEqual( - sarifIssue.locations![0].physicalLocation!.region!.startLine, - expectedIssue.lineNumber, - 'issue message is ok', - ); - } -} - -function generateDummyIssue(severity): AnnotatedIacIssue { - return { - iacDescription: { issue: '', impact: '', resolve: '' }, - id: 'SNYK-CC-K8S-1', - title: 'Reducing the admission of containers with dropped capabilities', - name: 'Reducing the admission of containers with dropped capabilities', - from: [], - description: - '## Overview Privileged containers can do nearly everything a process on the host can do, and provide no isolation from other workloads. Avoid where possible. 
## Remediation Change to `false` ## References ad', - cloudConfigPath: [ - '[DocId: 2]', - 'input', - 'spec', - 'requiredDropCapabilities', - ], - severity, - isIgnored: false, - type: 'k8s', - subType: 'Deployment', - path: [], - lineNumber: 1, - documentation: 'https://snyk.io/security-rules/SNYK-CC-K8S-1', - }; -} - -function generateDummyTestData( - cloudConfigResults: AnnotatedIacIssue[], -): IacTestResponse { - return { - path: '', - targetFile: '', - projectName: '', - displayTargetFile: '', - foundProjectCount: 1, - ok: false, - org: '', - summary: '', - isPrivate: false, - result: { - projectType: 'k8sconfig', - cloudConfigResults, - }, - meta: { - org: 'test-org', - isPublic: false, - isLicensesEnabled: false, - policy: '', - }, - }; -} - -export const iacTestResponseFixturesByThreshold = { - high: generateDummyTestData( - ['high'].map((severity) => generateDummyIssue(severity)), - ), - medium: generateDummyTestData( - ['high', 'medium'].map((severity) => generateDummyIssue(severity)), - ), - low: generateDummyTestData( - ['high', 'medium', 'low'].map((severity) => generateDummyIssue(severity)), - ), -}; - -export const iacOrgSettings = { - meta: { - isPrivate: false, - isLicensesEnabled: false, - ignoreSettings: null, - org: 'test-org', - }, - customPolicies: {}, -}; diff --git a/test/jest/acceptance/cli-args.spec.ts b/test/jest/acceptance/cli-args.spec.ts index 0fa559e79f..4494862356 100644 --- a/test/jest/acceptance/cli-args.spec.ts +++ b/test/jest/acceptance/cli-args.spec.ts @@ -72,7 +72,7 @@ test('snyk test command should fail when iac --file is specified', async () => { test('snyk test command should fail when iac file is not supported', async () => { const { code, stdout } = await runCLI( - `iac test ./test/acceptance/workspaces/empty/readme.md`, + `iac test ./test/acceptance/workspaces/empty/readme.md --legacy`, ); expect(stdout).toMatch('Illegal infrastructure as code target file'); 
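Review bot: Appending `--legacy` to the `runCLI` call keeps the 'iac file is not supported' assertion green but moves it off the default path, so nothing in `cli-args.spec.ts` now checks what a plain `iac test` prints for an unsupported file. The same edit is made in the next hunk of this file and in the visible cases of `snyk_test_directory_spec.sh` and `snyk_test_k8s_spec.sh`; the hunks of `snyk_test_local_exec_spec.sh` are not visible here, so coverage of the new default may live there. Consider keeping one case per file without the flag, asserting the local flow's own message. Both tests in this file also carry the same title, which makes a failure hard to attribute.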
@@ -81,7 +81,7 @@ test('snyk test command should fail when iac file is not supported', async () => test('snyk test command should fail when iac file is not supported', async () => { const { code, stdout } = await runCLI( - `iac test ./test/acceptance/workspaces/helmconfig/Chart.yaml`, + `iac test ./test/acceptance/workspaces/helmconfig/Chart.yaml --legacy`, ); expect(stdout).toMatch( diff --git a/test/jest/unit/iac-unit-tests/assert-iac-options-flag.spec.ts b/test/jest/unit/iac-unit-tests/assert-iac-options-flag.spec.ts index 43382c435f..f93b726c02 100644 --- a/test/jest/unit/iac-unit-tests/assert-iac-options-flag.spec.ts +++ b/test/jest/unit/iac-unit-tests/assert-iac-options-flag.spec.ts @@ -11,7 +11,6 @@ describe('assertIaCOptionsFlags()', () => { const options = [ '--debug', '--insecure', - '--experimental', '--detection-depth', '--severity-threshold', '--json', @@ -24,6 +23,7 @@ describe('assertIaCOptionsFlags()', () => { '--help', '-q', '--quiet', + '--legacy', ]; expect(() => assertIaCOptionsFlags([...command, ...options, ...files]), diff --git a/test/smoke/spec/iac/snyk_test_directory_spec.sh b/test/smoke/spec/iac/snyk_test_directory_spec.sh index 61fc6edf67..c862e72843 100644 --- a/test/smoke/spec/iac/snyk_test_directory_spec.sh +++ b/test/smoke/spec/iac/snyk_test_directory_spec.sh @@ -6,7 +6,7 @@ Describe "Snyk iac test command" Describe "terraform directory scan" Skip if "execute only in regression test" check_if_regression_test It "finds issues in terraform directory" - When run snyk iac test ../fixtures/iac/terraform/ + When run snyk iac test ../fixtures/iac/terraform/ --legacy The status should be failure # issues found The output should include "Testing sg_open_ssh.tf..." 
@@ -34,7 +34,7 @@ Describe "Snyk iac test command" End It "filters out issues when using severity threshold" - When run snyk iac test ../fixtures/iac/terraform --severity-threshold=high + When run snyk iac test ../fixtures/iac/terraform --severity-threshold=high --legacy The status should be success # no issues found The output should include "Testing sg_open_ssh.tf..." @@ -58,14 +58,14 @@ Describe "Snyk iac test command" End It "outputs the expected text when running with --sarif flag" - When run snyk iac test ../fixtures/iac/terraform/ --sarif + When run snyk iac test ../fixtures/iac/terraform/ --sarif --legacy The status should be failure The output should include '"id": "SNYK-CC-TF-1",' The output should include '"ruleId": "SNYK-CC-TF-1",' End It "outputs the expected text when running with --json flag" - When run snyk iac test ../fixtures/iac/terraform/ --json + When run snyk iac test ../fixtures/iac/terraform/ --json --legacy The status should be failure The output should include '"id": "SNYK-CC-TF-1",' The output should include '"packageManager": "terraformconfig",' diff --git a/test/smoke/spec/iac/snyk_test_k8s_spec.sh b/test/smoke/spec/iac/snyk_test_k8s_spec.sh index ee753708a7..7692db79fd 100644 --- a/test/smoke/spec/iac/snyk_test_k8s_spec.sh +++ b/test/smoke/spec/iac/snyk_test_k8s_spec.sh @@ -7,7 +7,7 @@ Describe "Snyk iac test command" Describe "k8s single file scan" Skip if "execute only in regression test" check_if_regression_test It "finds issues in k8s file" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --legacy The status should be failure # issues found The output should include "Testing pod-privileged.yaml..." 
@@ -27,7 +27,7 @@ Describe "Snyk iac test command" End It "filters out issues when using severity threshold" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --severity-threshold=high + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --severity-threshold=high --legacy The status should be failure # one issue found The output should include "Testing pod-privileged.yaml..." @@ -45,20 +45,20 @@ Describe "Snyk iac test command" End It "outputs an error for files with no valid k8s objects" - When run snyk iac test ../fixtures/iac/kubernetes/pod-invalid.yaml + When run snyk iac test ../fixtures/iac/kubernetes/pod-invalid.yaml --legacy The status should be failure The output should include "Illegal infrastructure as code target file pod-invalid.yaml" End It "outputs the expected text when running with --sarif flag" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --sarif + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --sarif --legacy The status should be failure The output should include '"id": "SNYK-CC-K8S-1",' The output should include '"ruleId": "SNYK-CC-K8S-1",' End It "outputs the expected text when running with --json flag" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --json + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --json --legacy The status should be failure The output should include '"id": "SNYK-CC-K8S-1",' The output should include '"packageManager": "k8sconfig",' diff --git a/test/smoke/spec/iac/snyk_test_local_exec_spec.sh b/test/smoke/spec/iac/snyk_test_local_exec_spec.sh index d1a8c84ab7..d4d3b36153 100644 --- a/test/smoke/spec/iac/snyk_test_local_exec_spec.sh +++ b/test/smoke/spec/iac/snyk_test_local_exec_spec.sh 
@@ -1,14 +1,14 @@ #shellcheck shell=sh -Describe "Snyk iac test --experimental command" +Describe "Snyk iac local test command" Skip if "execute only in regression test" check_if_regression_test Before snyk_login After snyk_logout Describe "basic usage" - It "outputs an error if the --experimental flag is mistyped" - When run snyk iac test ../fixtures/iac/kubernetes/pod-invalid.yaml --experimentl + It "outputs an error if the flag is not supported or mistyped" + When run snyk iac test ../fixtures/iac/kubernetes/pod-invalid.yaml --experimental The status should equal 2 The output should include "Unsupported flag" End @@ -17,7 +17,7 @@ Describe "Snyk iac test --experimental command" Describe "logging regression tests" It "does not include file content in analytics logs" # Run with the -d flag on directory to output network requests and analytics data. - When run snyk iac test ../fixtures/iac/file-logging -d --experimental + When run snyk iac test ../fixtures/iac/file-logging -d # We expect the output, specifically the analytics block not to include # the following text from the file. The status should equal 1 # issues found @@ -28,7 +28,7 @@ Describe "Snyk iac test --experimental command" Describe "k8s single file scan" It "finds issues in k8s file" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --experimental + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml The status should equal 1 # issues found The output should include "Testing pod-privileged.yaml..." @@ -39,7 +39,7 @@ Describe "Snyk iac test --experimental command" End It "filters out issues when using severity threshold" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --experimental --severity-threshold=high + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --severity-threshold=high The status should equal 1 # one issue found The output should include "Testing pod-privileged.yaml..." 
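Review bot: The rewritten first test in snyk_test_local_exec_spec.sh (hunk -1,14) shows that `--experimental` is now rejected with status 2 and "Unsupported flag", so every existing invocation that still passes the flag becomes a hard failure instead of a scan. Where a CI job gates only on status 1 (issues found), the IaC check would stop running without any finding being reported. It is worth either accepting the flag as a deprecated no-op with a warning for one release or calling the removal out in the release notes. The mistyped-flag case (`--experimentl`) is also no longer exercised; keeping it as a second `It` beside the removed-flag case would cover both. The enclosing `Describe "basic usage"` block continues outside the hunk.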
@@ -49,27 +49,27 @@ Describe "Snyk iac test --experimental command" End It "outputs an error for files with no valid k8s objects" - When run snyk iac test ../fixtures/iac/kubernetes/pod-invalid.yaml --experimental + When run snyk iac test ../fixtures/iac/kubernetes/pod-invalid.yaml The status should equal 2 The output should include "We were unable to detect whether the YAML file" End It "outputs an error for Helm files" - When run snyk iac test ../fixtures/iac/kubernetes/helm-config.yaml --experimental + When run snyk iac test ../fixtures/iac/kubernetes/helm-config.yaml The status should equal 2 The output should include "We were unable to parse the YAML file" The output should include "do not support scanning of Helm files" End It "outputs the expected text when running with --sarif flag" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --experimental --sarif + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --sarif The status should equal 1 The output should include '"id": "SNYK-CC-K8S-1",' The output should include '"ruleId": "SNYK-CC-K8S-1",' End It "outputs the expected text when running with --json flag" - When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --experimental --json + When run snyk iac test ../fixtures/iac/kubernetes/pod-privileged.yaml --json The status should equal 1 The output should include '"id": "SNYK-CC-K8S-1",' The output should include '"packageManager": "k8sconfig",' @@ -79,7 +79,7 @@ Describe "Snyk iac test --experimental command" Describe "terraform single file scan" It "finds issues in terraform file" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --experimental + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf The status should equal 1 # issues found The output should include "Testing sg_open_ssh.tf..." 
@@ -90,7 +90,7 @@ Describe "Snyk iac test --experimental command" End It "filters out issues when using severity threshold" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --experimental --severity-threshold=high + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --severity-threshold=high The status should equal 0 # no issues found The output should include "Testing sg_open_ssh.tf..." @@ -101,20 +101,20 @@ Describe "Snyk iac test --experimental command" # TODO: currently skipped because the parser we're using doesn't fail on invalid terraform # will be fixed before beta It "outputs an error for invalid terraforom files" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh_invalid_hcl2.tf --experimental + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh_invalid_hcl2.tf The status should equal 2 The output should include "We were unable to parse the Terraform file" End It "outputs the expected text when running with --sarif flag" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --experimental --sarif + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --sarif The status should equal 1 The output should include '"id": "SNYK-CC-TF-1",' The output should include '"ruleId": "SNYK-CC-TF-1",' End It "outputs the expected text when running with --json flag" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --experimental --json + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --json The status should equal 1 The output should include '"id": "SNYK-CC-TF-1",' The output should include '"packageManager": "terraformconfig",' 
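Review bot: The context comment above the invalid-Terraform test (hunk -101,20) still reads `# TODO: currently skipped ... will be fixed before beta`, which no longer fits a flow this commit makes the default. The test is declared with a plain `It` and asserts status 2, so it does not appear to be skipped. I would replace the TODO with `# Invalid HCL2 must fail with exit code 2 rather than be reported as a clean scan.` and fix the title typo to `It "outputs an error for invalid terraform files"`. If the parser limitation mentioned in the TODO still exists, the test should be marked as skipped explicitly so the gap is visible.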
@@ -122,7 +122,7 @@ Describe "Snyk iac test --experimental command" End It "outputs the expected text when running with --json flag and getting no vulnerabilities" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --experimental --severity-threshold=high --json + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --severity-threshold=high --json The status should equal 0 # no issues found The output should not include '"id": "SNYK-CC-TF-1",' The output should include '"packageManager": "terraformconfig",' @@ -132,7 +132,7 @@ Describe "Snyk iac test --experimental command" Describe "directory scanning" It "finds issues in a directory with Terraform files" - When run snyk iac test ../fixtures/iac/terraform/ --experimental + When run snyk iac test ../fixtures/iac/terraform/ The status should equal 1 # issues found # First File The output should include "Testing sg_open_ssh.tf..." @@ -147,7 +147,7 @@ Describe "Snyk iac test --experimental command" End It "finds issues in a directory with Kubernetes files" - When run snyk iac test ../fixtures/iac/kubernetes/ --experimental + When run snyk iac test ../fixtures/iac/kubernetes/ The status should equal 1 # issues found # First File The output should include "Testing pod-privileged.yaml..." @@ -162,7 +162,7 @@ Describe "Snyk iac test --experimental command" End It "limits the depth of the directories" - When run snyk iac test ../fixtures/iac/depth_detection/ --experimental --detection-depth=2 + When run snyk iac test ../fixtures/iac/depth_detection/ --detection-depth=2 The status should equal 0 # no issues found # Only File The output should include "Testing one.tf..." 
@@ -181,7 +181,7 @@ Describe "Snyk iac test --experimental command" Describe "Testing status code when issues found" Describe "Using the --json flag" It "returns 1 even if some files failed to parse" - When run snyk iac test ../fixtures/iac/kubernetes/ --experimental --json + When run snyk iac test ../fixtures/iac/kubernetes/ --json The status should equal 1 The output should not equal "" The stderr should equal "" @@ -190,7 +190,7 @@ Describe "Snyk iac test --experimental command" Describe "Not using the --json flag" It "returns 1 even if some files failed to parse" - When run snyk iac test ../fixtures/iac/kubernetes/ --experimental + When run snyk iac test ../fixtures/iac/kubernetes/ The status should equal 1 The output should not equal "" The stderr should equal "" @@ -201,7 +201,7 @@ Describe "Snyk iac test --experimental command" Describe "Testing status code when no issues found" Describe "Using the --json flag" It "returns 0 even if some files failed to parse" - When run snyk iac test ../fixtures/iac/no_vulnerabilities/ --experimental --severity-threshold=high --json + When run snyk iac test ../fixtures/iac/no_vulnerabilities/ --severity-threshold=high --json The status should equal 0 The output should not equal "" The stderr should equal "" @@ -210,7 +210,7 @@ Describe "Snyk iac test --experimental command" Describe "Not using the --json flag" It "returns 0 even if some files failed to parse" - When run snyk iac test ../fixtures/iac/no_vulnerabilities/ --experimental --severity-threshold=high + When run snyk iac test ../fixtures/iac/no_vulnerabilities/ --severity-threshold=high The status should equal 0 The output should not equal "" The stderr should equal "" 
@@ -223,7 +223,7 @@ Describe "Snyk iac test --experimental command" # Note that this now defaults to the delta scan, not the full scan. # in the future a flag will be added to control this functionality. It "finds issues in a Terraform plan file" - When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --experimental + When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json The status should equal 1 # issues found The output should include "tf-plan-create.json" @@ -237,7 +237,7 @@ Describe "Snyk iac test --experimental command" End It "finds issues in a Terraform plan file - full scan flag" - When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --experimental --scan=planned-values + When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --scan=planned-values The status should equal 1 # issues found The output should include "Testing tf-plan-create.json" @@ -251,7 +251,7 @@ Describe "Snyk iac test --experimental command" End It "finds issues in a Terraform plan file - explicit delta scan with flag" - When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --experimental --scan=resource-changes + When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --scan=resource-changes The status should equal 1 # issues found The output should include "Testing tf-plan-create.json" 
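Review bot: The comment above the first Terraform-plan test (hunk -223,7) still says `in the future a flag will be added to control this functionality`, but the two hunks that follow exercise `--scan`, so it is stale. Now that this path is the default for every user, the comment should state the consequence: without a `--scan` value only the proposed changes are analysed, and a full-state scan needs `--scan=planned-values`. Suggested wording: `# Defaults to the delta scan (resource-changes); pass --scan=planned-values to scan the full planned state.`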
@@ -265,13 +265,13 @@ Describe "Snyk iac test --experimental command" End It "errors when a wrong value is passed to the --scan flag" - When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json.json --experimental --scan=rsrc-changes + When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json.json --scan=rsrc-changes The status should equal 2 # failure The output should include "Unsupported value" End It "errors when no value is provided to the --scan flag" - When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json.json --experimental --scan + When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json.json --scan The status should equal 2 # failure The output should include "Unsupported value" End diff --git a/test/smoke/spec/iac/snyk_test_terraform_spec.sh b/test/smoke/spec/iac/snyk_test_terraform_spec.sh index 3c68d88134..c4db6a8724 100644 --- a/test/smoke/spec/iac/snyk_test_terraform_spec.sh +++ b/test/smoke/spec/iac/snyk_test_terraform_spec.sh @@ -7,7 +7,7 @@ Describe "Snyk iac test command" Describe "terraform single file scan" Skip if "execute only in regression test" check_if_regression_test It "finds issues in terraform file" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --legacy The status should be failure # issues found The output should include "Testing sg_open_ssh.tf..." # Outputs issues @@ -26,7 +26,7 @@ Describe "Snyk iac test command" End It "filters out issues when using severity threshold" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --severity-threshold=high + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --severity-threshold=high --legacy The status should be success # no issues found The output should include "Testing sg_open_ssh.tf..." # Outputs issues 
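Review bot: Both `--scan` error tests in the -265,13 hunk keep the fixture path `tf-plan-create.json.json`, while every other plan test uses `tf-plan-create.json`; the doubled extension looks like a typo. If that file does not exist, the tests pass only because flag validation happens before the path is read, which is an ordering the assertions do not state. Using the real fixture, `When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --scan=rsrc-changes`, would make the "Unsupported value" check independent of that ordering. The same change applies to the bare `--scan` case.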
@@ -43,21 +43,21 @@ Describe "Snyk iac test command" End It "outputs an error for invalid hcl2 tf files" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh_invalid_hcl2.tf + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh_invalid_hcl2.tf --legacy The status should be failure The output should include "Illegal Terraform target file sg_open_ssh_invalid_hcl2.tf " The output should include "Validation Error Reason: Invalid HCL2 Format." End It "outputs the expected text when running with --sarif flag" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --sarif + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --sarif --legacy The status should be failure The output should include '"id": "SNYK-CC-TF-1",' The output should include '"ruleId": "SNYK-CC-TF-1",' End It "outputs the expected text when running with --json flag" - When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --json + When run snyk iac test ../fixtures/iac/terraform/sg_open_ssh.tf --json --legacy The status should be failure The output should include '"id": "SNYK-CC-TF-1",' The output should include '"packageManager": "terraformconfig",'