

Support for spaces in policy reference_id
nasir-rabbani committed Jun 4, 2021
1 parent 95aba12 commit daacad6
Showing 2 changed files with 65 additions and 11 deletions.
27 changes: 16 additions & 11 deletions pkg/utils/skip_rules.go
Expand Up @@ -18,6 +18,7 @@ package utils

import (
"encoding/json"
"fmt"
"regexp"
"strings"

Expand All @@ -32,18 +33,24 @@ const (
TerrascanSkipRule = "rule"
// TerrascanSkipComment key used to detect comment skiupping a give rule
TerrascanSkipComment = "comment"
// SkipRulesPrefix used to identify and trim the skipping rule patterns
SkipRulesPrefix = "#ts:skip="
// RuleIDRegex used to match the reference_id string
RuleIDRegex = `((([ A-Za-z0-9]+[.-]{1})){2,5}([\d]+)){1}`
// SkipRuleCommentRegex used to detect comments in skipped rule
SkipRuleCommentRegex = `([ \t]+.*){0,1}`
)

var (
skipRulesPattern = regexp.MustCompile(`(#ts:skip=[ \t]*(([A-Za-z0-9]+[.-]{1}){3,5}([\d]+)){1}([ \t]+.*){0,1})`)
skipRulesPrefix = "#ts:skip="
ruleIDPattern = regexp.MustCompile(RuleIDRegex)
skipRulesPattern = regexp.MustCompile(fmt.Sprintf("(%s%s%s)", SkipRulesPrefix, RuleIDRegex, SkipRuleCommentRegex))
infileInstructionNotPresentLog = "%s not present for resource: %s"
)

// GetSkipRules returns a list of rules to be skipped. The rules to be skipped
// can be set in terraform resource config with the following pattern:
// #ts:skip=AWS.S3Bucket.DS.High.1043
// $ts:skip=AWS.S3Bucket.DS.High.1044 reason to skip the rule
// #ts:skip=AWS.S3Bucket.DS.High.1044 reason to skip the rule
// each rule and its optional comment must be in a new line
func GetSkipRules(body string) []output.SkipRule {
var skipRules []output.SkipRule
Expand All @@ -53,12 +60,12 @@ func GetSkipRules(body string) []output.SkipRule {
return skipRules
}

// get all skip rule comments
// extract all commented skip rules
comments := skipRulesPattern.FindAllString(body, -1)

// extract rule ids from comments
for _, c := range comments {
c = strings.TrimPrefix(c, skipRulesPrefix)
c = strings.TrimPrefix(c, SkipRulesPrefix)
skipRule := getSkipRuleObject(c)
if skipRule != nil {
skipRules = append(skipRules, *skipRule)
Expand All @@ -71,14 +78,12 @@ func getSkipRuleObject(s string) *output.SkipRule {
if s == "" {
return nil
}

var skipRule output.SkipRule
ruleComment := strings.Fields(s)
comment := ruleIDPattern.Split(s, 2)[1]
skipRule.Rule = ruleIDPattern.FindString(strings.TrimSpace(s))
skipRule.Comment = strings.TrimSpace(comment)

skipRule.Rule = strings.TrimSpace(ruleComment[0])
if len(ruleComment) > 1 {
comment := strings.Join(ruleComment[1:], " ")
skipRule.Comment = strings.TrimSpace(comment)
}
return &skipRule
}

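Review bot: With spaces now admitted into the id segments by `RuleIDRegex`, the greedy `{2,5}` repetition can run the rule id into the free-text comment whenever that comment contains a `.` or `-` immediately followed by a digit: `#ts:skip=AWS.S3Bucket.DS.High.1043 see policy v2.1` yields Rule `AWS.S3Bucket.DS.High.1043 see policy v2.1` and an empty Comment, so the skip no longer names the intended rule (whether that fails open or closed depends on how callers compare Rule, which is outside this hunk). Making the segment repetition lazy, `RuleIDRegex = \`((([ A-Za-z0-9]+[.-]{1})){2,5}?([\d]+)){1}\``, stops the id at the first segment run that ends in digits and still produces the expected Rule for the space-containing ids in the test file; an id with a purely numeric interior segment would then be cut short, so that shape deserves a test if it exists in the policy set. Separately, `ruleIDPattern.Split(s, 2)[1]` in getSkipRuleObject (whose signature sits in the hunk header) panics on any non-empty input that holds no id; it is only safe because GetSkipRules feeds it prefix-matched text, so a guard such as `parts := ruleIDPattern.Split(s, 2); if len(parts) < 2 { return nil }` would make the helper safe to reuse.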
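--- a/pkg/utils/skip_rules_test.go
+++ b/pkg/utils/skip_rules_test.go
@@ -27,6 +27,9 @@ import (
 func TestGetSkipRules(t *testing.T) {
 testRuleAWS1 := "AWS.S3Bucket.DS.High.1041"
 testRuleAWS2 := "AWS.S3Bucket.DS.High.1042"
+testRuleAWS3 := "AWS.S3 Bucket.DS.High.1041"
+testRuleAWS4 := "AWS.S3 Bucket DS.High.1041"
+testRuleAWS5 := "AWS.S3 Bucket DS .High.1041"
 testRuleAWSwithHyphen := "AC-AWS-NS-IN-M-1172"
 testRuleAzure := "accurics.azure.NS.147"
 testRuleKubernetesWithHyphen := "AC-K8-DS-PO-M-0143"
@@ -132,6 +135,52 @@ func TestGetSkipRules(t *testing.T) {
 },
 },
 },
+{
+// Rule with single space should get skipped
+name: "rule with space in between, aws",
+input: "#ts:skip=AWS.S3 Bucket.DS.High.1041",
+expected: []output.SkipRule{
+{Rule: testRuleAWS3},
+},
+},
+{
+// Rule with two spaces should get skipped
+name: "rule with two spaces in between, aws",
+input: "#ts:skip=AWS.S3 Bucket DS.High.1041",
+expected: []output.SkipRule{
+{Rule: testRuleAWS4},
+},
+},
+{
+// Rule with multiple spaces should get skipped
+name: "rule with multiple spaces in between, aws",
+input: "#ts:skip=AWS.S3 Bucket DS .High.1041",
+expected: []output.SkipRule{
+{Rule: testRuleAWS5},
+},
+},
+{
+// Rule with space and comment should get skipped
+name: "rule with spaces in between and comment, aws",
+input: "#ts:skip=AWS.S3 Bucket.DS.High.1041 skip rule with spaces",
+expected: []output.SkipRule{
+{
+Rule: testRuleAWS3,
+Comment: "skip rule with spaces",
+},
+},
+},
+{
+// Rule with multiple spaces and comment should get skipped
+name: "rule with multiple spaces in between, aws",
+input: "#ts:skip=AWS.S3 Bucket DS .High.1041 skip rule with multiple spaces",
+expected: []output.SkipRule{
+{
+Rule: testRuleAWS5,
+Comment: "skip rule with multiple spaces",
+},
+},
+},
 }
 
 for _, tt := range table {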
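Review bot: None of the added cases exercises a comment containing a `.` or `-` followed by a digit, which is the input the widened `[ A-Za-z0-9]` segment class actually changes, so the table cannot tell whether such a comment stays separate from the id; a case like `input: "#ts:skip=AWS.S3Bucket.DS.High.1041 see policy v2.1"` expecting `{Rule: testRuleAWS1, Comment: "see policy v2.1"}` would pin the intended split. The last added case reuses the name `rule with multiple spaces in between, aws` from an earlier case, which makes a failure report ambiguous; `rule with multiple spaces in between and comment, aws` would distinguish them. TestGetSkipRules starts and ends outside the hunk.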
