Support for spaces in policy reference_id #833

27 changes: 16 additions & 11 deletions pkg/utils/skip_rules.go
Expand Up @@ -18,6 +18,7 @@ package utils

import (
"encoding/json"
"fmt"
"regexp"
"strings"

Expand All @@ -32,18 +33,24 @@ const (
TerrascanSkipRule = "rule"
// TerrascanSkipComment key used to detect comment skiupping a give rule
TerrascanSkipComment = "comment"
// SkipRulesPrefix used to identify and trim the skipping rule patterns
SkipRulesPrefix = "#ts:skip="
// RuleIDRegex used to match the reference_id string
RuleIDRegex = `((([ A-Za-z0-9]+[.-]{1})){2,5}([\d]+)){1}`
// SkipRuleCommentRegex used to detect comments in skipped rule
SkipRuleCommentRegex = `([ \t]+.*){0,1}`
)

var (
skipRulesPattern = regexp.MustCompile(`(#ts:skip=[ \t]*(([A-Za-z0-9]+[.-]{1}){3,5}([\d]+)){1}([ \t]+.*){0,1})`)
skipRulesPrefix = "#ts:skip="
ruleIDPattern = regexp.MustCompile(RuleIDRegex)
skipRulesPattern = regexp.MustCompile(fmt.Sprintf("(%s%s%s)", SkipRulesPrefix, RuleIDRegex, SkipRuleCommentRegex))
infileInstructionNotPresentLog = "%s not present for resource: %s"
)

// GetSkipRules returns a list of rules to be skipped. The rules to be skipped
// can be set in terraform resource config with the following pattern:
// #ts:skip=AWS.S3Bucket.DS.High.1043
// $ts:skip=AWS.S3Bucket.DS.High.1044 reason to skip the rule
// #ts:skip=AWS.S3Bucket.DS.High.1044 reason to skip the rule
// each rule and its optional comment must be in a new line
func GetSkipRules(body string) []output.SkipRule {
var skipRules []output.SkipRule
Expand All @@ -53,12 +60,12 @@ func GetSkipRules(body string) []output.SkipRule {
return skipRules
}

// get all skip rule comments
// extract all commented skip rules
comments := skipRulesPattern.FindAllString(body, -1)

// extract rule ids from comments
for _, c := range comments {
c = strings.TrimPrefix(c, skipRulesPrefix)
c = strings.TrimPrefix(c, SkipRulesPrefix)
skipRule := getSkipRuleObject(c)
if skipRule != nil {
skipRules = append(skipRules, *skipRule)
Expand All @@ -71,14 +78,12 @@ func getSkipRuleObject(s string) *output.SkipRule {
if s == "" {
return nil
}

var skipRule output.SkipRule
ruleComment := strings.Fields(s)
comment := ruleIDPattern.Split(s, 2)[1]
skipRule.Rule = ruleIDPattern.FindString(strings.TrimSpace(s))
skipRule.Comment = strings.TrimSpace(comment)

skipRule.Rule = strings.TrimSpace(ruleComment[0])
if len(ruleComment) > 1 {
comment := strings.Join(ruleComment[1:], " ")
skipRule.Comment = strings.TrimSpace(comment)
}
return &skipRule
}

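Review bot: The space-tolerant `RuleIDRegex` (the `((([ A-Za-z0-9]+[.-]{1})){2,5}([\d]+)){1}` constant) is greedy, so a skip comment containing a `.` or `-` followed by digits is swallowed into the rule ID: for `#ts:skip=AWS.S3Bucket.DS.High.1041 mitigated per CVE-2021-1234` the fifth segment becomes `1041 mitigated per CVE-`, `getSkipRuleObject` reports Rule `AWS.S3Bucket.DS.High.1041 mitigated per CVE-2021` with an empty Comment, and the intended skip silently never applies (the old space-free class stopped at `1041`). Making the repetition lazy keeps the ID at the first digit run that follows a separator — raw-string value `(([ A-Za-z0-9]+[.-]){2,5}?\d+)` — and still satisfies the added space tests; this assumes no policy ID has an all-digit interior segment, which I can't confirm from here. Separately, the minimum segment count dropped from `{3,5}` to `{2,5}`, which accepts two-segment IDs the old pattern rejected; if that is not deliberate, keep `{3,5}`. `ruleIDPattern.Split(s, 2)[1]` is safe for strings coming from the `FindAllString` loop above, but would panic if `s` ever reached this helper without a match; `parts := ruleIDPattern.Split(s, 2); if len(parts) < 2 { return nil }` costs nothing. The `const` block and the `getSkipRuleObject` signature open above their hunks.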
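--- a/pkg/utils/skip_rules_test.go
+++ b/pkg/utils/skip_rules_test.go
@@ -27,6 +27,9 @@ import (
 func TestGetSkipRules(t *testing.T) {
 testRuleAWS1 := "AWS.S3Bucket.DS.High.1041"
 testRuleAWS2 := "AWS.S3Bucket.DS.High.1042"
+testRuleAWS3 := "AWS.S3 Bucket.DS.High.1041"
+testRuleAWS4 := "AWS.S3 Bucket DS.High.1041"
+testRuleAWS5 := "AWS.S3 Bucket DS .High.1041"
 testRuleAWSwithHyphen := "AC-AWS-NS-IN-M-1172"
 testRuleAzure := "accurics.azure.NS.147"
 testRuleKubernetesWithHyphen := "AC-K8-DS-PO-M-0143"
@@ -132,6 +135,52 @@ func TestGetSkipRules(t *testing.T) {
 },
 },
 },
+{
+// Rule with single space should get skipped
+name: "rule with space in between, aws",
+input: "#ts:skip=AWS.S3 Bucket.DS.High.1041",
+expected: []output.SkipRule{
+{Rule: testRuleAWS3},
+},
+},
+{
+// Rule with two spaces should get skipped
+name: "rule with two spaces in between, aws",
+input: "#ts:skip=AWS.S3 Bucket DS.High.1041",
+expected: []output.SkipRule{
+{Rule: testRuleAWS4},
+},
+},
+{
+// Rule with multiple spaces should get skipped
+name: "rule with multiple spaces in between, aws",
+input: "#ts:skip=AWS.S3 Bucket DS .High.1041",
+expected: []output.SkipRule{
+{Rule: testRuleAWS5},
+},
+},
+{
+// Rule with space and comment should get skipped
+name: "rule with spaces in between and comment, aws",
+input: "#ts:skip=AWS.S3 Bucket.DS.High.1041 skip rule with spaces",
+expected: []output.SkipRule{
+{
+Rule: testRuleAWS3,
+Comment: "skip rule with spaces",
+},
+},
+},
+{
+// Rule with multiple spaces and comment should get skipped
+name: "rule with multiple spaces in between, aws",
+input: "#ts:skip=AWS.S3 Bucket DS .High.1041 skip rule with multiple spaces",
+expected: []output.SkipRule{
+{
+Rule: testRuleAWS5,
+Comment: "skip rule with multiple spaces",
+},
+},
+},
 }
 
 for _, tt := range table {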
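Review bot: The new cases only use comments made of bare words, so none exercises a comment containing a `.` or `-` followed by digits — ticket numbers, versions, CVE IDs — which is exactly the shape that can collide with the now space-tolerant `RuleIDRegex`. A case like the one below pins that the rule ID stops at its numeric tail and the rest lands in `Comment`; if it fails, the regex in `skip_rules.go` rather than the test needs attention. Also, the last added case reuses `name: "rule with multiple spaces in between, aws"` from an earlier case, which makes a failure report ambiguous; `name: "rule with multiple spaces in between and comment, aws"` would be distinct. `TestGetSkipRules` continues outside the hunk.

```go
// … unchanged: preceding table cases …
{
	// Comment containing separator+digits must not be absorbed into the rule id
	name:  "rule with comment containing hyphenated identifier, aws",
	input: "#ts:skip=AWS.S3Bucket.DS.High.1041 mitigated per CVE-2021-1234",
	expected: []output.SkipRule{
		{
			Rule:    testRuleAWS1,
			Comment: "mitigated per CVE-2021-1234",
		},
	},
},
```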