feat: Added sys info and extra debug logging via newer defsec (#1793)

go.mod

@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.5
 	github.com/Masterminds/semver v1.5.0
-	github.com/aquasecurity/defsec v0.65.0
+	github.com/aquasecurity/defsec v0.68.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-version v1.5.0
 	github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf

go.sum

@@ -142,8 +142,8 @@ github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:o
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/defsec v0.65.0 h1:E09vp6NONtliNy5aXZBRxsi7KNj7o1Sr5sfxlnmyEHU=
-github.com/aquasecurity/defsec v0.65.0/go.mod h1:xUmN8mHLF2RCITp9v6HH+vkqfnfAX6BsIC5pbCwzg9k=
+github.com/aquasecurity/defsec v0.68.0 h1:kgnEXjFaULhZarkEPH4oms7lLcYLYu7q6izcMhP1oPM=
+github.com/aquasecurity/defsec v0.68.0/go.mod h1:xUmN8mHLF2RCITp9v6HH+vkqfnfAX6BsIC5pbCwzg9k=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=

internal/app/tfsec/cmd/flags.go

@@ -261,13 +261,15 @@ func applyConfigFiles(options []options.ScannerOption, dir string) ([]options.Sc
 			path := filepath.Join(configDir, filename)
 			if _, err := os.Stat(path); err == nil {
 				configFile = path
+				logger.Log("Found default config file at %s", configFile)
 				break
 			}
 		}
 	}
 
 	if configFile != "" {
 		if conf, err := config.LoadConfig(configFile); err == nil {
+			logger.Log("Loaded config file at %s", configFile)
 			if !minVersionSatisfied(conf) {
 				return nil, fmt.Errorf("minimum tfsec version requirement not satisfied")
 			}
@@ -283,6 +285,8 @@ func applyConfigFiles(options []options.ScannerOption, dir string) ([]options.Sc
 			if len(conf.ExcludedChecks) > 0 {
 				options = append(options, scanner.ScannerWithExcludedRules(append(conf.ExcludedChecks, excludedRuleIDs)))
 			}
+		} else {
+			logger.Log("Failed to load config file: %s", err)
 		}
 	}
 

internal/app/tfsec/cmd/root.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/Masterminds/semver"
+	debugging "github.com/aquasecurity/defsec/pkg/debug"
 	"github.com/aquasecurity/defsec/pkg/extrafs"
 	scanner "github.com/aquasecurity/defsec/pkg/scanners/terraform"
 	"github.com/aquasecurity/defsec/pkg/scanners/terraform/executor"
@@ -32,6 +33,8 @@ func (e ExitCodeError) Code() int {
 	return e.code
 }
 
+var logger debugging.Logger
+
 func Root() *cobra.Command {
 	rootCmd := &cobra.Command{
 		Use:               "tfsec [directory]",
@@ -42,6 +45,13 @@ func Root() *cobra.Command {
 		Args:              cobra.RangeArgs(0, 1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if debug {
+				logger = debugging.New(cmd.ErrOrStderr(), "cmd")
+				debugging.LogSystemInfo(cmd.ErrOrStderr(), version.Version)
+			}
+
+			logger.Log("Command args=%#v", args)
+
 			// we handle our own errors, and usage does not need to be shown if we've got this far
 			cmd.SilenceUsage = true
 
@@ -50,6 +60,8 @@ func Root() *cobra.Command {
 				return err
 			}
 
+			logger.Log("Determined path dir=%s", dir)
+
 			if len(tfvarsPaths) == 0 && unusedTfvarsPresent(dir) {
 				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "WARNING: A tfvars file was found but not automatically used. Did you mean to specify the --tfvars-file flag?\n")
 			}
@@ -59,9 +71,8 @@ func Root() *cobra.Command {
 				return err
 			}
 
-			if debug {
-				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Paths: args=%s dir=%s root=%s rel=%s\n", args, dir, root, rel)
-			}
+			logger.Log("Determined path root=%s", root)
+			logger.Log("Determined path rel=%s", rel)
 
 			options, err := configureOptions(cmd, root, dir)
 			if err != nil {
@@ -87,16 +98,15 @@ func Root() *cobra.Command {
 				return nil
 			}
 
+			exitCode := getDetailedExitCode(metrics)
+			logger.Log("Exit code based on results: %d", exitCode)
+
 			formats := strings.Split(format, ",")
 			if err := output(cmd, outputFlag, formats, root, rel, results, metrics); err != nil {
 				return fmt.Errorf("failed to write output: %w", err)
 			}
 
-			exitCode := getDetailedExitCode(metrics)
 			if exitCode != 0 && !softFail {
-				if debug {
-					_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Exit code: %d\n", exitCode)
-				}
 				return &ExitCodeError{
 					code: exitCode,
 				}

test/flags_test.go

@@ -336,7 +336,7 @@ func Test_Flag_Debug(t *testing.T) {
 		t.Run(flag, func(t *testing.T) {
 			out, err, exit := runWithArgs("./testdata/pass", "-f", "json", flag)
 			_ = parseJSON(t, out)
-			assert.Contains(t, err, "\n[scan:")
+			assert.Contains(t, err, "terraform.parser")
 			assert.Equal(t, 0, exit)
 		})
 	}