Merge branch 'master' into feat/resource_info_arm

.dockerignore

@@ -8,15 +8,15 @@ examples
 .editorconfig
 .gitignore
 .golangci.yml
-.goreleaser.nightly.yml
-.goreleaser.yml
+release/.goreleaser.nightly.yml
+release/.goreleaser.yml
 cx.configuration
 docker-compose.yml
 mkdocs.yml
 sonar-project.properties
 *.sarif
 *.zip
 Dockerfile
-Dockerfile.*
+docker
 assets/queries/**/test
 assets/template

.github/workflows/go-e2e.yaml

@@ -12,7 +12,7 @@ jobs:
       matrix:
         go-version: [1.18.x]
         os: [ubuntu-latest]
-        kics-docker: ["Dockerfile", "Dockerfile.ubi8"]
+        kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8"]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Cancel Previous Runs
@@ -93,9 +93,12 @@ jobs:
           go mod tidy
           go build
           ./e2e-report -test-path ${CWD} -test-name results.json -report-path ${CWD} -report-name e2e-report.html
+      - name: Get docker name
+        run: |
+          DOCKER_NAME=$(echo ${{ matrix.kics-docker }} | sed 's/\//-/')
       - name: Archive test report
         if: always()
         uses: actions/upload-artifact@v2
         with:
-          name: e2e-tests-report-${{ matrix.kics-docker }}
+          name: e2e-tests-report-$DOCKER_NAME
           path: e2e-report.html

.github/workflows/release-apispec.yml

@@ -36,10 +36,10 @@ jobs:
         with:
           go-version: 1.18.x
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2.9.1
+        uses: goreleaser/goreleaser-action@v3.0.0
         with:
           version: v0.160.0
-          args: release --rm-dist --snapshot --skip-validate --config="./.goreleaser-apispec.yml"
+          args: release --rm-dist --snapshot --skip-validate --config="./release/.goreleaser-apispec.yml"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
@@ -141,7 +141,7 @@ jobs:
         with:
           context: .
           push: true
-          file: ./Dockerfile.apispec
+          file: ./docker/Dockerfile.apispec
           tags: checkmarx/kics:apispec,checkmarx/kics:apispec-alpine
           build-args: |
             VERSION=apipsec-${{ steps.shorthash.outputs.sha8 }}
@@ -153,7 +153,7 @@ jobs:
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.apispec.debian
+          file: ./docker/Dockerfile.apispec.debian
           push: true
           tags: checkmarx/kics:apispec-debian,checkmarx/kics:apispec-debian-latest
           build-args: |

.github/workflows/release-dkr-image-for-tag.yml

@@ -81,12 +81,12 @@ jobs:
             SENTRY_DSN=${{ secrets.SENTRY_DSN }}
             DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }}
       - name: Push debian to Docker Hub
-        if: ${{ hashFiles('Dockerfile.debian') }} != ""
+        if: ${{ hashFiles('./docker/Dockerfile.debian') }} != ""
         id: build_debian
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.debian
+          file: ./docker/Dockerfile.debian
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.prep.outputs.debian_tags }}
@@ -96,12 +96,12 @@ jobs:
             SENTRY_DSN=${{ secrets.SENTRY_DSN }}
             DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }}
       - name: Push ubi8 to Docker Hub
-        if: ${{ hashFiles('Dockerfile.ubi8') }} != ""
+        if: ${{ hashFiles('./docker/Dockerfile.ubi8') }} != ""
         id: build_ubi8
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.ubi8
+          file: ./docker/Dockerfile.ubi8
           push: true
           platforms: linux/amd64
           tags: ${{ steps.prep.outputs.ubi8_tags }}

.github/workflows/release-dkr-image.yml

@@ -65,7 +65,7 @@ jobs:
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.debian
+          file: ./docker/Dockerfile.debian
           push: true
           platforms: linux/amd64,linux/arm64
           tags: checkmarx/kics:debian,checkmarx/kics:${{ steps.get-version.outputs.version }}-debian
@@ -79,7 +79,7 @@ jobs:
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.ubi8
+          file: ./docker/Dockerfile.ubi8
           push: true
           tags: checkmarx/kics:ubi8,checkmarx/kics:${{ steps.get-version.outputs.version }}-ubi8
           platforms: linux/amd64

.github/workflows/release-nightly.yml

@@ -53,10 +53,10 @@ jobs:
         with:
           go-version: 1.18.x
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2.9.1
+        uses: goreleaser/goreleaser-action@v3.0.0
         with:
           version: v0.160.0
-          args: release --rm-dist --snapshot --skip-validate --config="./.goreleaser-nightly.yml"
+          args: release --rm-dist --snapshot --skip-validate --config="./release/.goreleaser-nightly.yml"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
@@ -175,7 +175,7 @@ jobs:
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.debian
+          file: ./docker/Dockerfile.debian
           push: true
           platforms: linux/amd64,linux/arm64
           tags: checkmarx/kics:nightly-debian
@@ -188,7 +188,7 @@ jobs:
         uses: docker/build-push-action@v3.0.0
         with:
           context: .
-          file: ./Dockerfile.ubi8
+          file: ./docker/Dockerfile.ubi8
           push: true
           tags: checkmarx/kics:nightly-ubi8
           platforms: linux/amd64

.github/workflows/update-install-script.yaml

@@ -41,7 +41,7 @@ jobs:
         run: |
           #!/usr/bin/env python3
           import ruamel.yaml
-          with open('.goreleaser.yml', 'r') as file:
+          with open('./docker/.goreleaser.yml', 'r') as file:
             file_obj = ruamel.yaml.load(file, Loader=ruamel.yaml.RoundTripLoader)
             del file_obj['brews']
             file_content = ruamel.yaml.dump(file_obj, Dumper=ruamel.yaml.RoundTripDumper)

Dockerfile

@@ -33,7 +33,7 @@ HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM alpine:3.15.4
+FROM alpine:3.16.0
 
 # Install Terraform and Terraform plugins
 RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_amd64.zip \
@@ -47,7 +47,7 @@ RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_am
     && unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip \
     && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.10.0_x5 terraform-provider-azurerm_v2.95.0_x5 ~/.terraform.d/plugins/linux_amd64 \
     && apk add --no-cache \
-    git=2.34.2-r0
+    git=2.36.1-r0
 
 # Copy built binary to the runtime container
 # Vulnerability fixed in latest version of KICS remove when gh actions version is updated

Makefile

@@ -172,7 +172,7 @@ dkr-compose: ## build docker image and runs docker-compose up
 
 .PHONY: dkr-build-antlr
 dkr-build-antlr: ## build ANTLRv4 docker image and generate parser based on given grammar
-	@docker build -t antlr4-generator:dev -f Dockerfile.antlr .
+	@docker build -t antlr4-generator:dev -f ./docker/Dockerfile.antlr .
 	@docker run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser/jsonfilter:/work -it antlr4-generator:dev
 
 .PHONY: release

assets/queries/ansible/aws/memcached_disabled/metadata.json

@@ -1,7 +1,7 @@
 {
   "id": "2d55ef88-b616-4890-b822-47f280763e89",
   "queryName": "Memcached Disabled",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "Check if the Memcached is disabled on the ElastiCache",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine",

assets/queries/ansible/aws/memcached_disabled/query.rego

@@ -14,7 +14,7 @@ CxPolicy[result] {
 		"documentId": id,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.engine", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "elasticache.engine enables Memcached",
+		"keyExpectedValue": "elasticache.engine to have Memcached enabled",
 		"keyActualValue": "elasticache.engine doesn't enable Memcached",
 	}
 }

assets/queries/ansible/aws/memcached_disabled/test/positive_expected_result.json

@@ -1,7 +1,7 @@
 [
-	{
-		"queryName": "Memcached Disabled",
-		"severity": "HIGH",
-		"line": 5
-	}
+  {
+    "queryName": "Memcached Disabled",
+    "severity": "MEDIUM",
+    "line": 5
+  }
 ]

assets/queries/cloudFormation/aws/cmk_unencrypted_storage/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "CMK Unencrypted Storage",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. ",
+  "descriptionText": "Ensure that storage is encrypted.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
   "platform": "CloudFormation",
   "descriptionID": "ba38e42e",

assets/queries/cloudFormation/aws/cmk_unencrypted_storage/query.rego

@@ -37,23 +37,6 @@ CxPolicy[result] { # DBTypes any DB, but without storage encrypted is undefined
 	}
 }
 
-CxPolicy[result] {
-	document := input.document[i]
-	resource := document.Resources[key]
-	common_lib.inArray({"AWS::DocDB::DBCluster", "AWS::Neptune::DBCluster", "AWS::RDS::DBCluster", "AWS::RDS::DBInstance", "AWS::Redshift::Cluster"}, resource.Type)
-
-	properties := resource.Properties
-	not common_lib.valid_key(properties, "KmsKeyId")
-
-	result := {
-		"documentId": input.document[i].id,
-		"searchKey": sprintf("Resources.%s.Properties", [key]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.KmsKeyId should be defined with AWS-Managed CMK", [key]),
-		"keyActualValue": sprintf("Resources.%s.Properties.KmsKeyId is undefined", [key]),
-	}
-}
-
 CxPolicy[result] {
 	document := input.document[i]
 	resource := document.Resources[key]

assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/negative4.json

@@ -33,14 +33,7 @@
               "Sid": "Enable IAM User Permissions",
               "Effect": "Allow",
               "Principal": {
-                "AWS": [
-                  "",
-                  [
-                    "arn:aws:iam::",
-                    "AWS::AccountId",
-                    ":root"
-                  ]
-                ]
+                "AWS": ["", ["arn:aws:iam::", "AWS::AccountId", ":root"]]
               },
               "Action": "kms:*",
               "Resource": "*"

assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive2.yaml

@@ -3,24 +3,24 @@ Description: >-
   AWS CloudFormation Sample Template
 Parameters:
   DBUsername:
-    NoEcho: 'true'
+    NoEcho: "true"
     Description: Username for MySQL database access
     Type: String
-    MinLength: '1'
-    MaxLength: '16'
-    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
+    MinLength: "1"
+    MaxLength: "16"
+    AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
     ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
   DBPassword:
-    NoEcho: 'true'
+    NoEcho: "true"
     Description: Password MySQL database access
     Type: String
-    MinLength: '8'
-    MaxLength: '41'
-    AllowedPattern: '[a-zA-Z0-9]*'
+    MinLength: "8"
+    MaxLength: "41"
+    AllowedPattern: "[a-zA-Z0-9]*"
     ConstraintDescription: must contain only alphanumeric characters.
 Resources:
   RDSCluster1:
-    Type: 'AWS::RDS::DBCluster'
+    Type: "AWS::RDS::DBCluster"
     Properties:
       MasterUsername: !Ref DBUsername
       MasterUserPassword: !Ref DBPassword
@@ -33,4 +33,3 @@ Resources:
         MinCapacity: 4
         MaxCapacity: 32
         SecondsUntilAutoPause: 1000
-      StorageEncrypted: true

assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive5.json

@@ -33,7 +33,6 @@
           "MaxCapacity": 32,
           "SecondsUntilAutoPause": 1000
         },
-        "StorageEncrypted": true,
         "MasterUsername": "DBUsername",
         "MasterUserPassword": "DBPassword"
       }

assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json

@@ -1,16 +1,4 @@
 [
-  {
-    "severity": "HIGH",
-    "line": 36,
-    "fileName": "positive3.yaml",
-    "queryName": "CMK Unencrypted Storage"
-  },
-  {
-    "queryName": "CMK Unencrypted Storage",
-    "severity": "HIGH",
-    "line": 54,
-    "fileName": "positive1.yaml"
-  },
   {
     "queryName": "CMK Unencrypted Storage",
     "severity": "HIGH",
@@ -25,7 +13,7 @@
   },
   {
     "severity": "HIGH",
-    "line": 24,
+    "line": 36,
     "fileName": "positive3.yaml",
     "queryName": "CMK Unencrypted Storage"
   },
@@ -35,48 +23,24 @@
     "fileName": "positive4.json",
     "queryName": "CMK Unencrypted Storage"
   },
-  {
-    "queryName": "CMK Unencrypted Storage",
-    "severity": "HIGH",
-    "line": 58,
-    "fileName": "positive4.json"
-  },
   {
     "queryName": "CMK Unencrypted Storage",
     "severity": "HIGH",
     "line": 25,
     "fileName": "positive5.json"
   },
-  {
-    "queryName": "CMK Unencrypted Storage",
-    "severity": "HIGH",
-    "line": 37,
-    "fileName": "positive6.json"
-  },
   {
     "fileName": "positive6.json",
     "queryName": "CMK Unencrypted Storage",
     "severity": "HIGH",
-    "line": 27
+    "line": 37
   },
   {
     "fileName": "positive7.yaml",
     "queryName": "CMK Unencrypted Storage",
     "severity": "HIGH",
     "line": 4
   },
-  {
-    "fileName": "positive7.yaml",
-    "queryName": "CMK Unencrypted Storage",
-    "severity": "HIGH",
-    "line": 4
-  },
-  {
-    "fileName": "positive8.json",
-    "queryName": "CMK Unencrypted Storage",
-    "severity": "HIGH",
-    "line": 5
-  },
   {
     "fileName": "positive8.json",
     "queryName": "CMK Unencrypted Storage",