diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego b/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego index d959da68e7a..b64218850cb 100644 --- a/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego +++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego @@ -48,4 +48,3 @@ hasPolicyDuringUpdate(resource){ }else{ common_lib.valid_key(resource, "stack_policy_during_update_url") } - diff --git a/docs/docker/nightly.csv b/docs/docker/nightly.csv index 87e3c64a5f1..6f805baa48b 100644 --- a/docs/docker/nightly.csv +++ b/docs/docker/nightly.csv @@ -433,3 +433,7 @@ scratch,a8e7a611,2022-07-20,sha256:aa0db1182f560bb29d1afbaf8d0ca5e0779e8543d6031 alpine,a8e7a611,2022-07-20,sha256:aa0db1182f560bb29d1afbaf8d0ca5e0779e8543d603110792bce24a19e706f6 debian,a8e7a611,2022-07-20,sha256:0f2d0cf342f1df566800e286c4c926353a6b60b8355e0dcb460a839156c8e187 ubi8,a8e7a611,2022-07-20,sha256:6398049c8978b03454ff5d190cb358dd1f262871f879c368ec2271ba38c61246 +scratch,278acb19,2022-07-21,sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979 +alpine,278acb19,2022-07-21,sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979 +debian,278acb19,2022-07-21,sha256:22c026a49665bf94751cc69a71d1d6e78af9cc3e6d1e301fe17b3b82e3b2d12a +ubi8,278acb19,2022-07-21,sha256:a9d3bb91a83a79af4f33006f521f73163a64036d3ea681e1c3f07d319cefd194 diff --git a/docs/docker/nightly.md b/docs/docker/nightly.md index 85191fe6f10..e550ee3f438 100644 --- a/docs/docker/nightly.md +++ b/docs/docker/nightly.md 
@@ -434,3 +434,7 @@ scratch | a8e7a611 | 2022-07-20 | sha256:aa0db1182f560bb29d1afbaf8d0ca5e07 alpine | a8e7a611 | 2022-07-20 | sha256:aa0db1182f560bb29d1afbaf8d0ca5e0779e8543d603110792bce24a19e706f6 debian | a8e7a611 | 2022-07-20 | sha256:0f2d0cf342f1df566800e286c4c926353a6b60b8355e0dcb460a839156c8e187 ubi8 | a8e7a611 | 2022-07-20 | sha256:6398049c8978b03454ff5d190cb358dd1f262871f879c368ec2271ba38c61246 +scratch | 278acb19 | 2022-07-21 | sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979 +alpine | 278acb19 | 2022-07-21 | sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979 +debian | 278acb19 | 2022-07-21 | sha256:22c026a49665bf94751cc69a71d1d6e78af9cc3e6d1e301fe17b3b82e3b2d12a +ubi8 | 278acb19 | 2022-07-21 | sha256:a9d3bb91a83a79af4f33006f521f73163a64036d3ea681e1c3f07d319cefd194 diff --git a/go.mod b/go.mod index fad3e3672c5..4eb3fa50984 100644 --- a/go.mod +++ b/go.mod @@ -4,12 +4,12 @@ go 1.18 require ( code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5 - github.com/BurntSushi/toml v1.1.0 + github.com/BurntSushi/toml v1.2.0 github.com/GoogleCloudPlatform/terraformer v0.8.18 github.com/agnivade/levenshtein v1.1.1 github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20211114212643-ec144ca0d701 - github.com/aws/aws-sdk-go v1.44.58 + github.com/aws/aws-sdk-go v1.44.59 github.com/cheggaaa/pb/v3 v3.1.0 github.com/emicklei/proto v1.11.0 github.com/getsentry/sentry-go v0.13.0 diff --git a/go.sum b/go.sum index 7d4c9df7c46..3fc7e37bbf8 100644 --- a/go.sum +++ b/go.sum 
@@ -118,8 +118,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-ntlmssp v0.0.0-20180810175552-4a21cbd618b4/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
-github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=
+github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
@@ -272,8 +272,8 @@ github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.30.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go v1.44.58 h1:VPfVj0Fa1v+/8HUegdNvGg9XtmuJ3z08WerBuT730gk= -github.com/aws/aws-sdk-go v1.44.58/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.44.59 h1:bkdnNsMvMhFmNLqKDAJ6rKR+S0hjOt/3AIJp2mxOK9o= +github.com/aws/aws-sdk-go v1.44.59/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go-v2 v1.3.0/go.mod h1:hTQc/9pYq5bfFACIUY9tc/2SYWd9Vnmw+testmuQeRY= github.com/aws/aws-sdk-go-v2 v1.3.1/go.mod h1:5SmWRTjN6uTRFNCc7rR69xHsdcUJnthmaRHGDsYhpTE= github.com/aws/aws-sdk-go-v2 v1.3.2/go.mod h1:7OaACgj2SX3XGWnrIjGlJM22h6yD6MEWKvm7levnnM8= diff --git a/internal/console/scan.go b/internal/console/scan.go index f82aea7e6b3..3e16af02e83 100644 --- a/internal/console/scan.go +++ b/internal/console/scan.go @@ -143,6 +143,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool func executeScan(scanParams *scan.Parameters) error { log.Debug().Msg("console.scan()") + for _, warn := range warnings { log.Warn().Msgf(warn) } diff --git a/pkg/detector/default_detect.go b/pkg/detector/default_detect.go index 1e66aa5e6ee..92467317391 100644 --- a/pkg/detector/default_detect.go +++ b/pkg/detector/default_detect.go @@ -22,7 +22,6 @@ func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string CurrentLine: 0, IsBreak: false, FoundAtLeastOne: false, - Lines: d.SplitLines(file.OriginalData), ResolvedFile: file.FilePath, ResolvedFiles: d.prepareResolvedFiles(file.ResolvedFiles), } 
@@ -34,10 +33,11 @@ func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string sanitizedSubstring = strings.Replace(sanitizedSubstring, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1) } + lines := d.SplitLines(file.OriginalData) for _, key := range strings.Split(sanitizedSubstring, ".") { substr1, substr2 := GenerateSubstrings(key, extractedString) - detector = detector.DetectCurrentLine(substr1, substr2, 0) + detector, lines = detector.DetectCurrentLine(substr1, substr2, 0, lines) if detector.IsBreak { break @@ -47,7 +47,7 @@ func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string if detector.FoundAtLeastOne { return model.VulnerabilityLines{ Line: detector.CurrentLine + 1, - VulnLines: GetAdjacentVulnLines(detector.CurrentLine, outputLines, detector.Lines), + VulnLines: GetAdjacentVulnLines(detector.CurrentLine, outputLines, lines), ResolvedFile: detector.ResolvedFile, } } diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index 237191b32aa..54a16c54d4f 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -31,7 +31,6 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, CurrentLine: 0, IsBreak: false, FoundAtLeastOne: false, - Lines: prepareDockerFileLines(d.SplitLines(file.OriginalData)), ResolvedFile: file.FilePath, ResolvedFiles: make(map[string]model.ResolvedFileSplit), } @@ -46,7 +45,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, for _, key := range strings.Split(sKey, ".") { substr1, substr2 := detector.GenerateSubstrings(key, extractedString) - det = det.DetectCurrentLine(substr1, substr2, 0) + det, _ = det.DetectCurrentLine(substr1, substr2, 0, prepareDockerFileLines(d.SplitLines(file.OriginalData))) if det.IsBreak { break diff --git a/pkg/detector/helper.go b/pkg/detector/helper.go index 430fc3453dd..a02835037c7 100644 --- a/pkg/detector/helper.go 
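Review bot: In docker_detect.go the new call `det, _ = det.DetectCurrentLine(substr1, substr2, 0, prepareDockerFileLines(d.SplitLines(file.OriginalData)))` sits inside the `for _, key := range strings.Split(sKey, ".")` loop, so the whole file is re-split and re-prepared once per key even though the result cannot change between iterations. default_detect.go in this same commit hoists the equivalent `lines := d.SplitLines(file.OriginalData)` out of its loop, and this hunk should do the same: `lines := prepareDockerFileLines(d.SplitLines(file.OriginalData))` before the loop and `det, _ = det.DetectCurrentLine(substr1, substr2, 0, lines)` inside it. Discarding the returned slice is safe here because the detector is built with an empty `ResolvedFiles` map (visible in the preceding hunk), so the resolved-file branch of DetectCurrentLine never swaps the lines; if that ever changes, the `_` should become an assignment. The loop body continues past the end of the hunk.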
+++ b/pkg/detector/helper.go @@ -28,7 +28,6 @@ type DefaultDetectLineResponse struct { CurrentLine int IsBreak bool FoundAtLeastOne bool - Lines []string ResolvedFile string ResolvedFiles map[string]model.ResolvedFileSplit } 
@@ -252,74 +251,66 @@ func removeExtras(result string, start, end int) string { } // DetectCurrentLine uses levenshtein distance to find the most accurate line for the vulnerability -func (d *DefaultDetectLineResponse) DetectCurrentLine(str1, str2 string, recurseCount int) *DefaultDetectLineResponse { +func (d *DefaultDetectLineResponse) DetectCurrentLine(str1, str2 string, recurseCount int, + lines []string) (det *DefaultDetectLineResponse, l []string) { distances := make(map[int]int) - for i := d.CurrentLine; i < len(d.Lines); i++ { - if res := d.checkResolvedFile(d.Lines[i], str1, str2, recurseCount); res.FoundAtLeastOne { - return res + for i := d.CurrentLine; i < len(lines); i++ { + if len(d.ResolvedFiles) > 0 { + if res, newLines := d.checkResolvedFile(lines[i], str1, str2, recurseCount); res.FoundAtLeastOne { + return res, newLines + } } - distances = d.checkLine(str1, str2, distances, i) + distances = checkLine(str1, str2, distances, lines[i], i) } if len(distances) == 0 { - return &DefaultDetectLineResponse{ - FoundAtLeastOne: d.FoundAtLeastOne, - CurrentLine: d.CurrentLine, - IsBreak: true, - Lines: d.Lines, - ResolvedFile: d.ResolvedFile, - ResolvedFiles: d.ResolvedFiles, - } + d.IsBreak = true + return d, lines } - return &DefaultDetectLineResponse{ - CurrentLine: SelectLineWithMinimumDistance(distances, d.CurrentLine), - IsBreak: false, - FoundAtLeastOne: true, - Lines: d.Lines, - ResolvedFile: d.ResolvedFile, - ResolvedFiles: d.ResolvedFiles, - } + d.CurrentLine = SelectLineWithMinimumDistance(distances, d.CurrentLine) + d.IsBreak = false + d.FoundAtLeastOne = true + + return d, lines } -func (d *DefaultDetectLineResponse) checkLine(str1, str2 string, distances map[int]int, i int) map[int]int { - if str1 != "" && str2 != "" && strings.Contains(d.Lines[i], str1) { - restLine := d.Lines[i][strings.Index(d.Lines[i], str1)+len(str1):] +func checkLine(str1, str2 string, distances map[int]int, line string, i int) map[int]int { + if str1 != "" && str2 != "" 
&& strings.Contains(line, str1) { + restLine := line[strings.Index(line, str1)+len(str1):] if strings.Contains(restLine, str2) { - distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(d.Lines[i], str1, false), str1) + distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(line, str1, false), str1) distances[i] += levenshtein.ComputeDistance(ExtractLineFragment(restLine, str2, false), str2) } - } else if str1 != "" && strings.Contains(d.Lines[i], str1) { - distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(d.Lines[i], str1, false), str1) + } else if str1 != "" && strings.Contains(line, str1) { + distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(line, str1, false), str1) } return distances } -func (d *DefaultDetectLineResponse) checkResolvedFile(line, str1, st2 string, recurseCount int) *DefaultDetectLineResponse { +func (d *DefaultDetectLineResponse) checkResolvedFile(line, str1, st2 string, + recurseCount int) (det *DefaultDetectLineResponse, l []string) { for key, r := range d.ResolvedFiles { if strings.Contains(line, key) { if recurseCount > constants.MaxResolvedFiles { break } - return d.restore(r.Lines, r.Path).DetectCurrentLine(str1, st2, recurseCount+1) + return d.restore(r.Path).DetectCurrentLine(str1, st2, recurseCount+1, r.Lines) } } - return &DefaultDetectLineResponse{ - CurrentLine: 0, - IsBreak: false, - FoundAtLeastOne: false, - } + + d.CurrentLine = 0 + d.IsBreak = false + d.FoundAtLeastOne = false + + return d, []string{} } -func (d *DefaultDetectLineResponse) restore(lines []string, file string) *DefaultDetectLineResponse { - return &DefaultDetectLineResponse{ - CurrentLine: 0, - IsBreak: d.IsBreak, - FoundAtLeastOne: false, - Lines: lines, - ResolvedFile: file, - ResolvedFiles: d.ResolvedFiles, - } +func (d *DefaultDetectLineResponse) restore(file string) *DefaultDetectLineResponse { + d.CurrentLine = 0 + d.FoundAtLeastOne = false + d.ResolvedFile = file + return d } 
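Review bot: The rewrite of `restore` and `checkResolvedFile` mutates the receiver in place, and that state leaks back into the outer search: when a line references a resolved file, `d.restore(r.Path)` overwrites `d.ResolvedFile` and zeroes `d.CurrentLine` before the nested `DetectCurrentLine` runs, so if the nested search misses, the outer loop continues with the resolved file's path in `ResolvedFile` — the removed code built a fresh struct at exactly these points, which is what kept the two searches isolated. The no-match tail of `checkResolvedFile` also sets `d.CurrentLine = 0` on every iteration of the loop in `DetectCurrentLine` whenever `len(d.ResolvedFiles) > 0`, so `SelectLineWithMinimumDistance(distances, d.CurrentLine)` now receives 0 instead of the line the caller started from (what that argument controls is outside the hunk, so I cannot judge how visible the effect is). Recursing on a copy and returning a fresh value from the miss path keeps the in-place style for the common path while restoring the old isolation; the doc comment on `DetectCurrentLine` should also describe the new `lines` parameter and that the returned slice is the resolved file's lines when the match came from one. Both function bodies are fully inside the hunk.
```go
func (d *DefaultDetectLineResponse) checkResolvedFile(line, str1, st2 string,
	recurseCount int) (det *DefaultDetectLineResponse, l []string) {
	for key, r := range d.ResolvedFiles {
		if strings.Contains(line, key) {
			if recurseCount > constants.MaxResolvedFiles {
				break
			}
			// Search the resolved file on a copy: a miss inside it must not
			// leave ResolvedFile/CurrentLine of the outer search altered.
			nested := *d
			return nested.restore(r.Path).DetectCurrentLine(str1, st2, recurseCount+1, r.Lines)
		}
	}
	// No resolved file is referenced on this line; report "not found"
	// without resetting the caller's CurrentLine.
	return &DefaultDetectLineResponse{}, []string{}
}
```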
diff --git a/pkg/detector/helper_test.go b/pkg/detector/helper_test.go index 0b249b3189f..3166e96ae51 100644 --- a/pkg/detector/helper_test.go +++ b/pkg/detector/helper_test.go @@ -396,7 +396,6 @@ func TestDefaultDetectLineResponse_restore(t *testing.T) { CurrentLine: 0, IsBreak: false, FoundAtLeastOne: false, - Lines: []string{"this is a line"}, ResolvedFile: "newfile", ResolvedFiles: map[string]model.ResolvedFileSplit{}, }, @@ -408,11 +407,10 @@ func TestDefaultDetectLineResponse_restore(t *testing.T) { CurrentLine: tt.fields.CurrentLine, IsBreak: tt.fields.IsBreak, FoundAtLeastOne: tt.fields.FoundAtLeastOne, - Lines: tt.fields.Lines, ResolvedFile: tt.fields.ResolvedFile, ResolvedFiles: tt.fields.ResolvedFiles, } - if got := d.restore(tt.args.lines, tt.args.file); !reflect.DeepEqual(got, tt.want) { + if got := d.restore(tt.args.file); !reflect.DeepEqual(got, tt.want) { t.Errorf("restore() = %v, want %v", got, tt.want) } }) @@ -433,11 +431,17 @@ func TestDefaultDetectLineResponse_checkResolvedFile(t *testing.T) { str1 string st2 string } + + type want struct { + defaultDetectLineResponse *DefaultDetectLineResponse + lines []string + } + tests := []struct { name string fields fields args args - want *DefaultDetectLineResponse + want want }{ { name: "test_lines", 
@@ -463,22 +467,25 @@ func TestDefaultDetectLineResponse_checkResolvedFile(t *testing.T) { }, }, }, - want: &DefaultDetectLineResponse{ - CurrentLine: 1, - IsBreak: false, - FoundAtLeastOne: true, - Lines: []string{"this is line one", "key: value", "this is line three"}, - ResolvedFile: "abs/path/to/file", - ResolvedFiles: map[string]model.ResolvedFileSplit{ - "path/to/file": { - Path: "abs/path/to/file", - Lines: []string{ - "this is line one", - "key: value", - "this is line three", + want: want{ + defaultDetectLineResponse: &DefaultDetectLineResponse{ + CurrentLine: 1, + IsBreak: false, + FoundAtLeastOne: true, + + ResolvedFile: "abs/path/to/file", + ResolvedFiles: map[string]model.ResolvedFileSplit{ + "path/to/file": { + Path: "abs/path/to/file", + Lines: []string{ + "this is line one", + "key: value", + "this is line three", + }, }, }, }, + lines: []string{"this is line one", "key: value", "this is line three"}, }, }, } @@ -488,12 +495,16 @@ func TestDefaultDetectLineResponse_checkResolvedFile(t *testing.T) { CurrentLine: tt.fields.CurrentLine, IsBreak: tt.fields.IsBreak, FoundAtLeastOne: tt.fields.FoundAtLeastOne, - Lines: tt.fields.Lines, ResolvedFile: tt.fields.ResolvedFile, ResolvedFiles: tt.fields.ResolvedFiles, } - if got := d.checkResolvedFile(tt.args.line, tt.args.str1, tt.args.st2, 0); !reflect.DeepEqual(got, tt.want) { - t.Errorf("checkResolvedFile() = %v, want %v", got, tt.want) + gotDefaultDetectLineResponse, gotLines := d.checkResolvedFile(tt.args.line, tt.args.str1, tt.args.st2, 0) + + if !reflect.DeepEqual(gotDefaultDetectLineResponse, tt.want.defaultDetectLineResponse) { + t.Errorf("checkResolvedFile() = %v, want %v", gotDefaultDetectLineResponse, tt.want.defaultDetectLineResponse) + } + if !reflect.DeepEqual(gotLines, tt.want.lines) { + t.Errorf("checkResolvedFile() = %v, want %v", gotLines, tt.want.lines) } }) } 
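Review bot: Both new failure messages in TestDefaultDetectLineResponse_checkResolvedFile read `checkResolvedFile() = %v, want %v`, so a failing run does not say whether the response or the returned lines mismatched; the second should be `t.Errorf("checkResolvedFile() lines = %v, want %v", gotLines, tt.want.lines)`. The table still holds only the matching case (`test_lines`); since `checkResolvedFile` now writes to its receiver, a second case whose `line` references no key in `ResolvedFiles` — asserting `FoundAtLeastOne` is false and that `CurrentLine` and `ResolvedFile` on the original `d` are unchanged afterwards — would pin the miss path that this commit changed.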
diff --git a/test/fixtures/unresolved_openapi/openapi.yaml b/test/fixtures/unresolved_openapi/openapi.yaml index 8be0e943aac..959d398be46 100644 --- a/test/fixtures/unresolved_openapi/openapi.yaml +++ b/test/fixtures/unresolved_openapi/openapi.yaml @@ -24,4 +24,4 @@ components: schemas: $ref: "./schemas/_index.yaml" responses: - $ref: "./responses/_index.yaml" \ No newline at end of file + $ref: "./responses/_index.yaml"