Add exclude results functionality; needs tests

SeisoLLC · Sep 2, 2021 · dc9537e · dc9537e
1 parent d746551
commit dc9537e
Show file tree

Hide file tree

Showing 5 changed files with 223 additions and 12 deletions.
diff --git a/docs/Ansible/index.rst b/docs/Ansible/index.rst
@@ -30,16 +30,19 @@ a pipeline action on commit or pull request::
 Customizing KICS
 ^^^^^^^^^^^^^^^^
 
-+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
-| Environment variable | Result                                    | Example                                                                       |
-+======================+===========================================+===============================================================================+
-| ``KICS_QUERIES``     | Passes the value to ``--include-queries`` | ``c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff`` |
-+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
++-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
+| Environment variable        | Result                                       | Example                                                                       |
++=============================+==============================================+===============================================================================+
+| ``KICS_QUERIES``            | Passes the value to ``--include-queries``    | ``c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff`` |
++-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
+| ``KICS_EXCLUDE_SEVERITIES`` | Passes the value to ``--exclude-severities`` | ``info,low`` |
++-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
 
 ::
 
     KICS_QUERIES=c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
-    docker run --env-file <(env | grep KICS_QUERIES) -v $(pwd):/iac easy_infra:latest-minimal ansible-playbook EXAMPLE.yml --check
+    KICS_EXCLUDE_SEVERITIES=info,low
+    docker run --env-file <(env | grep ^KICS_) -v $(pwd):/iac easy_infra:latest-minimal ansible-playbook EXAMPLE.yml --check
 
 Disabling Security
 ^^^^^^^^^^^^^^^^^^

diff --git a/docs/Terraform/index.rst b/docs/Terraform/index.rst
@@ -41,16 +41,20 @@ plan`` and ``terraform deploy``::
 Customizing KICS
 ^^^^^^^^^^^^^^^^
 
-+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
-| Environment variable | Result                                    | Example                                                                       |
-+======================+===========================================+===============================================================================+
-| ``KICS_QUERIES``     | Passes the value to ``--include-queries`` | ``4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73`` |
-+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
++-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
+| Environment variable        | Result                                       | Example                                                                       |
++=============================+==============================================+===============================================================================+
+| ``KICS_QUERIES``            | Passes the value to ``--include-queries``    | ``4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73`` |
++-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
+| ``KICS_EXCLUDE_SEVERITIES`` | Passes the value to ``--exclude-severities`` | ``info,low``                                                                  |
++-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
+
 
 ::
 
     KICS_QUERIES=4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73
-    docker run --env-file <(env | grep KICS_QUERIES) -v $(pwd):/iac easy_infra:latest-minimal terraform validate
+    KICS_EXCLUDE_SEVERITIES=info
+    docker run --env-file <(env | grep ^KICS_) -v $(pwd):/iac easy_infra:latest-minimal terraform validate
 
 Terraform Caching
 ^^^^^^^^^^^^^^^^^

diff --git a/easy_infra.yml b/easy_infra.yml
@@ -9,6 +9,7 @@ _anchors:
         --output-name kics --path .
       customizations:
         KICS_QUERIES: --include-queries
+        KICS_EXCLUDE_SEVERITIES: --exclude-severities
       description: directory scan
     terrascan:
       command: terrascan scan -i terraform -t all -d .
@@ -33,6 +34,7 @@ commands:
           --output-name kics --path .
         customizations:
           KICS_QUERIES: --include-queries
+          KICS_EXCLUDE_SEVERITIES: --exclude-severities
         description: directory scan
     version: 2.9.6+dfsg-1
     version_argument: --version

diff --git a/tests/ansible/kics/--output-name/results.json b/tests/ansible/kics/--output-name/results.json
@@ -0,0 +1,153 @@
+{
+	"files_scanned": 1,
+	"files_parsed": 1,
+	"files_failed_to_scan": 0,
+	"queries_total": 266,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"queries": [
+		{
+			"query_name": "Automatic Minor Upgrades Disabled",
+			"query_id": "857f8808-e96a-4ba8-a9b7-f2d4ec6cad94",
+			"query_url": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade",
+			"severity": "HIGH",
+			"platform": "Ansible",
+			"category": "Encryption",
+			"description": "RDS instance auto minor version upgrade feature must be true",
+			"description_id": "7734a8b1",
+			"cis_description_id": "",
+			"cis_description_title": "",
+			"cis_description_text": "",
+			"files": [
+				{
+					"file_name": "insecure.yml",
+					"similarity_id": "f8b642608c00b0d5b6dd12be24c5c143f2f6519c53fbfadc40c6bfdec43d9d0f",
+					"line": 6,
+					"issue_type": "MissingAttribute",
+					"search_key": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{rds_instance}}",
+					"search_value": "",
+					"expected_value": "rds_instance.auto_minor_version_upgrade should be set",
+					"actual_value": "rds_instance.auto_minor_version_upgrade is undefined",
+					"value": null
+				}
+			]
+		},
+		{
+			"query_name": "CA Certificate Identifier Is Outdated",
+			"query_id": "5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce",
+			"query_url": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-ca_certificate_identifier",
+			"severity": "HIGH",
+			"platform": "Ansible",
+			"category": "Encryption",
+			"description": "The CA certificate Identifier must be 'rds-ca-2019'.",
+			"description_id": "d92aa922",
+			"cis_description_id": "",
+			"cis_description_title": "",
+			"cis_description_text": "",
+			"files": [
+				{
+					"file_name": "insecure.yml",
+					"similarity_id": "e91b89be82faadc62049bafb993ef49df1fbfc947682eef17160ad5d96743d77",
+					"line": 6,
+					"issue_type": "MissingAttribute",
+					"search_key": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{rds_instance}}",
+					"search_value": "",
+					"expected_value": "rds_instance.ca_certificate_identifier should be defined",
+					"actual_value": "rds_instance.ca_certificate_identifier is undefined",
+					"value": null
+				}
+			]
+		},
+		{
+			"query_name": "DB Instance Storage Not Encrypted",
+			"query_id": "7dfb316c-a6c2-454d-b8a2-97f147b0c0ff",
+			"query_url": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
+			"severity": "HIGH",
+			"platform": "Ansible",
+			"category": "Encryption",
+			"description": "The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').",
+			"description_id": "575cc1f4",
+			"cis_description_id": "",
+			"cis_description_title": "",
+			"cis_description_text": "",
+			"files": [
+				{
+					"file_name": "insecure.yml",
+					"similarity_id": "ce8b6eab4c32fba8e160742a194c7f7c840d2b5ea48b18a97759deb5d20b355d",
+					"line": 11,
+					"issue_type": "IncorrectValue",
+					"search_key": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{rds_instance}}.storage_encrypted",
+					"search_value": "",
+					"expected_value": "rds_instance.storage_encrypted should be set to true",
+					"actual_value": "rds_instance.storage_encrypted is set to false",
+					"value": null
+				}
+			]
+		},
+		{
+			"query_name": "IAM Database Auth Not Enabled",
+			"query_id": "0ed012a4-9199-43d2-b9e4-9bd049a48aa4",
+			"query_url": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
+			"severity": "HIGH",
+			"platform": "Ansible",
+			"category": "Encryption",
+			"description": "IAM Database Auth Enabled must be configured to true",
+			"description_id": "952e08fc",
+			"cis_description_id": "",
+			"cis_description_title": "",
+			"cis_description_text": "",
+			"files": [
+				{
+					"file_name": "insecure.yml",
+					"similarity_id": "5034204602e339bc7677975d17cbac097693774db02c7b23378bd151d4b4ec8f",
+					"line": 6,
+					"issue_type": "MissingAttribute",
+					"search_key": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{rds_instance}}",
+					"search_value": "",
+					"expected_value": "rds_instance.enable_iam_database_authentication should be defined",
+					"actual_value": "rds_instance.enable_iam_database_authentication is undefined",
+					"value": null
+				}
+			]
+		},
+		{
+			"query_name": "RDS With Backup Disabled",
+			"query_id": "e69890e6-fce5-461d-98ad-cb98318dfc96",
+			"query_url": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period",
+			"severity": "MEDIUM",
+			"platform": "Ansible",
+			"category": "Backup",
+			"description": "RDS configured without backup",
+			"description_id": "51f94eee",
+			"cis_description_id": "",
+			"cis_description_title": "",
+			"cis_description_text": "",
+			"files": [
+				{
+					"file_name": "insecure.yml",
+					"similarity_id": "ca3f45dad040f4e157bb7541efa4eddfdd77cb5d43f8c1ffe7c8d7facc461545",
+					"line": 6,
+					"issue_type": "MissingAttribute",
+					"search_key": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{rds_instance}}",
+					"search_value": "",
+					"expected_value": "rds_instance should have the property 'backup_retention_period' greater than 0",
+					"actual_value": "rds_instance has the property 'backup_retention_period' unassigned",
+					"value": null
+				}
+			]
+		}
+	],
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 4,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 1
+	},
+	"total_counter": 5,
+	"start": "2021-09-02T20:03:59.0343292Z",
+	"end": "2021-09-02T20:04:02.596282Z",
+	"paths": [
+		"."
+	]
+}
diff --git a/tests/test.py b/tests/test.py
@@ -321,6 +321,11 @@ def run_terraform(*, image: str, final: bool = False):
             "terraform init",
             0,
         ),
+        (
+            {"KICS_EXCLUDE_SEVERITIES": "info"},
+            "terraform validate",
+            0,
+        ),
     ]
 
     LOG.debug("Testing secure terraform configurations")
@@ -482,6 +487,31 @@ def run_terraform(*, image: str, final: bool = False):
             '/usr/bin/env bash -c "KICS_QUERIES=5a2486aa-facf-477d-a5c1-b010789459ce terraform --skip-tfsec --skip-terrascan --skip-checkov validate"',
             50,
         ),
+        (
+            {
+                "SKIP_CHECKOV": "true",
+                "SKIP_TFSEC": "true",
+                "SKIP_TERRASCAN": "true",
+                "KICS_EXCLUDE_SEVERITIES": "medium",
+            },
+            "terraform validate",
+            50,
+        ),  # Doesn't exclude high
+        (
+            {
+                "SKIP_CHECKOV": "true",
+                "SKIP_TFSEC": "true",
+                "SKIP_TERRASCAN": "true",
+                "KICS_EXCLUDE_SEVERITIES": "info,low,medium,high",
+            },
+            "terraform validate",
+            0,
+        ),  # Excludes all the severities
+        (
+            {},
+            '/usr/bin/env bash -c "KICS_EXCLUDE_SEVERITIES=info,low,medium,high terraform --skip-tfsec --skip-terrascan --skip-checkov validate"',
+            0,
+        ),  # Excludes all the severities
     ]
 
     num_tests_ran += exec_tests(tests=tests, volumes=kics_volumes, image=image)
@@ -884,6 +914,25 @@ def run_ansible(*, image: str):
             "/usr/bin/env bash -c 'KICS_QUERIES=7dfb316c-a6c2-454d-b8a2-97f147b0c0ff ansible-playbook insecure.yml --check'",
             50,
         ),
+        (
+            {
+                "KICS_EXCLUDE_SEVERITIES": "info,low",
+            },
+            "ansible-playbook insecure.yml --check",
+            50,
+        ),  # Doesn't exclude high or medium
+        (
+            {
+                "KICS_EXCLUDE_SEVERITIES": "high,medium",
+            },
+            "ansible-playbook insecure.yml --check",
+            0,
+        ),  # Excludes all the relevant severities
+        (
+            {},
+            '/usr/bin/env bash -c "KICS_EXCLUDE_SEVERITIES=info,low,medium,high ansible-playbook insecure.yml --check',
+            0,
+        ),  # Excludes all the severities
     ]
 
     num_tests_ran += exec_tests(tests=tests, volumes=kics_volumes, image=image)