Merge pull request #6773 from Checkmarx/joaom/kics-988

feat(engine): improve detection of Ansible files
Checkmarx · Nov 6, 2023 · 5131c60 · 5131c60
2 parents fe05f97 + dc64f00
commit 5131c60
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 14 deletions.
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
@@ -60,7 +60,7 @@ var (
 	pulumiRuntimeRegex                              = regexp.MustCompile(`runtime\s*:`)
 	pulumiResourcesRegex                            = regexp.MustCompile(`resources\s*:`)
 	serverlessServiceRegex                          = regexp.MustCompile(`service\s*:`)
-	serverlessProviderRegex                         = regexp.MustCompile(`provider\s*:`)
+	serverlessProviderRegex                         = regexp.MustCompile(`(^|\n)provider\s*:`)
 	cicdOnRegex                                     = regexp.MustCompile(`\s*on:\s*`)
 	cicdJobsRegex                                   = regexp.MustCompile(`\s*jobs:\s*`)
 	cicdStepsRegex                                  = regexp.MustCompile(`\s*steps:\s*`)
@@ -100,6 +100,10 @@ var (
 		"pulumi":               {"pulumi"},
 		"serverlessfw":         {"serverlessfw"},
 	}
+	listKeywordsAnsible = []string{"name", "gather_facts",
+		"hosts", "tasks", "become", "with_items", "with_dict",
+		"when", "become_pass", "become_exe", "become_flags"}
+	playBooks = "playbooks"
 )
 
 const (
@@ -543,9 +547,30 @@ func checkYamlPlatform(content []byte, path string) string {
 		}
 	}
 
-	// Since Ansible has no defining property
-	// and no other type matched for YAML file extension, assume the file type is Ansible
-	return ansible
+	// check if the file contains some keywords related with Ansible
+	if checkForAnsible(yamlContent) {
+		return ansible
+	}
+	return ""
+}
+
+func checkForAnsible(yamlContent model.Document) bool {
+	isAnsible := false
+	if play := yamlContent[playBooks]; play != nil {
+		if listOfPlayBooks, ok := play.([]interface{}); ok {
+			for _, value := range listOfPlayBooks {
+				castingValue, ok := value.(map[string]interface{})
+				if ok {
+					for _, keyword := range listKeywordsAnsible {
+						if _, ok := castingValue[keyword]; ok {
+							isAnsible = true
+						}
+					}
+				}
+			}
+		}
+	}
+	return isAnsible
 }
 
 // computeValues computes expected Lines of Code to be scanned from locCount channel

diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go
@@ -28,10 +28,11 @@ func TestAnalyzer_Analyze(t *testing.T) {
 			wantExclude: []string{
 				filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"),
-				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")},
+				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")},
 			typesFromFlag:        []string{""},
 			excludeTypesFromFlag: []string{""},
-			wantLOC:              835,
+			wantLOC:              834,
 			wantErr:              false,
 			gitIgnoreFileName:    "",
 			excludeGitIgnore:     false,
@@ -193,11 +194,11 @@ func TestAnalyzer_Analyze(t *testing.T) {
 			paths: []string{
 				filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"),
 			},
-			wantTypes:            []string{"ansible"},
-			wantExclude:          []string{},
+			wantTypes:            []string{},
+			wantExclude:          []string{filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")},
 			typesFromFlag:        []string{""},
 			excludeTypesFromFlag: []string{""},
-			wantLOC:              1,
+			wantLOC:              0,
 			wantErr:              false,
 			gitIgnoreFileName:    "",
 			excludeGitIgnore:     false,
@@ -208,17 +209,26 @@ func TestAnalyzer_Analyze(t *testing.T) {
 			wantTypes: []string{"ansible", "pulumi"},
 			wantExclude: []string{
 				filepath.FromSlash("../../test/fixtures/analyzer_test/azureResourceManager.json"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/cloudformation.yaml"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/crossplane.yaml"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/docker-compose.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/gdm.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/helm/Chart.yaml"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/helm/templates/service.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/helm/values.yaml"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/k8s.yaml"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/knative.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI.json"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.json"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/openAPI_test/openAPI.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"),
-				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")},
+				filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/github.yaml")},
 			typesFromFlag:        []string{"ansible", "pulumi"},
 			excludeTypesFromFlag: []string{""},
-			wantLOC:              533,
+			wantLOC:              374,
 			wantErr:              false,
 			gitIgnoreFileName:    "",
 			excludeGitIgnore:     false,
@@ -247,10 +257,11 @@ func TestAnalyzer_Analyze(t *testing.T) {
 			wantExclude: []string{
 				filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"),
-				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink")},
+				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml")},
 			typesFromFlag:        []string{""},
 			excludeTypesFromFlag: []string{""},
-			wantLOC:              835,
+			wantLOC:              834,
 			wantErr:              false,
 			gitIgnoreFileName:    "",
 			excludeGitIgnore:     false,
@@ -263,10 +274,11 @@ func TestAnalyzer_Analyze(t *testing.T) {
 				filepath.FromSlash("../../test/fixtures/analyzer_test/pnpm-lock.yaml"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/not_openapi.json"),
 				filepath.FromSlash("../../test/fixtures/analyzer_test/dead_symlink"),
+				filepath.FromSlash("../../test/fixtures/analyzer_test/undetected.yaml"),
 			},
 			typesFromFlag:        []string{""},
 			excludeTypesFromFlag: []string{""},
-			wantLOC:              835,
+			wantLOC:              834,
 			wantErr:              false,
 			gitIgnoreFileName:    "",
 			excludeGitIgnore:     false,