Merge pull request #6314 from tunakyonn/feat/add_nifcloud_engine_support

feat(nifcloud): add nifcloud engine support
Checkmarx · Nov 16, 2023 · a58a315 · a58a315
2 parents c6af14e + 0ec486c
commit a58a315
Show file tree

Hide file tree

Showing 12 changed files with 93 additions and 4 deletions.
diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
@@ -76,7 +76,8 @@
                 "aws",
                 "azure",
                 "common",
-                "gcp"
+                "gcp",
+                "nifcloud"
             ]
         },
         "platform": {

diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
@@ -0,0 +1,12 @@
+{
+    "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9",
+    "queryName": "Nifcloud Computing Has Common Private Network",
+    "severity": "LOW",
+    "category": "Networking and Firewall",
+    "descriptionText": "The instance has common private network",
+    "descriptionUrl": "https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id",
+    "platform": "Terraform",
+    "descriptionID": "c5065d3a",
+    "cloudProvider": "nifcloud",
+    "experimental": "true"
+}
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
@@ -0,0 +1,36 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+	instance := input.document[i].resource.nifcloud_instance[name]
+	instance.network_interface[_].network_id == "net-COMMON_PRIVATE"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "nifcloud_instance",
+		"resourceName": tf_lib.get_resource_name(instance, name),
+		"searchKey": sprintf("nifcloud_instance[%s]", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'nifcloud_instance[%s]' should use a private LAN to isolate the private side network from the shared network", [name]),
+		"keyActualValue": sprintf("'nifcloud_instance[%s]' has common private network", [name]),
+	}
+}
+
+CxPolicy[result] {
+
+	instance := input.document[i].resource.nifcloud_instance[name]
+	instance.network_interface.network_id == "net-COMMON_PRIVATE"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "nifcloud_instance",
+		"resourceName": tf_lib.get_resource_name(instance, name),
+		"searchKey": sprintf("nifcloud_instance[%s]", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'nifcloud_instance[%s]' should use a private LAN to isolate the private side network from the shared network", [name]),
+		"keyActualValue": sprintf("'nifcloud_instance[%s]' has common private network", [name]),
+	}
+}
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/negative.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/negative.tf
@@ -0,0 +1,7 @@
+resource "nifcloud_instance" "negative" {
+  image_id        = data.nifcloud_image.ubuntu.id
+  security_group  = nifcloud_security_group.example.group_name
+  network_interface {
+    network_id = nifcloud_private_lan.main.id
+  }
+}
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive1.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive1.tf
@@ -0,0 +1,7 @@
+resource "nifcloud_instance" "positive" {
+  image_id        = data.nifcloud_image.ubuntu.id
+  security_group  = nifcloud_security_group.example.group_name
+  network_interface {
+    network_id = "net-COMMON_PRIVATE"
+  }
+}
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive2.tf b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive2.tf
@@ -0,0 +1,10 @@
+resource "nifcloud_instance" "positive" {
+  image_id        = data.nifcloud_image.ubuntu.id
+  security_group  = nifcloud_security_group.example.group_name
+  network_interface {
+    network_id = "net-COMMON_GLOBAL"
+  }
+  network_interface {
+    network_id = "net-COMMON_PRIVATE"
+  }
+}
diff --git a/...rraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/...rraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Nifcloud Computing Has Common Private Network",
+		"severity": "LOW",
+		"line": 1,
+		"fileName": "positive1.tf"
+	},
+	{
+		"queryName": "Nifcloud Computing Has Common Private Network",
+		"severity": "LOW",
+		"line": 1,
+		"fileName": "positive2.tf"
+	}
+]
diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help
@@ -3,7 +3,7 @@ Usage:
 
 Flags:
   -m, --bom                           include bill of materials (BoM) in results output
-      --cloud-provider strings        list of cloud providers to scan (alicloud, aws, azure, gcp)
+      --cloud-provider strings        list of cloud providers to scan (alicloud, aws, azure, gcp, nifcloud)
       --config string                 path to configuration file
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
       --disable-secrets               disable secrets scanning

diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -83,6 +83,7 @@ var (
 		"aws":      "",
 		"azure":    "",
 		"gcp":      "",
+		"nifcloud": "",
 	}
 )
 

diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
@@ -82,7 +82,7 @@ func ListSupportedPlatforms() []string {
 
 // ListSupportedCloudProviders returns a list of supported cloud providers
 func ListSupportedCloudProviders() []string {
-	return []string{"alicloud", "aws", "azure", "gcp"}
+	return []string{"alicloud", "aws", "azure", "gcp", "nifcloud"}
 }
 
 func getLibraryInDir(platform, libraryDirPath string) string {

diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go
@@ -821,7 +821,7 @@ func TestSource_validateMetadata(t *testing.T) {
 
 // TestSource_ListSupportedCloudProviders tests the function ListSupportedCloudProviders.
 func TestSource_ListSupportedCloudProviders(t *testing.T) {
-	want := []string{"alicloud", "aws", "azure", "gcp"}
+	want := []string{"alicloud", "aws", "azure", "gcp", "nifcloud"}
 	t.Run("test List Supported CP", func(t *testing.T) {
 		got := ListSupportedCloudProviders()
 		require.Equal(t, want, got)

diff --git a/test/main_test.go b/test/main_test.go
@@ -40,6 +40,7 @@ var (
 		"../assets/queries/terraform/kubernetes":            {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/terraform/general":               {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/terraform/alicloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+		"../assets/queries/terraform/nifcloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/crossplane/aws":                  {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
 		"../assets/queries/crossplane/azure":                {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
 		"../assets/queries/crossplane/gcp":                  {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},