Checkmarx · joaoReigota1 · Mar 16, 2022 · Mar 8, 2022 · Mar 15, 2022
@@ -3,7 +3,7 @@
   "queryName": "Memory Requests Not Defined",
   "severity": "MEDIUM",
   "category": "Resource Management",
-  "descriptionText": "Memory requests should be specified",
+  "descriptionText": "Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes",
   "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/",
   "platform": "Kubernetes",
   "descriptionID": "3dcbd683"

@@ -1,63 +1,25 @@
 package Cx
 
 import data.generic.common as common_lib
+import data.generic.k8s as k8sLib
 
 types := {"initContainers", "containers"}
 
 CxPolicy[result] {
 	document := input.document[i]
-	spec := document.spec
+	specInfo := k8sLib.getSpecInfo(document)
+	container := specInfo.spec[types[t]][_]
 
-	containers := spec[types[t]][c]
-
-	requests := containers.resources.requests
+	resources := object.get(container, "resources", {})
+	requests := object.get(resources, "requests", {})
 	not common_lib.valid_key(requests, "memory")
 
 	metadata := document.metadata
-
-	result := {
-		"documentId": document.id,
-		"searchKey": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources.requests", [metadata.name, types[t], containers.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources.requests.memory is defined", [metadata.name, types[t], containers.name]),
-		"keyActualValue": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources.requests.memory is undefined", [metadata.name, types[t], containers.name]),
-	}
-}
-
-CxPolicy[result] {
-	document := input.document[i]
-	spec := document.spec
-
-	containers := spec[types[t]][c]
-
-	not common_lib.valid_key(containers, "resources")
-	metadata := document.metadata
-
-	result := {
-		"documentId": document.id,
-		"searchKey": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}", [metadata.name, types[t], containers.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources are defined", [metadata.name, types[t], containers.name]),
-		"keyActualValue": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources are undefined", [metadata.name, types[t], containers.name]),
-	}
-}
-
-CxPolicy[result] {
-	document := input.document[i]
-	spec := document.spec
-
-	containers := spec[types[t]][c]
-
-	resources := containers.resources
-	not common_lib.valid_key(resources, "requests")
-
-	metadata := document.metadata
-
 	result := {
 		"documentId": document.id,
-		"searchKey": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources", [metadata.name, types[t], containers.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.requests", [metadata.name, specInfo.path, types[t], container.name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources.requests are defined", [metadata.name, types[t], containers.name]),
-		"keyActualValue": sprintf("metadata.name={{%s}}.spec.%s.name={{%s}}.resources.requests are undefined", [metadata.name, types[t], containers.name]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.requests.memory is defined", [metadata.name, specInfo.path, types[t], container.name]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.requests.memory is undefined", [metadata.name, specInfo.path, types[t], container.name]),
 	}
 }
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment-ctr-neg
+  labels:
+    app: test-neg
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: test-ctr-neg
+  template:
+    metadata:
+      labels:
+        app: test-ctr-neg
+    spec:
+      containers:
+        - name:  pause
+          image: k8s.gcr.io/pause
+          resources:
+            limits:
+              cpu: 0.5
+              memory: 512Mi
+            requests:
+              cpu: 0.5
+              memory: 512Mi
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment2
+  labels:
+    app: test2
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: test2
+  template:
+    metadata:
+      labels:
+        app: test2
+    spec:
+      containers:
+        - name:  pause
+          image: k8s.gcr.io/pause
+          resources:
+            limits:
+              cpu: 0.5
+              memory: 512Mi
@@ -2,21 +2,31 @@
   {
     "queryName": "Memory Requests Not Defined",
     "severity": "MEDIUM",
-    "line": 13
+    "line": 13,
+    "fileName": "positive1.yaml"
   },
   {
     "queryName": "Memory Requests Not Defined",
     "severity": "MEDIUM",
-    "line": 27
+    "line": 27,
+    "fileName": "positive1.yaml"
   },
   {
     "queryName": "Memory Requests Not Defined",
     "severity": "MEDIUM",
-    "line": 40
+    "line": 40,
+    "fileName": "positive1.yaml"
   },
   {
     "queryName": "Memory Requests Not Defined",
     "severity": "MEDIUM",
-    "line": 59
+    "line": 59,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "Memory Requests Not Defined",
+    "severity": "MEDIUM",
+    "line": 20,
+    "fileName": "positive2.yaml"
   }
 ]