fix(secret): convert severity for custom rules (aquasecurity#6500)

DmitriyLewen · Apr 16, 2024 · 46d5aba · 46d5aba
1 parent 34ab09d
commit 46d5aba
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 1 deletion.
diff --git a/pkg/fanal/secret/scanner.go b/pkg/fanal/secret/scanner.go
@@ -286,16 +286,32 @@ func ParseConfig(configPath string) (*Config, error) {
 	}
 	defer f.Close()
 
-	logger.Info("Loading the config file s for secret scanning...")
+	logger.Info("Loading the config file for secret scanning...")
 
 	var config Config
 	if err = yaml.NewDecoder(f).Decode(&config); err != nil {
 		return nil, xerrors.Errorf("secrets config decode error: %w", err)
 	}
 
+	// Update severity for custom rules
+	for i := range config.CustomRules {
+		config.CustomRules[i].Severity = convertSeverity(logger, config.CustomRules[i].Severity)
+	}
+
 	return &config, nil
 }
 
+// convertSeverity checks the severity and converts it to uppercase or uses "UNKNOWN" for the wrong severity.
+func convertSeverity(logger *log.Logger, severity string) string {
+	switch strings.ToLower(severity) {
+	case "low", "medium", "high", "critical", "unknown":
+		return strings.ToUpper(severity)
+	default:
+		logger.Warn("Incorrect severity", log.String("severity", severity))
+		return "UNKNOWN"
+	}
+}
+
 func NewScanner(config *Config) Scanner {
 	logger := log.WithPrefix("secret")
 

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -916,6 +916,33 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFinding8},
 			},
 		},
+		{
+			name:          "add unknown severity when rule has no severity",
+			configPath:    filepath.Join("testdata", "config-with-incorrect-severity.yaml"),
+			inputFilePath: filepath.Join("testdata", "secret.txt"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "secret.txt"),
+				Findings: []types.SecretFinding{wantFinding8},
+			},
+		},
+		{
+			name:          "update severity if rule severity is not in uppercase",
+			configPath:    filepath.Join("testdata", "config-with-non-uppercase-severity.yaml"),
+			inputFilePath: filepath.Join("testdata", "secret.txt"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "secret.txt"),
+				Findings: []types.SecretFinding{wantFinding8},
+			},
+		},
+		{
+			name:          "use unknown severity when rule has incorrect severity",
+			configPath:    filepath.Join("testdata", "config-with-incorrect-severity.yaml"),
+			inputFilePath: filepath.Join("testdata", "secret.txt"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "secret.txt"),
+				Findings: []types.SecretFinding{wantFinding8},
+			},
+		},
 		{
 			name:          "invalid aws secrets",
 			configPath:    filepath.Join("testdata", "skip-test.yaml"),

diff --git a/pkg/fanal/secret/testdata/config-with-incorrect-severity.yaml b/pkg/fanal/secret/testdata/config-with-incorrect-severity.yaml
@@ -0,0 +1,9 @@
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: bad
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>somevalue)['"]
+    secret-group-name: secret
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-with-non-uppercase-severity.yaml b/pkg/fanal/secret/testdata/config-with-non-uppercase-severity.yaml
@@ -0,0 +1,9 @@
+rules:
+  - id: rule1
+    category: general
+    title: Generic Rule
+    severity: uNknown
+    regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>somevalue)['"]
+    secret-group-name: secret
+disable-allow-rules:
+  - tests