SQS adaptation and rules

go.mod

@@ -3,7 +3,7 @@ module github.com/aquasecurity/cfsec
 go 1.16
 
 require (
-	github.com/aquasecurity/defsec v0.0.14
+	github.com/aquasecurity/defsec v0.0.15
 	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/liamg/clinch v1.5.6
 	github.com/liamg/jfather v0.0.2

go.sum

@@ -61,6 +61,8 @@ github.com/aquasecurity/defsec v0.0.13 h1:gX3hnwndcnKYGAuPJDDh85lolKxNziTJtdJINl
 github.com/aquasecurity/defsec v0.0.13/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/aquasecurity/defsec v0.0.14 h1:8Ww1zHXV8LmcS5NB/5H8h3vBLEYaYwIf63mHw+R2bC4=
 github.com/aquasecurity/defsec v0.0.14/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
+github.com/aquasecurity/defsec v0.0.15 h1:WmUxI6ep6uHDeXxbVIqBZn/QKxhPO4YaBSmirapV7ok=
+github.com/aquasecurity/defsec v0.0.15/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=

internal/app/cfsec/adapter/aws/adapt.go

@@ -16,16 +16,16 @@ import (
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/ecr"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/ecs"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/efs"
-	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/iam"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/eks"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/elasticache"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/iam"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/s3"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/sqs"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/ssm"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/vpc"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/workspaces"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
 	"github.com/aquasecurity/defsec/provider/aws"
-
 )
 
 func Adapt(cfFile parser.FileContext) aws.AWS {
@@ -45,11 +45,11 @@ func Adapt(cfFile parser.FileContext) aws.AWS {
 		ECR:         ecr.Adapt(cfFile),
 		ECS:         ecs.Adapt(cfFile),
 		EFS:         efs.Adapt(cfFile),
-
 		IAM:         iam.Adapt(cfFile),
 		EKS:         eks.Adapt(cfFile),
 		ElastiCache: elasticache.Adapt(cfFile),
 		S3:          s3.Adapt(cfFile),
+		SQS:         sqs.Adapt(cfFile),
 		SSM:         ssm.Adapt(cfFile),
 		VPC:         vpc.Adapt(cfFile),
 		WorkSpaces:  workspaces.Adapt(cfFile),

internal/app/cfsec/adapter/aws/iam/iam.go

@@ -1,8 +1,6 @@
 package iam
 
 import (
-	"fmt"
-
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/util"
 	"github.com/aquasecurity/defsec/provider/aws/iam"
@@ -19,7 +17,6 @@ func Adapt(cfFile parser.FileContext) iam.IAM {
 
 func retrieveDocument(prop *parser.Property, resource *parser.Resource) (*iam.PolicyDocument, error) {
 	policyDoc := util.GetJsonBytes(prop, resource.SourceFormat())
-	fmt.Printf("%s\n\n", string(policyDoc))
 	return iam.ParsePolicyDocument(policyDoc, prop.Metadata())
 }
 

internal/app/cfsec/parser/property_helpers.go

@@ -19,15 +19,16 @@ func (p *Property) IsString() bool {
 	if p.IsNil() {
 		return false
 	}
+	if p.isFunction() {
+		return p.resolveValue().IsString()
+	}
 	return p.Inner.Type == cftypes.String
 }
 
-
 func (p *Property) IsNotString() bool {
 	return !p.IsString()
 }
 
-
 func (p *Property) IsInt() bool {
 	if p.IsNil() {
 		return false
@@ -73,6 +74,9 @@ func (p *Property) IsNotBool() bool {
 }
 
 func (p *Property) AsString() string {
+	if p.isFunction() {
+		return p.resolveValue().AsString()
+	}
 	return p.Inner.Value.(string)
 }
 
@@ -112,7 +116,6 @@ func (p *Property) EqualTo(checkValue interface{}, equalityOptions ...EqualityOp
 		}
 	}
 
-
 	if p.IsNil() {
 		return checkValue == nil
 	}

internal/app/cfsec/rules/aws/ssm/secret_use_customer_key_rule_test.go

@@ -11,7 +11,7 @@ func Test_SSM_SecretUseCustomerKey_FailureExamples(t *testing.T) {
 	test.RunFailureExamplesTest(t, expectedCode)
 }
 
-func Test_VPC_SecretUseCustomerKey_SuccessExamples(t *testing.T) {
+func Test_SSM_SecretUseCustomerKey_SuccessExamples(t *testing.T) {
 	expectedCode := "aws-ssm-secret-use-customer-key"
 	test.RunPassingExamplesTest(t, expectedCode)
 }

vendor/modules.txt

@@ -17,7 +17,7 @@ github.com/ProtonMail/go-crypto/openpgp/packet
 github.com/ProtonMail/go-crypto/openpgp/s2k
 # github.com/acomagu/bufpipe v1.0.3
 github.com/acomagu/bufpipe
-# github.com/aquasecurity/defsec v0.0.14
+# github.com/aquasecurity/defsec v0.0.15
 ## explicit
 github.com/aquasecurity/defsec/cidr
 github.com/aquasecurity/defsec/provider
@@ -109,6 +109,7 @@ github.com/aquasecurity/defsec/rules/aws/eks
 github.com/aquasecurity/defsec/rules/aws/elasticache
 github.com/aquasecurity/defsec/rules/aws/iam
 github.com/aquasecurity/defsec/rules/aws/s3
+github.com/aquasecurity/defsec/rules/aws/sqs
 github.com/aquasecurity/defsec/rules/aws/ssm
 github.com/aquasecurity/defsec/rules/aws/vpc
 github.com/aquasecurity/defsec/rules/aws/workspaces