fix yaml tab issues

go.mod

@@ -3,7 +3,7 @@ module github.com/aquasecurity/cfsec
 go 1.16
 
 require (
-	github.com/aquasecurity/defsec v0.0.10
+	github.com/aquasecurity/defsec v0.0.12
 	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/liamg/clinch v1.5.6
 	github.com/liamg/jfather v0.0.2

go.sum

@@ -53,6 +53,10 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/defsec v0.0.10 h1:R3C0DAx0FJyzYbjbZWYCiabFYuqpDcXBIKIQTfu/EjY=
 github.com/aquasecurity/defsec v0.0.10/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
+github.com/aquasecurity/defsec v0.0.11 h1:OBnCyu8KWjfRVk4gdpQE4aLlWJEwwwlJmUsZVNLPEBc=
+github.com/aquasecurity/defsec v0.0.11/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
+github.com/aquasecurity/defsec v0.0.12 h1:n7wP/qsUBaN+krjX7cwY4Pj4P3P5VestF8gzhpSiY30=
+github.com/aquasecurity/defsec v0.0.12/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=

internal/app/cfsec/adapter/aws/vpc/vpc.go

@@ -86,6 +86,12 @@ func getRules(id string, ctx parser.FileContext) (rules []vpc.NetworkACLRule) {
 			} else {
 				rule.Action = types.StringDefault(vpc.ActionDeny, ruleResource.Metadata())
 			}
+			protocolProperty := ruleResource.GetProperty("Protocol")
+			if protocolProperty.IsInt() {
+				rule.Protocol = protocolProperty.AsIntValue()
+			} else {
+				rule.Protocol = types.IntDefault(-1, ruleResource.Metadata())
+			}
 			rules = append(rules, rule)
 		}
 	}

internal/app/cfsec/parser/property.go

@@ -146,6 +146,17 @@ func (p *Property) IsNotNil() bool {
 	return !p.IsNil()
 }
 
+func (p *Property) IsInt() bool {
+	if p.IsNil() {
+		return false
+	}
+	return p.Inner.Type == cftypes.Int
+}
+
+func (p *Property) IsNotInt() bool {
+	return !p.IsInt()
+}
+
 func (p *Property) IsString() bool {
 	if p.IsNil() {
 		return false
@@ -198,12 +209,20 @@ func (p *Property) AsStringValue() types.StringValue {
 	return types.StringExplicit(p.AsString(), p.Metadata())
 }
 
+func (p *Property) AsInt() int {
+	return p.Inner.Value.(int)
+}
+
+func (p *Property) AsIntValue() types.IntValue {
+	return types.IntExplicit(p.AsInt(), p.Metadata())
+}
+
 func (p *Property) AsBool() bool {
 	return p.Inner.Value.(bool)
 }
 
 func (p *Property) AsBoolValue() types.BoolValue {
-	return types.Bool(p.AsBool(), p.Metadata())
+	return types.BoolExplicit(p.AsBool(), p.Metadata())
 }
 
 func (p *Property) AsMap() map[string]*Property {

internal/app/cfsec/parser/resource.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Resource struct {
-	ctx FileContext
+	ctx     FileContext
 	rng     types.Range
 	id      string
 	comment string
@@ -47,7 +47,6 @@ func (r *Resource) setFile(filepath string) {
 func (r *Resource) setContext(ctx FileContext) {
 	r.ctx = ctx
 
-
 	for _, p := range r.Inner.Properties {
 		p.setContext(ctx)
 	}

internal/app/cfsec/rules/aws/vpc/add_description_to_security_group_rule_rule.go

@@ -0,0 +1,44 @@
+package vpc
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/vpc"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad Example of ApiGateway
+Resources:
+  BadSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Limits security group egress traffic
+      SecurityGroupEgress:
+      - CidrIp: 127.0.0.1/32
+        IpProtocol: "-1"
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad Example of ApiGateway
+Resources:
+  GoodSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Limits security group egress traffic
+      SecurityGroupEgress:
+      - CidrIp: 127.0.0.1/32
+        Description: "Can connect to loopback"
+        IpProtocol: "-1"
+`,
+		},
+		Base: vpc.CheckAddDescriptionToSecurityGroupRule,
+	})
+}

internal/app/cfsec/rules/aws/vpc/add_description_to_security_group_rule_rule_test.go

@@ -0,0 +1,17 @@
+package vpc
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_VPCSGRDescription_FailureExamples(t *testing.T) {
+	expectedCode := "aws-vpc-add-description-to-security-group-rule"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_VPCSGRDescription_PassedExamples(t *testing.T) {
+	expectedCode := "aws-vpc-add-description-to-security-group-rule"
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/rules/aws/vpc/add_description_to_security_group_rule_test.go

@@ -6,12 +6,12 @@ import (
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
 )
 
-func Test_EnableAccessLogging_FailureExamples(t *testing.T) {
+func Test_VPCSGDescription_FailureExamples(t *testing.T) {
 	expectedCode := "aws-vpc-add-description-to-security-group"
 	test.RunFailureExamplesTest(t, expectedCode)
 }
 
-func Test_EnableAccessLogging_PassedExamples(t *testing.T) {
+func Test_VPCSGDescription_SuccessExamples(t *testing.T) {
 	expectedCode := "aws-vpc-add-description-to-security-group"
 	test.RunPassingExamplesTest(t, expectedCode)
 }

internal/app/cfsec/rules/aws/vpc/no_excessive_port_access_rule.go

@@ -0,0 +1,49 @@
+package vpc
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/vpc"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad Example of ApiGateway
+Resources:
+  NetworkACL:
+    Type: AWS::EC2::NetworkAcl
+    Properties:
+      VpcId: "something"
+  Rule:
+    Type: AWS::EC2::NetworkAclEntry
+    Properties:
+      NetworkAclId:
+        Ref: NetworkACL
+      Protocol: -1
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad Example of ApiGateway
+Resources: 
+  NetworkACL:
+    Type: AWS::EC2::NetworkAcl
+    Properties:
+      VpcId: "something"
+  Rule:
+    Type: AWS::EC2::NetworkAclEntry
+    Properties:
+      NetworkAclId:
+        Ref: NetworkACL
+        Protocol: 6
+`,
+		},
+		Base: vpc.CheckNoExcessivePortAccess,
+	})
+}

internal/app/cfsec/rules/aws/vpc/no_excessive_port_access_rule_test.go

@@ -0,0 +1,17 @@
+package vpc
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_VPC_ExcessivePortAccess_FailureExamples(t *testing.T) {
+	expectedCode := "aws-vpc-no-excessive-port-access"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_VPC_ExcessivePortAccess_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-vpc-no-excessive-port-access"
+	test.RunPassingExamplesTest(t, expectedCode)
+}

internal/app/cfsec/test/runner.go

@@ -24,7 +24,10 @@ func RunPassingExamplesTest(t *testing.T, expectedCode string) {
 		if strings.TrimSpace(goodExample) == "" {
 			t.Fatalf("Good example code not provided for %s", rule.ID())
 		}
-		results := scanTestSource(goodExample, t)
+		results, err := scanTestSource(goodExample, t)
+		if err != nil {
+			t.Fatal(err)
+		}
 		testutil.AssertCheckCode(t, "", rule.ID(), results)
 	}
 
@@ -42,40 +45,43 @@ func RunFailureExamplesTest(t *testing.T, expectedCode string) {
 		if strings.TrimSpace(badExample) == "" {
 			t.Fatalf("bad example code not provided for %s", rule.ID())
 		}
-		results := scanTestSource(badExample, t)
+		results, err := scanTestSource(badExample, t)
+		if err != nil {
+			t.Fatal(err)
+		}
 		testutil.AssertCheckCode(t, rule.ID(), "", results)
 	}
 }
 
-func scanTestSource(source string, t *testing.T) []rules.Result {
+func scanTestSource(source string, t *testing.T) ([]rules.Result, error) {
 
 	fs, err := filesystem.New()
 	if err != nil {
-		t.Fatal(err)
+		return nil, err
 	}
 	defer fs.Close()
 
-	source = strings.TrimSpace(strings.ReplaceAll(source, "\t", "  "))
-
 	ext := "yaml"
 	if source[0] == '{' {
 		ext = "json"
+	} else if strings.Contains(source, "\t") {
+		return nil, fmt.Errorf("source yaml contains tab characters - please replace them:\n%q\n\n", source)
 	}
 
 	filename := fmt.Sprintf("test.%s", ext)
 
 	if err := fs.WriteTextFile(filename, source); err != nil {
-		t.Fatal(err)
+		return nil, err
 	}
 
 	path := fs.RealPath(filename)
 
 	fileCtx, err := parser.ParseFiles(path)
 	if err != nil {
-		t.Fatal(err)
+		return nil, err
 	}
 
 	s := scanner.New()
-	return s.Scan(fileCtx)
+	return s.Scan(fileCtx), nil
 
 }

vendor/modules.txt

@@ -17,7 +17,7 @@ github.com/ProtonMail/go-crypto/openpgp/packet
 github.com/ProtonMail/go-crypto/openpgp/s2k
 # github.com/acomagu/bufpipe v1.0.3
 github.com/acomagu/bufpipe
-# github.com/aquasecurity/defsec v0.0.10
+# github.com/aquasecurity/defsec v0.0.12
 ## explicit
 github.com/aquasecurity/defsec/cidr
 github.com/aquasecurity/defsec/provider