Add more support for the parser and the rendering of results

aquasecurity · Aug 13, 2021 · 91f9e68 · 91f9e68
1 parent a8f4f93
commit 91f9e68
Show file tree

Hide file tree

Showing 373 changed files with 191,812 additions and 46 deletions.
diff --git a/cmd/cfsec/main.go b/cmd/cfsec/main.go
@@ -1,14 +1,12 @@
 package main
 
 import (
-	"fmt"
 	"os"
 
-	"github.com/aquasecurity/cfsec/internal/app/cfsec/resource"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/formatters"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
 	_ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
-
-	"github.com/awslabs/goformation/v5"
 )
 
 func main() {
@@ -18,23 +16,13 @@ func main() {
 	}
 	filepath := os.Args[1]
 
-	template, err := goformation.Open(filepath)
+	resources, err := parser.New(filepath)
 	if err != nil {
 		panic(err)
 	}
-
-	var resources resource.Resources
-
-	for name, r := range template.Resources {
-		formationType := r.AWSCloudFormationType()
-		resources = append(resources, resource.NewCFResource(&r, formationType, string(name)))
-	}
-
 	s := scanner.New()
 	results := s.Scan(resources)
 
-	for _, r := range results {
-		fmt.Println(r.Description)
-	}
+	formatters.FormatDefault(os.Stdout, results, "")
 
 }
diff --git a/example/bucket.yaml b/example/bucket.yaml
@@ -1,6 +1,18 @@
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty
+  BucketKeyEnabled:
+    Type: Boolean
+    Default: false
+
 Resources:
   S3Bucket:
     Type: 'AWS::S3::Bucket'
-    DeletionPolicy: Retain
     Properties:
-      BucketName: bad-example
+      BucketName: 
+        Ref: BucketName
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: 
+            Ref: BucketKeyEnabled
diff --git a/go.mod b/go.mod
@@ -5,6 +5,9 @@ go 1.16
 require (
 	github.com/awslabs/goformation/v5 v5.2.7
 	github.com/kr/pretty v0.1.0 // indirect
+	github.com/liamg/clinch v1.5.6
+	github.com/liamg/tml v0.3.0
+	github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522
 	github.com/stretchr/testify v1.6.1
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -28,6 +28,10 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/liamg/clinch v1.5.6 h1:cgv8uUroVWW+d23Gfee3v0/bSOKy9d4vUWFlMeNoNS8=
+github.com/liamg/clinch v1.5.6/go.mod h1:IXM+nLBuZ5sOQAYYf9+G51nkaA0WY9cszxE5nPXexhE=
+github.com/liamg/tml v0.3.0 h1:Qz+R+E3BH07IgflYyB4dLijKZ+mZcKJEuC5pTNDWShc=
+github.com/liamg/tml v0.3.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -40,13 +44,15 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.12.0 h1:p4oGGk2M2UJc0wWN4lHFvIB71lxsh0T/UiKCCgFADY8=
 github.com/onsi/gomega v1.12.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
+github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b h1:jUK33OXuZP/l6babJtnLo1qsGvq6G9so9KMflGAm4YA=
 github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY=
 github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522 h1:fOCp11H0yuyAt2wqlbJtbyPzSgaxHTv8uN1pMpkG1t8=
 github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -58,11 +64,15 @@ github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56 h1:yhqBHs09Sm
 github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
@@ -74,6 +84,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -85,10 +96,12 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZOR
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190509153222-73554e0f7805/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

diff --git a/internal/app/cfsec/formatters/default.go b/internal/app/cfsec/formatters/default.go
@@ -0,0 +1,95 @@
+package formatters
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/result"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/severity"
+	"github.com/liamg/clinch/terminal"
+	"github.com/liamg/tml"
+)
+
+var severityFormat = map[severity.Severity]string{
+	severity.Low:      tml.Sprintf("<white>%s</white>", severity.Low),
+	severity.Medium:   tml.Sprintf("<yellow>%s</yellow>", severity.Medium),
+	severity.High:     tml.Sprintf("<red>%s</red>", severity.High),
+	severity.Critical: tml.Sprintf("<bold><red>%s</red></bold>", severity.Critical),
+}
+
+func FormatDefault(_ io.Writer, results []result.Result, _ string) error {
+
+	fmt.Println("")
+	for i, res := range results {
+		printResult(res, i, false)
+	}
+
+	terminal.PrintErrorf("\n  %d potential problems detected.\n\n", len(results))
+
+	return nil
+
+}
+
+func printResult(res result.Result, i int, includePassedChecks bool) {
+	resultHeader := fmt.Sprintf("  <underline>Result %d</underline>\n", i+1)
+	var severity string
+	if includePassedChecks && res.Status == result.Passed {
+		terminal.PrintSuccessf(resultHeader)
+		severity = tml.Sprintf("<green>PASSED</green>")
+	} else {
+		terminal.PrintErrorf(resultHeader)
+		severity = severityFormat[res.Severity]
+	}
+
+	_ = tml.Printf(`
+  <blue>[</blue>%s<blue>]</blue><blue>[</blue>%s<blue>]</blue> %s
+  <blue>%s</blue>
+  
+`, res.RuleID, severity, res.Description, res.Location)
+
+	render, err := res.Resource().Render()
+	if err != nil {
+		fmt.Fprint(os.Stderr, err.Error())
+	}
+
+	highlightRender(render, res.Attribute)
+
+	if res.LegacyRuleID != "" {
+		_ = tml.Printf("  <white>Legacy ID:  </white><blue>%s</blue>\n", res.LegacyRuleID)
+	}
+	if res.Impact != "" {
+		_ = tml.Printf("  <white>Impact:     </white><blue>%s</blue>\n", res.Impact)
+	}
+	if res.Resolution != "" {
+		_ = tml.Printf("  <white>Resolution: </white><blue>%s</blue>\n", res.Resolution)
+	}
+	if len(res.Links) > 0 {
+		_ = tml.Printf("\n  <white>More Info:</white>")
+	}
+	for _, link := range res.Links {
+		_ = tml.Printf("\n  <blue>- %s </blue>", link)
+	}
+
+	fmt.Printf("\n\n")
+}
+
+func highlightRender(renderText string, attributeOfInterest string) {
+	if attributeOfInterest == "" {
+		tml.Println(renderText)
+	} else {
+		var newLines []string
+
+		lines := strings.Split(renderText, "\n")
+		for _, line := range lines {
+			if strings.Contains(line, attributeOfInterest) {
+				newLines = append(newLines, fmt.Sprintf("  <red>%s</red>", line))
+			} else {
+				newLines = append(newLines, fmt.Sprintf("  %s", line))
+			}
+		}
+
+		tml.Printf(strings.Join(newLines, "\n"))
+	}
+}
diff --git a/internal/app/cfsec/parser/parser.go b/internal/app/cfsec/parser/parser.go
@@ -0,0 +1,33 @@
+package parser
+
+import (
+	"strings"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/resource"
+	"github.com/awslabs/goformation/v5"
+)
+
+type Parser struct{}
+
+func New(filepaths ...string) (resource.Resources, error) {
+
+	var resources resource.Resources
+	for _, filepath := range filepaths {
+		template, err := goformation.Open(filepath)
+		if err != nil {
+			return nil, err
+		}
+
+		sourceFormat := resource.DefaultFormat
+		if strings.HasSuffix(strings.ToLower(filepath), ".json") {
+			sourceFormat = resource.JsonFormat
+		}
+
+		for name, r := range template.Resources {
+			formationType := r.AWSCloudFormationType()
+			resources = append(resources, resource.NewCFResource(&r, formationType, string(name), sourceFormat, filepath))
+		}
+	}
+
+	return resources, nil
+}
diff --git a/internal/app/cfsec/resource/cfresource.go b/internal/app/cfsec/resource/cfresource.go
@@ -1,18 +1,39 @@
 package resource
 
-import "github.com/awslabs/goformation/v5/cloudformation"
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/awslabs/goformation/v5/cloudformation"
+	"github.com/awslabs/goformation/v5/intrinsics"
+	"github.com/sanathkr/yaml"
+)
+
+type SourceFormat string
+
+const (
+	DefaultFormat SourceFormat = YamlFormat
+	YamlFormat    SourceFormat = "yaml"
+	JsonFormat    SourceFormat = "json"
+)
 
 type CFResource struct {
 	resource     *cloudformation.Resource
 	resourceType string
 	resourceName string
+	sourceFormat SourceFormat
+	filepath     string
 }
 
-func NewCFResource(resource *cloudformation.Resource, resourceType string, resourceName string) Resource {
+func NewCFResource(resource *cloudformation.Resource, resourceType string, resourceName string, sourceFormat SourceFormat, filepath string) Resource {
 	return &CFResource{
 		resource:     resource,
 		resourceType: resourceType,
 		resourceName: resourceName,
+		filepath:     filepath,
+		sourceFormat: sourceFormat,
 	}
 }
 
@@ -31,3 +52,74 @@ func (r *CFResource) IsNil() bool {
 func (r *CFResource) Name() string {
 	return r.resourceName
 }
+
+func (r *CFResource) Filepath() string {
+	wd, err := os.Getwd()
+	if err != nil {
+		wd = ""
+	}
+	return path.Join(wd, r.filepath)
+}
+
+func (r *CFResource) Render() (string, error) {
+
+	jsonContent, err := getResolvedContent(r.filepath, r.resourceName, r.sourceFormat)
+	if err != nil {
+		return "", err
+	}
+
+	marshalStruct := map[string]interface{}{
+		r.resourceName: jsonContent,
+	}
+
+	output, err := json.MarshalIndent(marshalStruct, "", "  ")
+	if err != nil {
+		return "", err
+	}
+	if r.sourceFormat == JsonFormat {
+		return string(output), nil
+	}
+
+	y, err := yaml.JSONToYAML(output)
+	if err != nil {
+		return "", err
+	}
+	return string(y), nil
+}
+
+func getResolvedContent(filepath, resourceName string, format SourceFormat) (interface{}, error) {
+
+	b, err := ioutil.ReadFile(filepath)
+	if err != nil {
+		return nil, err
+	}
+
+	var content []byte
+
+	if format == JsonFormat {
+		content, err = intrinsics.ProcessJSON(b, nil)
+	} else {
+		content, err = intrinsics.ProcessYAML(b, nil)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	var t template
+	if err := json.Unmarshal(content, &t); err != nil {
+		return nil, err
+	}
+
+	for n, r := range t.Resources {
+		if n == resourceName {
+			return r, nil
+		}
+	}
+
+	return "", nil
+}
+
+type template struct {
+	Resources map[string]interface{} `json:"Resources,omitempty"`
+}
diff --git a/internal/app/cfsec/resource/resource.go b/internal/app/cfsec/resource/resource.go
@@ -7,4 +7,6 @@ type Resource interface {
 	Underlying() cloudformation.Resource
 	IsNil() bool
 	Name() string
+	Render() (string, error)
+	Filepath() string
 }