Adds: e2e test for docker IaC provider (tenable#968)

* Adds: e2e test for docker IaC provider * fix: added helper method to compare sarif output
mihirhasan · Aug 9, 2021 · cecdd6e · cecdd6e
1 parent 309e9f5
commit cecdd6e
Show file tree

Hide file tree

Showing 29 changed files with 766 additions and 693 deletions.
diff --git a/go.sum b/go.sum
diff --git a/...r_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_human.txt b/...r_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_human.txt
@@ -0,0 +1,24 @@
+
+
+Violation Details -
+
+	Description    :	Ensure platform flag with FROM command is not used for Docker file
+	File           :	Dockerfile
+	Line           :	1
+	Severity       :	MEDIUM
+
+	-----------------------------------------------------------------------
+
+
+Scan Summary -
+
+	File/Folder         :	/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker/dockerfile_with_platform_flag_violation
+	IaC Type            :	docker
+	Scanned At          :	2021-08-06 14:15:03.202473 +0000 UTC
+	Policies Validated  :	9
+	Violated Policies   :	1
+	Low                 :	0
+	Medium              :	1
+	High                :	0
+
+
diff --git a/...ockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_human_verbose.txt b/...ockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_human_verbose.txt
@@ -0,0 +1,29 @@
+
+
+Violation Details -
+
+	Description    :	Ensure platform flag with FROM command is not used for Docker file
+	File           :	Dockerfile
+	Line           :	1
+	Severity       :	MEDIUM
+	Rule Name      :	docFilePlatformFlag
+	Rule ID        :	AC_DOCKER_0001
+	Resource Name  :	Dockerfile
+	Resource Type  :	docker_from
+	Category       :	Infrastructure Security
+
+	-----------------------------------------------------------------------
+
+
+Scan Summary -
+
+	File/Folder         :	/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker
+	IaC Type            :	docker
+	Scanned At          :	2021-08-06 12:56:35.047008 +0000 UTC
+	Policies Validated  :	9
+	Violated Policies   :	1
+	Low                 :	0
+	Medium              :	1
+	High                :	0
+
+
diff --git a/...er_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_json.txt b/...er_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_json.txt
@@ -0,0 +1,28 @@
+{
+  "results": {
+    "violations": [
+      {
+        "rule_name": "docFilePlatformFlag",
+        "description": "Ensure platform flag with FROM command is not used for Docker file",
+        "rule_id": "AC_DOCKER_0001",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "Dockerfile",
+        "resource_type": "docker_from",
+        "file": "Dockerfile",
+        "line": 1
+      }
+    ],
+    "skipped_violations": null,
+    "scan_summary": {
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker/dockerfile_with_platform_flag_violation",
+      "iac_type": "docker",
+      "scanned_at": "2021-08-06 14:02:26.891841 +0000 UTC",
+      "policies_validated": 9,
+      "violated_policies": 1,
+      "low": 0,
+      "medium": 1,
+      "high": 0
+    }
+  }
+}
diff --git a/...an/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_junit_xml.txt b/...an/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_junit_xml.txt
@@ -0,0 +1,10 @@
+<testsuites tests="9" name="TERRASCAN_POLICY_SUITES" failures="1" time="0">
+  <testsuite tests="9" failures="1" time="0" name="TERRASCAN_POLICY_SUITE" package="/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker/dockerfile_with_platform_flag_violation">
+    <properties>
+      <property name="Terrascan Version" value="v1.8.1"></property>
+    </properties>
+    <testcase classname="Dockerfile" name="[ERROR] resource: &#34;Dockerfile&#34; at line: 1, violates: RULE - AC_DOCKER_0001" severity="MEDIUM" category="Infrastructure Security">
+      <failure message="Description: Ensure platform flag with FROM command is not used for Docker file, File: Dockerfile, Line: 1, Severity: MEDIUM, Rule Name: docFilePlatformFlag, Rule ID: AC_DOCKER_0001, Resource Name: Dockerfile, Resource Type: docker_from, Category: Infrastructure Security" type=""></failure>
+    </testcase>
+  </testsuite>
+</testsuites>
diff --git a/...r_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_sarif.txt b/...r_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_sarif.txt
@@ -0,0 +1,55 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "terrascan",
+          "version": "1.9.0",
+          "informationUri": "https://github.com/accurics/terrascan",
+          "rules": [
+            {
+              "id": "AC_DOCKER_0001",
+              "name": "docFilePlatformFlag",
+              "shortDescription": {
+                "text": "Ensure platform flag with FROM command is not used for Docker file"
+              },
+              "properties": {
+                "category": "Infrastructure Security",
+                "severity": "MEDIUM"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "AC_DOCKER_0001",
+          "level": "warning",
+          "message": {
+            "text": "Ensure platform flag with FROM command is not used for Docker file"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "file:///Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker/dockerfile_with_platform_flag_violation/Dockerfile"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "name": "Dockerfile",
+                  "kind": "docker_from"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/...ker_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_xml.txt b/...ker_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_xml.txt
@@ -0,0 +1,9 @@
+<results>
+  <scan_errors></scan_errors>
+  <passed_rules></passed_rules>
+  <violations>
+    <violation rule_name="docFilePlatformFlag" description="Ensure platform flag with FROM command is not used for Docker file" rule_id="AC_DOCKER_0001" severity="MEDIUM" category="Infrastructure Security" resource_name="Dockerfile" resource_type="docker_from" file="Dockerfile" line="1"></violation>
+  </violations>
+  <skipped_violations></skipped_violations>
+  <scan_summary file_folder="/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker/dockerfile_with_platform_flag_violation" iac_type="docker" scanned_at="2021-08-06 14:02:50.027126 +0000 UTC" policies_validated="9" violated_policies="1" low="0" medium="1" high="0"></scan_summary>
+</results>
diff --git a/...er_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_yaml.txt b/...er_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_yaml.txt
@@ -0,0 +1,22 @@
+results:
+    violations:
+        - rule_name: docFilePlatformFlag
+          description: Ensure platform flag with FROM command is not used for Docker file
+          rule_id: AC_DOCKER_0001
+          severity: MEDIUM
+          category: Infrastructure Security
+          resource_name: Dockerfile
+          resource_type: docker_from
+          file: Dockerfile
+          line: 1
+    skipped_violations: []
+    scan_summary:
+        file/folder: /Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/docker/dockerfile_with_platform_flag_violation
+        iac_type: docker
+        scanned_at: 2021-08-06 14:03:08.139109 +0000 UTC
+        policies_validated: 9
+        violated_policies: 1
+        low: 0
+        medium: 1
+        high: 0
+
diff --git a/.../e2e/scan/golden/k8s_scans/k8s/kubernetes_ingress_violations/kubernetes_ingress_sarif.txt b/.../e2e/scan/golden/k8s_scans/k8s/kubernetes_ingress_violations/kubernetes_ingress_sarif.txt
@@ -0,0 +1,55 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "terrascan",
+          "version": "1.9.0",
+          "informationUri": "https://github.com/accurics/terrascan",
+          "rules": [
+            {
+              "id": "AC_K8S_0001",
+              "name": "noHttps",
+              "shortDescription": {
+                "text": "TLS disabled can affect the confidentiality of the data in transit"
+              },
+              "properties": {
+                "category": "Network Security",
+                "severity": "HIGH"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "AC_K8S_0001",
+          "level": "error",
+          "message": {
+            "text": "TLS disabled can affect the confidentiality of the data in transit"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "file:///Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/k8s/kubernetes_ingress_violation/config.yaml"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "logicalLocations": [
+                {
+                  "name": "ingress-demo-disallowed",
+                  "kind": "kubernetes_ingress"
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/...scan/golden/resource_prioritising/max_severity_set/docker/dockerfile_max_severity_low.txt b/...scan/golden/resource_prioritising/max_severity_set/docker/dockerfile_max_severity_low.txt
@@ -0,0 +1,28 @@
+{
+  "results": {
+    "violations": [
+      {
+        "rule_name": "docFilePlatformFlag",
+        "description": "Ensure platform flag with FROM command is not used for Docker file",
+        "rule_id": "AC_DOCKER_0001",
+        "severity": "LOW",
+        "category": "Infrastructure Security",
+        "resource_name": "Dockerfile",
+        "resource_type": "docker_from",
+        "file": "Dockerfile",
+        "line": 1
+      }
+    ],
+    "skipped_violations": null,
+    "scan_summary": {
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set/docker",
+      "iac_type": "docker",
+      "scanned_at": "2021-08-06 10:17:42.375856 +0000 UTC",
+      "policies_validated": 9,
+      "violated_policies": 1,
+      "low": 1,
+      "medium": 0,
+      "high": 0
+    }
+  }
+}
diff --git a/...olden/resource_prioritising/max_severity_set_none/docker/dockerfile_max_severity_none.txt b/...olden/resource_prioritising/max_severity_set_none/docker/dockerfile_max_severity_none.txt
@@ -0,0 +1,28 @@
+{
+  "results": {
+    "violations": null,
+    "skipped_violations": [
+      {
+        "rule_name": "docFilePlatformFlag",
+        "description": "Ensure platform flag with FROM command is not used for Docker file",
+        "rule_id": "AC_DOCKER_0001",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "Dockerfile",
+        "resource_type": "docker_from",
+        "file": "Dockerfile",
+        "line": 1
+      }
+    ],
+    "scan_summary": {
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/docker",
+      "iac_type": "docker",
+      "scanned_at": "2021-08-06 10:20:27.27704 +0000 UTC",
+      "policies_validated": 9,
+      "violated_policies": 0,
+      "low": 0,
+      "medium": 0,
+      "high": 0
+    }
+  }
+}
diff --git a/...can/golden/resource_prioritising/min_severity_set/docker/dockerfile_min_severity_high.txt b/...can/golden/resource_prioritising/min_severity_set/docker/dockerfile_min_severity_high.txt
@@ -0,0 +1,28 @@
+{
+  "results": {
+    "violations": [
+      {
+        "rule_name": "docFilePlatformFlag",
+        "description": "Ensure platform flag with FROM command is not used for Docker file",
+        "rule_id": "AC_DOCKER_0001",
+        "severity": "HIGH",
+        "category": "Infrastructure Security",
+        "resource_name": "Dockerfile",
+        "resource_type": "docker_from",
+        "file": "Dockerfile",
+        "line": 1
+      }
+    ],
+    "skipped_violations": null,
+    "scan_summary": {
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/min_severity_set/docker",
+      "iac_type": "docker",
+      "scanned_at": "2021-08-06 10:30:28.495621 +0000 UTC",
+      "policies_validated": 9,
+      "violated_policies": 1,
+      "low": 0,
+      "medium": 0,
+      "high": 1
+    }
+  }
+}
diff --git a/test/e2e/scan/golden/resource_skipping/dockerfile_resource_skipping.txt b/test/e2e/scan/golden/resource_skipping/dockerfile_resource_skipping.txt
@@ -0,0 +1,28 @@
+{
+  "results": {
+    "violations": null,
+    "skipped_violations": [
+      {
+        "rule_name": "docFilePlatformFlag",
+        "description": "Ensure platform flag with FROM command is not used for Docker file",
+        "rule_id": "AC_DOCKER_0001",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "Dockerfile",
+        "resource_type": "docker_from",
+        "file": "Dockerfile",
+        "line": 1
+      }
+    ],
+    "scan_summary": {
+      "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_skipping/docker",
+      "iac_type": "docker",
+      "scanned_at": "2021-08-06 10:32:56.961838 +0000 UTC",
+      "policies_validated": 9,
+      "violated_policies": 0,
+      "low": 0,
+      "medium": 0,
+      "high": 0
+    }
+  }
+}