feat(flags): ast 116512 support new cloud providers ibm cloud and oracle cloud #7887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

cx-laura-rodrigues wants to merge 12 commits into master from AST-116512-kics-support-new-cloud-providers-ibm-cloud-and-oracle-cloud

.github/scripts/queries-validator/metadata-schema.json

-Original file line number
+Diff line change
@@ Expand Up / @@ -105,7 +105,9 @@ @@
                     "azure",
                     "common",
                     "gcp",
+                    "ibmcloud",
                     "nifcloud",
+                    "oraclecloud",
                     "tencentcloud"
                 ]
             },
@@ Expand Down @@

README.md

-Original file line number
+Diff line change
@@ Expand Up @@
     </picture>
     </a>
     </td>
+    <td>
+    <a href="https://github.com/Checkmarx/kics/blob/master/docs/platforms.md#ibmcloud-for-terraform">
+    <img alt="IBMCloud" src="docs/img/logo-ibmcloud.png" width="100">
+    </a>
+    </td>
+    <td>
+    <a href="https://github.com/Checkmarx/kics/blob/master/docs/platforms.md#oraclecloud-for-terraform">
+    <picture>
+    <source media="(prefers-color-scheme: light)" srcset="docs/img/logo-oraclecloud.png" width="180">
+    <source media="(prefers-color-scheme: dark)" srcset="docs/img/logo-oraclecloud-dark.png" width="180">
+    <img alt="OracleCloud" src="docs/img/logo-oraclecloud.png" width="100">
+    </picture>
+    </a>
+    </td>
     </tr>
     </table>
@@ Expand Down @@

assets/queries/terraform/ibmcloud/load_balancer_vpc_is_public/metadata.json

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    {
+        "id": "a6bc2970-c10d-45ab-9050-cf69c393e911",
+        "queryName": "Load Balancer VPC is Public",
+        "severity": "MEDIUM",
+        "category": "Insecure Configurations",
+        "descriptionText": "IBM Load Balancer VPC should not be public",
+        "descriptionUrl": "https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb",
+        "platform": "Terraform",
+        "descriptionID": "a6bc2970",
+        "cloudProvider": "ibmcloud",
+        "cwe": "668",
+        "riskScore": "3.0",
+        "experimental": "true"
+      }

assets/queries/terraform/ibmcloud/load_balancer_vpc_is_public/query.rego

-Original file line number
+Diff line change
@@ -0,0 +1,38 @@
+    package Cx
+    import data.generic.common as common_lib
+    import data.generic.terraform as tf_lib
+    CxPolicy[result] {
+    	lb := input.document[i].resource.ibm_is_lb[name]
+    	not common_lib.valid_key(lb, "type")
+    	result := {
+    		"documentId": input.document[i].id,
+    		"resourceType": "ibm_is_lb",
+    		"resourceName": tf_lib.get_resource_name(lb, name),
+    		"searchKey": sprintf("ibm_is_lb[%s]", [name]),
+    		"issueType": "MissingAttribute",
+    		"keyExpectedValue": sprintf("'ibm_is_lb[%s]' should be set to private or private_path.", [name]),
+    		"keyActualValue": sprintf("'ibm_is_lb[%s]' is missing type property, defaults to public.", [name]),
+    		"searchLine": common_lib.build_search_line(["resource","ibm_is_lb", name], []),
+    	}
+    }
+    CxPolicy[result] {
+    	lb := input.document[i].resource.ibm_is_lb[name]
+    	lb.type == "public"
+    	result := {
+    		"documentId": input.document[i].id,
+    		"resourceType": "ibm_is_lb",
+    		"resourceName": tf_lib.get_resource_name(lb, name),
+    		"searchKey": sprintf("ibm_is_lb[%s]", [name]),
+    		"issueType": "IncorrectValue",
+    		"keyExpectedValue": sprintf("'ibm_is_lb[%s]' should be set to private or private_path.", [name]),
+    		"keyActualValue": sprintf("'ibm_is_lb[%s]' is set to %s.", [name, lb.type]),
+    		"searchLine": common_lib.build_search_line(["resource","ibm_is_lb", name, "type"], []),
+    	}
+    }

assets/queries/terraform/ibmcloud/load_balancer_vpc_is_public/test/negative1.tf

-Original file line number
+Diff line change
@@ -0,0 +1,7 @@
+    # Case: type is defined to private_path
+    resource "ibm_is_lb" "example" {
+      name    = "example-load-balancer"
+      subnets = [ibm_is_subnet.example.id]
+      profile = "network-private-path"
+      type = "private_path"
+    }

assets/queries/terraform/ibmcloud/load_balancer_vpc_is_public/test/negative2.tf

-Original file line number
+Diff line change
@@ -0,0 +1,7 @@
+    # Case: type is defined to private
+    resource "ibm_is_lb" "example" {
+      name    = "example-load-balancer"
+      subnets = [ibm_is_subnet.example.id]
+      profile = "network-private-path"
+      type = "private"
+    }

assets/queries/terraform/ibmcloud/load_balancer_vpc_is_public/test/positive1.tf

-Original file line number
+Diff line change
@@ -0,0 +1,7 @@
+    # Case: type is defined to public
+    resource "ibm_is_lb" "example" {
+      name    = "example-load-balancer"
+      subnets = [ibm_is_subnet.example.id]
+      profile = "network-private-path"
+      type = "public"
+    }

assets/queries/terraform/ibmcloud/load_balancer_vpc_is_public/test/positive2.tf

-Original file line number
+Diff line change
@@ -0,0 +1,6 @@
+    resource "ibm_is_lb" "example" {
+      name    = "example-load-balancer"
+      subnets = [ibm_is_subnet.example.id]
+      profile = "network-private-path"
+      # Case: type is not defined, defaults to public
+    }

...queries/terraform/ibmcloud/load_balancer_vpc_is_public/test/positive_expected_result.json

-Original file line number
+Diff line change
@@ -0,0 +1,15 @@
+    [
+        {
+          "queryName": "Load Balancer VPC is Public",
+          "severity": "MEDIUM",
+          "line": 6,
+          "fileName": "positive1.tf"
+        },
+        {
+        "queryName": "Load Balancer VPC is Public",
+          "severity": "MEDIUM",
+          "line": 1,
+          "fileName": "positive2.tf"
+        }
+    ]

assets/queries/terraform/oraclecloud/instance_monitoring_disabled/metadata.json

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    {
+      "id": "1d2e88ff-7ee7-4c8a-bf16-01488c83f295",
+      "queryName": "Instance Monitoring Disabled",
+      "severity": "LOW",
+      "category": "Observability",
+      "descriptionText": "Instance should have monitoring enabled",
+      "descriptionUrl": "https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance_configuration.html#is_monitoring_disabled-2",
+      "platform": "Terraform",
+      "descriptionID": "1d2e88ff",
+      "cloudProvider": "oraclecloud",
+      "cwe": "778",
+      "riskScore": "1.0",
+      "experimental": "true"
+    }

assets/queries/terraform/oraclecloud/instance_monitoring_disabled/query.rego

-Original file line number
+Diff line change
@@ -0,0 +1,21 @@
+    package Cx
+    import data.generic.common as common_lib
+    import data.generic.terraform as tf_lib
+    CxPolicy[result] {
+    	resource := input.document[i].resource.oci_core_instance[name]
+    	agent_config := resource.agent_config
+    	agent_config.is_monitoring_disabled == true
+    	result := {
+    		"documentId": input.document[i].id,
+    		"resourceType": "oci_core_instance",
+    		"resourceName": tf_lib.get_resource_name(resource, name),
+    		"searchKey": sprintf("oci_core_instance[%s]", [name]),
+    		"issueType": "IncorrectValue",
+    		"keyExpectedValue": "Attribute 'is_monitoring_disabled' should be set to false.",
+    		"keyActualValue": "Attribute 'is_monitoring_disabled' is set to true.",
+    		"searchLine": common_lib.build_search_line(["resource", "oci_core_instance", name, "agent_config", "is_monitoring_disabled"], []),
+    	}
+    }

assets/queries/terraform/oraclecloud/instance_monitoring_disabled/test/negative1.tf

-Original file line number
+Diff line change
@@ -0,0 +1,9 @@
+    # Case: is_monitoring_disabled set to false
+    resource "oci_core_instance" "fail" {
+      availability_domain = var.instance_availability_domain
+      compartment_id      = var.compartment_id
+      shape               = var.instance_shape
+      agent_config {
+        is_monitoring_disabled = false
+      }
+    }

assets/queries/terraform/oraclecloud/instance_monitoring_disabled/test/negative2.tf

-Original file line number
+Diff line change
@@ -0,0 +1,6 @@
+    # Case: missing is_monitoring_disabled property, defaults to false
+    resource "oci_core_instance" "fail" {
+      availability_domain = var.instance_availability_domain
+      compartment_id      = var.compartment_id
+      shape               = var.instance_shape
+    }

assets/queries/terraform/oraclecloud/instance_monitoring_disabled/test/negative3.tf

-Original file line number
+Diff line change
@@ -0,0 +1,7 @@
+    # Case: missing is_monitoring_disabled inside agent_config
+    resource "oci_core_instance" "fail" {
+      availability_domain = var.instance_availability_domain
+      compartment_id      = var.compartment_id
+      shape               = var.instance_shape
+      agent_config {}
+    }

assets/queries/terraform/oraclecloud/instance_monitoring_disabled/test/positive.tf

-Original file line number
+Diff line change
@@ -0,0 +1,8 @@
+    resource "oci_core_instance" "fail" {
+      availability_domain = var.instance_availability_domain
+      compartment_id      = var.compartment_id
+      shape               = var.instance_shape
+      agent_config {
+        is_monitoring_disabled = true
+      }
+    }

...ies/terraform/oraclecloud/instance_monitoring_disabled/test/positive_expected_result.json

-Original file line number
+Diff line change
@@ -0,0 +1,8 @@
+    [
+      {
+        "queryName": "Instance Monitoring Disabled",
+        "severity": "LOW",
+        "line": 6,
+        "fileName": "positive.tf"
+      }
+    ]

assets/similarityID_transition/terraform_ibmcloud.yaml

-Original file line number
+Diff line change
@@ -0,0 +1,5 @@
+    similarityIDChangeList:
+        - queryId: a6bc2970-c10d-45ab-9050-cf69c393e911
+          queryName: Load Balancer VPC is Public
+          observations: ""
+          change: 1

assets/similarityID_transition/terraform_oraclecloud.yaml

-Original file line number
+Diff line change
@@ -0,0 +1,5 @@
+    similarityIDChangeList:
+        - queryId: 1d2e88ff-7ee7-4c8a-bf16-01488c83f295
+          queryName: Instance Monitoring Disabled
+          observations: ""
+          change: 1

docs/commands.md

-Original file line number
+Diff line change
@@ Expand Up @@
     | Flags                       | Description                                                                                                                                                                                                                                                                                 |
     |-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
     |-m, --bom                           | include bill of materials (BoM) in results output                                                                                                                                                                                                                                           |
-    |      --cloud-provider strings      | list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)                                                                                                                                                                                                              |
+    |      --cloud-provider strings      | list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)                                                                                                                                                                                                              |
     |      --config string               | path to configuration file                                                                                                                                                                                                                                                                  |
     |      --old-severities              | uses old severities in query results                                                                                                                                                                                                                                                        |
     |      --disable-full-descriptions   | disable request for full descriptions and use default vulnerability descriptions                                                                                                                                                                                                            |
@@ Expand Down @@

docs/dockerhub.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -107,7 +107,7 @@ Usage: @@
     Flags:
       -m, --bom                           include bill of materials (BoM) in results output
-          --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
+          --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)
           --config string                 path to configuration file
           --old-severities                use old severities in query results (excludes critical severity)
           --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
@@ Expand Down @@

docs/img/logo-ibmcloud.png

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

docs/img/logo-oraclecloud-dark.png

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

docs/img/logo-oraclecloud.png

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

docs/index.md

-Original file line number
+Diff line change
@@ Expand Up @@
     <div class="card"  style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
             <img alt="TencentCloud" src="img/logo-tencentcloud.png" width="120">&nbsp;&nbsp;&nbsp;
     </div>
+    <div class="card" style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
+            <img alt="IBMCloud" src="img/logo-ibmcloud.png" width="90">&nbsp;&nbsp;&nbsp;
+    </div>
+    <div class="card"  style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
+            <img alt="OracleCloud" src="img/logo-oraclecloud.png" width="120">&nbsp;&nbsp;&nbsp;
+    </div>
     </div>
     ## Getting Started
@@ Expand Down @@

docs/platforms.md

-Original file line number
+Diff line change
@@ Expand Up @@
     KICS supports scanning TencentCloud under Terraform file extension (`.tf`).
+    ### IBMCloud for Terraform
+    KICS supports scanning IBMCloud under Terraform file extension (`.tf`).
+    ### OracleCloud for Terraform
+    KICS supports scanning OracleCloud under Terraform file extension (`.tf`).
     ### Terraform variables path
     When using vars in a terraform file there are 2 ways of passing the file in which a variable's value is present.
@@ Expand Down @@

e2e/fixtures/assets/scan_help

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ Usage: @@
     Flags:
       -m, --bom                           include bill of materials (BoM) in results output
-          --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
+          --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)
           --config string                 path to configuration file
           --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
           --disable-secrets               disable secrets scanning
@@ Expand Down @@

internal/constants/constants.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -84,7 +84,9 @@ var ( @@
     		"aws":          "",
     		"azure":        "",
     		"gcp":          "",
+    		"ibmcloud":     "",
     		"nifcloud":     "",
+    		"oraclecloud":  "",
     		"tencentcloud": "",
     	}
     )
@@ Expand Down @@

pkg/engine/source/filesystem.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -82,7 +82,7 @@ func ListSupportedPlatforms() []string { @@
     // ListSupportedCloudProviders returns a list of supported cloud providers
     func ListSupportedCloudProviders() []string {
-    	return []string{"alicloud", "aws", "azure", "gcp", "nifcloud", "tencentcloud"}
+    	return []string{"alicloud", "aws", "azure", "gcp", "ibmcloud", "nifcloud", "oraclecloud", "tencentcloud"}
     }
     func getLibraryInDir(platform, libraryDirPath string) string {
@@ Expand Down @@

pkg/engine/source/filesystem_test.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -821,7 +821,7 @@ func TestSource_validateMetadata(t *testing.T) { @@
     // TestSource_ListSupportedCloudProviders tests the function ListSupportedCloudProviders.
     func TestSource_ListSupportedCloudProviders(t *testing.T) {
-    	want := []string{"alicloud", "aws", "azure", "gcp", "nifcloud", "tencentcloud"}
+    	want := []string{"alicloud", "aws", "azure", "gcp", "ibmcloud", "nifcloud", "oraclecloud", "tencentcloud"}
     	t.Run("test List Supported CP", func(t *testing.T) {
     		got := ListSupportedCloudProviders()
     		require.Equal(t, want, got)
@@ Expand Down @@

test/main_test.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -41,7 +41,9 @@ var ( @@
     		"../assets/queries/terraform/kubernetes":            {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
     		"../assets/queries/terraform/general":               {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
     		"../assets/queries/terraform/alicloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+    		"../assets/queries/terraform/ibmcloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
     		"../assets/queries/terraform/nifcloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+    		"../assets/queries/terraform/oraclecloud":           {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
     		"../assets/queries/terraform/tencentcloud":          {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
     		"../assets/queries/crossplane/aws":                  {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
     		"../assets/queries/crossplane/azure":                {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(flags): ast 116512 support new cloud providers ibm cloud and oracle cloud #7887

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

feat(flags): ast 116512 support new cloud providers ibm cloud and oracle cloud #7887

Are you sure you want to change the base?

Uh oh!

feat(flags): ast 116512 support new cloud providers ibm cloud and oracle cloud #7887

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!