fix(rules): check languages in data types for missing encryption (#675)

* fix(rules): check languages in data types for missing encryption * chore: update e2e tests to support multi file structure
Bearer · Feb 27, 2023 · 79bfd05 · 79bfd05
1 parent ab95571
commit 79bfd05
Show file tree

Hide file tree

Showing 20 changed files with 89 additions and 137 deletions.
diff --git a/e2e/rules/.snapshots/TestAuxilary-unsecure → ...shots/TestAuxilary-testdata-data-auxilary b/e2e/rules/.snapshots/TestAuxilary-unsecure → ...shots/TestAuxilary-testdata-data-auxilary
diff --git a/...estRubyRailsDefaultEncryptionSchema-testdata-data-ruby_rails_default_encryption_schema_rb b/...estRubyRailsDefaultEncryptionSchema-testdata-data-ruby_rails_default_encryption_schema_rb
@@ -0,0 +1,24 @@
+warning:
+    - rule:
+        cwe_ids:
+            - "312"
+        id: ruby_rails_default_encryption
+        description: Missing application-level encryption of sensitive data detected.
+        documentation_url: https://docs.bearer.com/reference/rules/ruby_rails_default_encryption
+      line_number: 4
+      filename: e2e/rules/testdata/data/ruby_rails_default_encryption_schema_rb/db/schema.rb
+      category_groups:
+        - PII
+      parent_line_number: 2
+      parent_content: |-
+        create_table "users", force: :cascade do |t|
+            t.string "email", null: false
+            t.string "name"
+            t.string "encrypted_password", null: false
+            t.datetime "created_at", null: false
+            t.datetime "updated_at", null: false
+          end
+
+
+--
+
diff --git a/...RailsDefaultEncryptionStructure-testdata-data-ruby_rails_default_encryption_structure_sql b/...RailsDefaultEncryptionStructure-testdata-data-ruby_rails_default_encryption_structure_sql
@@ -0,0 +1,25 @@
+warning:
+    - rule:
+        cwe_ids:
+            - "312"
+        id: ruby_rails_default_encryption
+        description: Missing application-level encryption of sensitive data detected.
+        documentation_url: https://docs.bearer.com/reference/rules/ruby_rails_default_encryption
+      line_number: 3
+      filename: e2e/rules/testdata/data/ruby_rails_default_encryption_structure_sql/db/structure.sql
+      category_groups:
+        - PII
+      parent_line_number: 1
+      parent_content: |-
+        CREATE TABLE public.users (
+          id bigint NOT NULL,
+          name character varying,
+          password character varying,
+          created_at timestamp(6) without time zone NOT NULL,
+          updated_at timestamp(6) without time zone NOT NULL,
+          email character varying DEFAULT ''::character varying NOT NULL
+        )
+
+
+--
+
diff --git a/e2e/rules/.snapshots/TestSimpleRuby-unsecure → .../TestSimpleRuby-testdata-data-simple_ruby b/e2e/rules/.snapshots/TestSimpleRuby-unsecure → .../TestSimpleRuby-testdata-data-simple_ruby
diff --git a/e2e/rules/helper.go b/e2e/rules/helper.go
@@ -2,52 +2,45 @@ package rules_test
 
 import (
 	"fmt"
-	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
 	"github.com/bearer/bearer/e2e/internal/testhelper"
 )
 
-func buildRulesTestCase(testName, fileName, ruleID string) testhelper.TestCase {
+func buildRulesTestCase(testName, path, ruleID string, builtIn bool) testhelper.TestCase {
 	arguments := []string{
 		"scan",
-		fileName,
-		"--external-rule-dir=" + filepath.Join("e2e", "rules", "testdata", "rules"),
+		path,
 		"--only-rule=" + ruleID,
 		"--format=yaml",
 	}
+
+	if !builtIn {
+		arguments = append(arguments,
+			"--external-rule-dir="+filepath.Join("e2e", "rules", "testdata", "rules"),
+		)
+	}
+
 	options := testhelper.TestCaseOptions{}
 
 	return testhelper.NewTestCase(testName, arguments, options)
 }
 
-func runRulesTest(folderPath string, ruleID string, t *testing.T) {
+func runRulesTest(folderPath string, ruleID string, builtIn bool, t *testing.T) {
 	snapshotDirectory := ".snapshots"
 
 	testDataDir := fmt.Sprintf("testdata/data/%s", folderPath)
 
-	testdataDirEntries, err := os.ReadDir(testDataDir)
-	if err != nil {
-		t.Fatalf("failed to read rules/%s dir %e", folderPath, err)
-	}
-
 	testCases := []testhelper.TestCase{}
-	for _, testdataFile := range testdataDirEntries {
-		filePath := testdataFile.Name()
-		ext := filepath.Ext(filePath)
-		testName := strings.TrimSuffix(filePath, ext)
-		testName = strings.TrimPrefix(testName, testDataDir)
-
-		testCases = append(testCases,
-			buildRulesTestCase(
-				testName,
-				filepath.Join("e2e", "rules", testDataDir, filePath),
-				ruleID,
-			),
-		)
-	}
+	testCases = append(testCases,
+		buildRulesTestCase(
+			testDataDir,
+			filepath.Join("e2e", "rules", testDataDir),
+			ruleID,
+			builtIn,
+		),
+	)
 
 	testhelper.RunTestsWithSnapshotSubdirectory(t, testCases, snapshotDirectory)
 }
diff --git a/e2e/rules/rules_test.go b/e2e/rules/rules_test.go
@@ -6,10 +6,20 @@ import (
 
 func TestAuxilary(t *testing.T) {
 	t.Parallel()
-	runRulesTest("auxilary", "javascript_third_parties_datadog_test", t)
+	runRulesTest("auxilary", "javascript_third_parties_datadog_test", false, t)
 }
 
 func TestSimpleRuby(t *testing.T) {
 	t.Parallel()
-	runRulesTest("simple_ruby", "ruby_rails_insecure_communication_test", t)
+	runRulesTest("simple_ruby", "ruby_rails_insecure_communication_test", false, t)
+}
+
+func TestRubyRailsDefaultEncryptionStructure(t *testing.T) {
+	t.Parallel()
+	runRulesTest("ruby_rails_default_encryption_structure_sql", "ruby_rails_default_encryption", true, t)
+}
+
+func TestRubyRailsDefaultEncryptionSchema(t *testing.T) {
+	t.Parallel()
+	runRulesTest("ruby_rails_default_encryption_schema_rb", "ruby_rails_default_encryption", true, t)
 }
diff --git a/...tion_missing/schema_rb/app/models/user.rb → ...t_encryption_schema_rb/app/models/user.rb b/...tion_missing/schema_rb/app/models/user.rb → ...t_encryption_schema_rb/app/models/user.rb
diff --git a/...el_encryption_missing/schema_rb/bin/rails → ...ls_default_encryption_schema_rb/bin/rails b/...el_encryption_missing/schema_rb/bin/rails → ...ls_default_encryption_schema_rb/bin/rails
diff --git a/...encryption_missing/schema_rb/db/schema.rb → ...default_encryption_schema_rb/db/schema.rb b/...encryption_missing/schema_rb/db/schema.rb → ...default_encryption_schema_rb/db/schema.rb
diff --git a/..._missing/structure_sql/app/models/user.rb → ...cryption_structure_sql/app/models/user.rb b/..._missing/structure_sql/app/models/user.rb → ...cryption_structure_sql/app/models/user.rb
diff --git a/...ncryption_missing/structure_sql/bin/rails → ...efault_encryption_structure_sql/bin/rails b/...ncryption_missing/structure_sql/bin/rails → ...efault_encryption_structure_sql/bin/rails
diff --git a/...on_missing/structure_sql/db/structure.sql → ...encryption_structure_sql/db/structure.sql b/...on_missing/structure_sql/db/structure.sql → ...encryption_structure_sql/db/structure.sql
diff --git a/integration/rules/ruby_test.go b/integration/rules/ruby_test.go
@@ -96,11 +96,6 @@ func TestRubyLangWeakEncryptionWithData(t *testing.T) {
 	getRunner(t).runTest(t, rubyRulesPath+"lang/weak_encryption_with_data")
 }
 
-func TestRubyRailsDefaultEncryption(t *testing.T) {
-	t.Parallel()
-	getRunner(t).runTest(t, rubyRulesPath+"rails/default_encryption")
-}
-
 func TestRubyRailsInsecureCommunication(t *testing.T) {
 	t.Parallel()
 	getRunner(t).runTest(t, rubyRulesPath+"rails/insecure_communication")

diff --git a/pkg/commands/process/settings/policies/risk_policy.rego b/pkg/commands/process/settings/policies/risk_policy.rego
@@ -78,6 +78,7 @@ policy_failure contains item if {
 policy_failure contains item if {
 	input.rule.trigger == "stored_data_types"
 
+	contains(input.rule.languages, input.dataflow.data_types[_].detectors[_].name)
 	data_type = input.dataflow.data_types[_]
 	not contains(input.rule.skip_data_types, data_type.name)
 
@@ -101,16 +102,16 @@ policy_failure contains item if {
 
 # used by inventory report
 local_rule_failure contains item if {
-  some detector in local_failures
+	some detector in local_failures
 	data_type = detector.data_types[_]
 
-  location = data_type.locations[_]
+	location = data_type.locations[_]
 	item := {
-    "name": data_type.name,
+		"name": data_type.name,
 		"category_groups": data.bearer.common.groups_for_datatype(data_type),
-    "subject_name": location.subject_name,
-    "line_number": location.line_number,
-    "rule_id": input.rule.id,
-    "third_party": input.rule.associated_recipe
-  }
-}
+		"subject_name": location.subject_name,
+		"line_number": location.line_number,
+		"rule_id": input.rule.id,
+		"third_party": input.rule.associated_recipe,
+	}
+}
diff --git a/...ailsDefaultEncryption--application_level_encryption_missing-schema_rb-app-models-user.yml b/...ailsDefaultEncryption--application_level_encryption_missing-schema_rb-app-models-user.yml
diff --git a/...tRubyRailsDefaultEncryption--application_level_encryption_missing-schema_rb-bin-rails.yml b/...tRubyRailsDefaultEncryption--application_level_encryption_missing-schema_rb-bin-rails.yml
diff --git a/...tRubyRailsDefaultEncryption--application_level_encryption_missing-schema_rb-db-schema.yml b/...tRubyRailsDefaultEncryption--application_level_encryption_missing-schema_rb-db-schema.yml
diff --git a/...DefaultEncryption--application_level_encryption_missing-structure_sql-app-models-user.yml b/...DefaultEncryption--application_level_encryption_missing-structure_sql-app-models-user.yml
diff --git a/...yRailsDefaultEncryption--application_level_encryption_missing-structure_sql-bin-rails.yml b/...yRailsDefaultEncryption--application_level_encryption_missing-structure_sql-bin-rails.yml
diff --git a/...ilsDefaultEncryption--application_level_encryption_missing-structure_sql-db-structure.yml b/...ilsDefaultEncryption--application_level_encryption_missing-structure_sql-db-structure.yml