Merge branch 'master' into kics-816

README.md

@@ -114,4 +114,4 @@ KICS is used by various companies and organizations, some are listed below. If y
 
 ---
 
-© 2023 Checkmarx Ltd. All Rights Reserved.
+© 2024 Checkmarx Ltd. All Rights Reserved.

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "0f04217d-488f-4e7a-bec8-f16159686cd6",
+  "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+  "severity": "MEDIUM",
+  "category": "Best Practices",
+  "descriptionText": "It's considered a best practice to have point in time recovery enabled for DynamoDB Table",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-pointintimerecoveryspecification.html",
+  "platform": "CloudFormation",
+  "descriptionID": "a0a51171",
+  "cloudProvider": "aws"
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego

@@ -0,0 +1,62 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.cloudformation as cf_lib
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DynamoDB::Table"
+	properties := resource.Properties
+
+	properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == false
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", [key]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", [key]),
+		"keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", [key]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DynamoDB::Table"
+	properties := resource.Properties
+
+	not common_lib.valid_key(properties, "PointInTimeRecoverySpecification")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", [key]),
+		"keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification is not defined", [key]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DynamoDB::Table"
+	properties := resource.Properties
+	specification := properties.PointInTimeRecoverySpecification
+
+	not common_lib.valid_key(specification, "PointInTimeRecoveryEnabled")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.PointInTimeRecoverySpecification", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", [key]),
+		"keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", [key]),
+	}
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/negative1.yaml

@@ -0,0 +1,6 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      PointInTimeRecoverySpecification: 
+        PointInTimeRecoveryEnabled: true

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/negative2.json

@@ -0,0 +1,15 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST",
+        "PointInTimeRecoverySpecification" : {
+          "PointInTimeRecoveryEnabled" : true
+        }
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive1.yaml

@@ -0,0 +1,6 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      PointInTimeRecoverySpecification: 
+        PointInTimeRecoveryEnabled: false

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive2.yaml

@@ -0,0 +1,5 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      TableName: my-table

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive3.json

@@ -0,0 +1,15 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST",
+        "PointInTimeRecoverySpecification" : {
+          "PointInTimeRecoveryEnabled" : false
+        }
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive4.json

@@ -0,0 +1,12 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST"
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive5.yaml

@@ -0,0 +1,5 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      PointInTimeRecoverySpecification: {}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive6.json

@@ -0,0 +1,13 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST",
+        "PointInTimeRecoverySpecification" : {}
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json

@@ -0,0 +1,38 @@
+[
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 6,
+    "filename": "positive1.yaml"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 4,
+    "filename": "positive2.yaml"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 8,
+    "filename": "positive3.json"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive4.json"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive5.yaml"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 7,
+    "filename": "positive6.json"
+  }
+]

assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json

@@ -1,7 +1,7 @@
 {
   "id": "327b0729-4c5c-4c44-8b5c-e476cd9c7290",
   "queryName": "DynamoDB Table Point In Time Recovery Disabled",
-  "severity": "INFO",
+  "severity": "MEDIUM",
   "category": "Best Practices",
   "descriptionText": "It's considered a best practice to have point in time recovery enabled for DynamoDB Table",
   "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml",

assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json

@@ -1,13 +1,13 @@
 [
 	{
 		"queryName": "DynamoDB Table Point In Time Recovery Disabled",
-		"severity": "INFO",
+		"severity": "MEDIUM",
 		"line": 7,
 		"fileName": "positive.yaml"
 	},
 	{
 		"queryName": "DynamoDB Table Point In Time Recovery Disabled",
-		"severity": "INFO",
+		"severity": "MEDIUM",
 		"line": 21,
 		"fileName": "positive.yaml"
 	}

assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json

@@ -1,7 +1,7 @@
 {
   "id": "741f1291-47ac-4a85-a07b-3d32a9d6bd3e",
   "queryName": "DynamoDB Table Point In Time Recovery Disabled",
-  "severity": "INFO",
+  "severity": "MEDIUM",
   "category": "Best Practices",
   "descriptionText": "It's considered a best practice to have point in time recovery enabled for DynamoDB Table",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery",

assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json

@@ -1,13 +1,13 @@
 [
   {
     "queryName": "DynamoDB Table Point In Time Recovery Disabled",
-    "severity": "INFO",
+    "severity": "MEDIUM",
     "line": 10,
     "filename": "positive1.tf"
   },
   {
     "queryName": "DynamoDB Table Point In Time Recovery Disabled",
-    "severity": "INFO",
+    "severity": "MEDIUM",
     "line": 1,
     "filename": "positive2.tf"
   }

e2e/cli_test.go

@@ -92,6 +92,7 @@ func Test_E2E_CLI(t *testing.T) {
 					// Check log file
 					logData, _ := utils.ReadFixture(tt.Args.ExpectedLog.LogFile, "output")
 					validation := tt.Args.ExpectedLog.ValidationFunc(logData)
+
 					require.Truef(t, validation, "The output log file 'output/%s' doesn't match the regex validation",
 						tt.Args.ExpectedLog.LogFile)
 				}

e2e/testcases/e2e-cli-007_scan.go

@@ -9,13 +9,13 @@ func init() { //nolint
 		Name: "should perform a simple scan [E2E-CLI-007]",
 		Args: args{
 			Args: []cmdArgs{
-				[]string{"scan", "-p", "/path/e2e/fixtures/samples/positive.yaml"},
+				[]string{"scan", "-p", "/path/e2e/fixtures/samples/positive.yaml", "-v"},
 			},
 		},
 		WantStatus: []int{50},
 		Validation: func(outputText string) bool {
-			match1, _ := regexp.MatchString(`Files scanned: \d+`, outputText)
-			match2, _ := regexp.MatchString(`Parsed files: \d+`, outputText)
+			match1, _ := regexp.MatchString(`Scanned Files: \d+`, outputText)
+			match2, _ := regexp.MatchString(`Parsed Files: \d+`, outputText)
 			match3, _ := regexp.MatchString(`Queries loaded: \d+`, outputText)
 			match4, _ := regexp.MatchString(`Queries failed to execute: \d+`, outputText)
 			match5, _ := regexp.MatchString(`Results Summary:`, outputText)

e2e/testcases/e2e-cli-027_scan_exclude-paths.go

@@ -10,11 +10,11 @@ func init() { //nolint
 		Args: args{
 			Args: []cmdArgs{
 				[]string{"scan", "--exclude-paths", "/path/test/fixtures/test_swagger/swaggerFileWithoutAuthorizer.yaml",
-					"-p", "/path/test/fixtures/test_swagger/"},
+					"-p", "/path/test/fixtures/test_swagger/", "-v"},
 			},
 		},
 		Validation: func(outputText string) bool {
-			match, _ := regexp.MatchString(`Files scanned: 1`, outputText)
+			match, _ := regexp.MatchString(`Scanned Files: 1`, outputText)
 			return match
 		},
 		WantStatus: []int{40},

pkg/engine/inspector.go

@@ -309,6 +309,7 @@ func (c *Inspector) doRun(ctx *QueryContext) (vulns []model.Vulnerability, err e
 		if r := recover(); r != nil {
 			errMessage := fmt.Sprintf("Recovered from panic during query '%s' run. ", ctx.Query.Metadata.Query)
 			err = fmt.Errorf("panic: %v", r)
+			fmt.Println()
 			log.Err(err).Msg(errMessage)
 		}
 	}()

pkg/printer/options.go

@@ -138,3 +138,23 @@ func LogLevel(opt interface{}, changed bool) error {
 	}
 	return nil
 }
+
+type LogSink struct {
+	logs []string
+}
+
+func NewLogger(logs *LogSink) zerolog.Logger {
+	if logs == nil {
+		return log.Logger
+	}
+	return zerolog.New(logs)
+}
+
+func (l *LogSink) Write(p []byte) (n int, err error) {
+	l.logs = append(l.logs, string(p))
+	return len(p), nil
+}
+
+func (l *LogSink) Index(i int) string {
+	return l.logs[i]
+}

pkg/printer/printer.go

@@ -18,7 +18,6 @@ import (
 )
 
 const (
-	wordWrapCount     = 5
 	charsLimitPerLine = 255
 )
 
@@ -102,19 +101,9 @@ func WordWrap(s, indentation string, limit int) string {
 }
 
 // PrintResult prints on output the summary results
-func PrintResult(summary *model.Summary, failedQueries map[string]error, printer *Printer, usingCustomQueries bool) error {
+func PrintResult(summary *model.Summary, printer *Printer, usingCustomQueries bool) error {
 	log.Debug().Msg("helpers.PrintResult()")
-	fmt.Printf("Files scanned: %d\n", summary.ScannedFiles)
-	fmt.Printf("Parsed files: %d\n", summary.ParsedFiles)
-	fmt.Printf("Queries loaded: %d\n", summary.TotalQueries)
-
-	fmt.Printf("Queries failed to execute: %d\n\n", summary.FailedToExecuteQueries)
-	for queryName, err := range failedQueries {
-		fmt.Printf("\t- %s:\n", queryName)
-		fmt.Printf("%s", WordWrap(err.Error(), "\t\t", wordWrapCount))
-	}
-
-	fmt.Printf("------------------------------------\n\n")
+	fmt.Printf("\n\n")
 	for index := range summary.Queries {
 		idx := len(summary.Queries) - index - 1
 		if summary.Queries[idx].Severity == model.SeverityTrace {