change all rule to same format (#21)

* change all rule to same format * change to cb policy * change builder to build valid object * merge * repository builder * fix 2 test files * fix all other files * add consts * fix pipeline test * change tests description * move consts to testutils, rewrite debug file * remove debug file * add is organinztion fetched to utils * change details to be in 1 object * change all statuses to consts * move to consts * move details to const * move to go funk * rename functions
aquasecurity · Jun 21, 2022 · 864dd07 · 864dd07
1 parent 5589dde
commit 864dd07
Show file tree

Hide file tree

Showing 36 changed files with 680 additions and 1,305 deletions.
diff --git a/README.md b/README.md
@@ -108,7 +108,7 @@ docker run aquasec/chain-bench scan --repository-url <REPOSITORY_URL> --access-t
  2.3.8    Ensure scanners are in place to identify and prevent sensitive data in pipeline files           Failed   Repository is not scanned for secrets
  2.4.2    Ensure all external dependencies used in the build process are locked                           Failed   16 task(s) are not pinned
  2.4.6    Ensure pipeline steps produce an SBOM                                                           Passed
- 3.1.7    Ensure dependencies are pinned to a specific, verified version                                  Failed   16 dependenc(ies) are not pinned
+ 3.1.7    Ensure dependencies are pinned to a specific, verified version                                  Failed   16 dependencies are not pinned
  3.2.2    Ensure packages are automatically scanned for known vulnerabilities                             Passed
  3.2.3    Ensure packages are automatically scanned for license implications                              Passed
  4.2.3    Ensure user's access to the package registry utilizes MFA                                       Passed

diff --git a/go.mod b/go.mod
@@ -17,7 +17,9 @@ require (
 
 require (
 	github.com/agnivade/levenshtein v1.0.1 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.0-beta.8 // indirect
+	github.com/thoas/go-funk v0.9.2 // indirect
 	github.com/vektah/gqlparser/v2 v2.4.4 // indirect
 )
 

diff --git a/go.sum b/go.sum
@@ -504,8 +504,9 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
 github.com/google/go-github/v41 v41.0.0 h1:HseJrM2JFf2vfiZJ8anY2hqBjdfY1Vlj/K27ueww4gg=
 github.com/google/go-github/v41 v41.0.0/go.mod h1:XgmCA5H323A9rtgExdTcnDkcqp6S30AVACCBDOonIxg=
@@ -936,6 +937,8 @@ github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
+github.com/thoas/go-funk v0.9.2 h1:oKlNYv0AY5nyf9g+/GhMgS/UO2ces0QRdPKwkhY3VCk=
+github.com/thoas/go-funk v0.9.2/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -1395,7 +1398,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U=
 google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=

diff --git a/internal/checks/artifacts/access-to-artifacts/access_to_artifacts_test.go b/internal/checks/artifacts/access-to-artifacts/access_to_artifacts_test.go
@@ -10,123 +10,57 @@ import (
 	"github.com/aquasecurity/chain-bench/internal/testutils/builders"
 )
 
-const (
-	vulnerabilityScanningTask = "argonsecurity/scanner-action"
-)
-
 func TestAccessToArtifactsChecker(t *testing.T) {
 	tests := []testutils.CheckTest{
 		{
-			Name: "no org settings permissions",
+			Name: "should return unknown with explanation when there are no org settings permissions",
 			Data: &checkmodels.CheckData{
 				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithOrganization(builders.NewOrganizationBuilder().Build()).
-					WithPackageRegistry(builders.NewRegistryBuilder().WithPackages("npm", "public", true).Build()).
+					WithOrganization(builders.NewOrganizationBuilder().WithReposDefaultPermissions("").Build()).
 					Build(),
 			},
 			Expected: []*checkmodels.CheckRunResult{
 				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_organization_missingMinimalPermissions}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
 			},
 		},
 		{
-			Name: "no org packages permissions",
+			Name: "should return unknown with explanation when there are no org packages permissions",
 			Data: &checkmodels.CheckData{
-				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithPackageRegistry(builders.NewRegistryBuilder().Build()).
-					Build(),
+				AssetsMetadata: builders.NewAssetsDataBuilder().WithPackageRegistry(builders.NewRegistryBuilder().WithNoPackages().Build()).Build(),
 			},
 			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
 				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_organization_hooks_missingMinimalPermissions}),
 			},
 		},
 		{
-			Name: "no org & no repo permissions",
+			Name: "Should fail when the user have package registry with 2mfa disabled",
 			Data: &checkmodels.CheckData{
 				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithPackageRegistry(builders.NewRegistryBuilder().WithPackages("npm", "public", true).Build()).
+					WithPackageRegistry(builders.NewRegistryBuilder().WithTwoFactorAuthenticationEnabled(false).Build()).
 					Build(),
 			},
 			Expected: []*checkmodels.CheckRunResult{
 				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
 			},
 		},
 		{
-			Name: "repo permissions only, no org permissions",
+			Name: "Should fail when the user have package registry with 1 public package under private repo",
 			Data: &checkmodels.CheckData{
 				AssetsMetadata: builders.NewAssetsDataBuilder().
 					WithPackageRegistry(builders.NewRegistryBuilder().WithPackages("npm", "public", true).Build()).
 					Build(),
 			},
 			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
 				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
 			},
 		},
 		{
-			Name: "Package registry with 2mfa disabled",
+			Name: "Valid input - all rules should pass",
 			Data: &checkmodels.CheckData{
-				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithOrganization(builders.NewOrganizationBuilder().WithReposDefaultPermissions("read").Build()).
-					WithPackageRegistry(builders.NewRegistryBuilder().WithTwoFactorAuthenticationEnabled(false).WithPackages("npm", "public", true).Build()).
-					Build(),
-			},
-			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
-			},
-		},
-		{
-			Name: "Package registry with 2mfa enabled",
-			Data: &checkmodels.CheckData{
-				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithOrganization(builders.NewOrganizationBuilder().WithReposDefaultPermissions("read").Build()).
-					WithPackageRegistry(builders.NewRegistryBuilder().WithTwoFactorAuthenticationEnabled(true).WithPackages("npm", "public", true).Build()).
-					Build(),
-			},
-			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Passed}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
-			},
-		},
-		{
-			Name: "Package registry with 2 public packages under private repo",
-			Data: &checkmodels.CheckData{
-				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithPackageRegistry(builders.NewRegistryBuilder().WithTwoFactorAuthenticationEnabled(false).WithPackages("npm", "public", true).WithPackages("npm", "public", true).Build()).
-					Build(),
-			},
-			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "2 anonymous accessed packages"}),
-			},
-		},
-		{
-			Name: "Package registry with 1 private and 1 public packages under private repo",
-			Data: &checkmodels.CheckData{
-				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithPackageRegistry(builders.NewRegistryBuilder().WithTwoFactorAuthenticationEnabled(false).WithPackages("npm", "private", true).WithPackages("npm", "public", true).Build()).
-					Build(),
-			},
-			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed, Details: "1 anonymous accessed packages"}),
-			},
-		},
-		{
-			Name: "Package registry with 2 private packages",
-			Data: &checkmodels.CheckData{
-				AssetsMetadata: builders.NewAssetsDataBuilder().
-					WithPackageRegistry(builders.NewRegistryBuilder().WithTwoFactorAuthenticationEnabled(false).WithPackages("npm", "private", true).WithPackages("npm", "private", true).Build()).
-					Build(),
-			},
-			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("4.2.3", checksMetadata.Checks["4.2.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Failed}),
-				checkmodels.ToCheckRunResult("4.2.5", checksMetadata.Checks["4.2.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Passed}),
+				AssetsMetadata: builders.NewAssetsDataBuilder().Build(),
 			},
+			Expected: []*checkmodels.CheckRunResult{},
 		},
 	}
-	testutils.RunCheckTests(t, common.GetRegoRunAction(regoQuery, checksMetadata), tests)
+	testutils.RunCheckTests(t, common.GetRegoRunAction(regoQuery, checksMetadata), tests, checksMetadata)
 }
diff --git a/internal/checks/artifacts/access-to-artifacts/rules.rego b/internal/checks/artifacts/access-to-artifacts/rules.rego
@@ -4,40 +4,39 @@ import data.common.consts as constsLib
 import data.common.permissions as permissionslib
 import future.keywords.in
 
-is_registry_enforce_two_factor_authentication {
-	not permissionslib.is_missing_org_settings_permission
-	input.Registry.TwoFactorRequirementEnabled == true
+is_two_factor_authentication_disabled_in_registry {
+	input.Registry.TwoFactorRequirementEnabled == false
 }
 
-is_registry_packages_allows_anonymous_access[details] {
-	not permissionslib.is_missing_org_packages_permission
+is_registry_packages_allows_anonymous_access[unauth_packages] {
 	unauth_packages := count([p |
 		p := input.Registry.Packages[_]
 		p.Visibility == "public"
 		p.Repository.IsPrivate == true
 	])
 
 	unauth_packages > 0
-	details := sprintf("%v %v", [format_int(unauth_packages, 10), "anonymous accessed packages"])
 }
 
 CbPolicy[msg] {
 	permissionslib.is_missing_org_settings_permission
-	msg := {"ids": ["4.2.3"], "status": constsLib.status.Unknown, "details": constsLib.details_organization_missingMinimalPermissions}
+	msg := {"ids": ["4.2.3"], "status": constsLib.status.Unknown, "details": constsLib.details.organization_missing_minimal_permissions}
 }
 
 CbPolicy[msg] {
 	permissionslib.is_missing_org_packages_permission
-	msg := {"ids": ["4.2.5"], "status": constsLib.status.Unknown, "details": constsLib.details_organization_packages_missingMinimalPermissions}
+	msg := {"ids": ["4.2.5"], "status": constsLib.status.Unknown, "details": constsLib.details.organization_packages_missing_minimal_permissions}
 }
 
 CbPolicy[msg] {
 	not permissionslib.is_missing_org_settings_permission
-	not is_registry_enforce_two_factor_authentication
+	is_two_factor_authentication_disabled_in_registry
 	msg := {"ids": ["4.2.3"], "status": constsLib.status.Failed}
 }
 
 CbPolicy[msg] {
-	details := is_registry_packages_allows_anonymous_access[i]
+	not permissionslib.is_missing_org_packages_permission
+	unauth_packages := is_registry_packages_allows_anonymous_access[i]
+	details := sprintf("%v %v", [format_int(unauth_packages, 10), "anonymous accessed packages"])
 	msg := {"ids": ["4.2.5"], "status": constsLib.status.Failed, "details": details}
 }