feat(general): Normalize framework flags (bridgecrewio#94)

* change --framework to use action append and CSV

* log config

* normalize different ways of specifying frameworks

* add framework normalization tests

* reuse framework parsing logic for both flags

* fix lint issues

* fix lint issues

* Update checkov/common/util/ext_argument_parser.py

Co-authored-by: Anton Grübel <[email protected]>

* Update checkov/common/util/ext_argument_parser.py

Co-authored-by: Taylor <[email protected]>

* Update checkov/main.py

Co-authored-by: Anton Grübel <[email protected]>

* Update checkov/main.py

Co-authored-by: Anton Grübel <[email protected]>

---------

Co-authored-by: Anton Grübel <[email protected]>
Co-authored-by: Taylor <[email protected]>

Author: 3 people

checkov/common/util/ext_argument_parser.py

@@ -1,11 +1,11 @@
 from __future__ import annotations
 
 from io import StringIO
-from typing import Any, TYPE_CHECKING, cast
+from typing import Any, TYPE_CHECKING, cast, List
 
 import configargparse
 
-from checkov.common.bridgecrew.check_type import checkov_runners, sast_types
+from checkov.common.bridgecrew.check_type import checkov_runners
 from checkov.common.runners.runner_registry import OUTPUT_CHOICES, SUMMARY_POSITIONS
 from checkov.common.util.consts import DEFAULT_EXTERNAL_MODULES_DIR
 from checkov.common.util.type_forcers import convert_str_to_bool
@@ -15,6 +15,18 @@
     import argparse
 
 
+def flatten_csv(list_to_flatten: List[List[str]]) -> List[str]:
+    """
+    Flattens a list of list of strings into a list of strings, while also splitting out comma-separated values
+    Duplicates will be removed.
+    [['terraform', 'arm'], ['bicep,cloudformation,arm']] -> ['terraform', 'arm', 'bicep', 'cloudformation']
+    (Order is not guaranteed)
+    """
+    if not list_to_flatten:
+        return []
+    return list({s for sublist in list_to_flatten for val in sublist for s in val.split(',')})
+
+
 class ExtArgumentParser(configargparse.ArgumentParser):
     def __init__(self, *args: Any, **kwargs: Any) -> None:
         super().__init__(*args, **kwargs)
@@ -211,21 +223,26 @@ def add_parser_args(self) -> None:
         )
         self.add(
             "--framework",
-            help="Filter scan to run only on specific infrastructure code frameworks",
-            choices=checkov_runners + sast_types + ["all"],
-            default=["all"],
+            help="Filter scan to run only on specific infrastructure as code frameworks. Defaults to all frameworks. If you "
+                 "explicitly include 'all' as a value, then all other values are ignored. Enter as a "
+                 "comma-separated list or repeat the flag multiple times. For example, --framework terraform,sca_package "
+                 f"or --framework terraform --framework sca_package. Possible values: {', '.join(['all'] + checkov_runners)}",
             env_var="CKV_FRAMEWORK",
-            nargs="+",
+            action='append',
+            nargs='+'  # we will still allow the old way (eg: --framework terraform arm cloudformation), just not prefer it
+            # intentionally no default value - we will set it explicitly during normalization (it messes up the list of lists)
         )
         self.add(
             "--skip-framework",
-            help="Filter scan to skip specific infrastructure as code frameworks."
+            help="Filter scan to skip specific infrastructure as code frameworks. "
                  "This will be included automatically for some frameworks if system dependencies "
-                 "are missing. Add multiple frameworks using spaces. For example, "
-                 "--skip-framework terraform sca_package.",
-            choices=checkov_runners,
+                 "are missing. Enter as a comma-separated list or repeat the flag multiple times. For example, "
+                 "--skip-framework terraform,sca_package or --skip-framework terraform --skip-framework sca_package. "
+                 "Cannot include values that are also included in --framework. "
+                 f"Possible values: {', '.join(checkov_runners)}",
             default=None,
-            nargs="+",
+            action='append',
+            nargs='+'
         )
         self.add(
             "-c",

checkov/main.py

@@ -12,7 +12,7 @@
 import sys
 from collections import defaultdict
 from pathlib import Path
-from typing import TYPE_CHECKING, Any, Dict, Literal, Optional, List
+from typing import TYPE_CHECKING, Any, Dict, Literal, Optional, List, cast
 
 import argcomplete
 import configargparse
@@ -53,7 +53,7 @@
 from checkov.common.util.banner import banner as checkov_banner, tool as checkov_tool
 from checkov.common.util.config_utils import get_default_config_paths
 from checkov.common.util.consts import CHECKOV_RUN_SCA_PACKAGE_SCAN_V2
-from checkov.common.util.ext_argument_parser import ExtArgumentParser
+from checkov.common.util.ext_argument_parser import ExtArgumentParser, flatten_csv
 from checkov.common.util.runner_dependency_handler import RunnerDependencyHandler
 from checkov.common.util.type_forcers import convert_str_to_bool
 from checkov.contributor_metrics import report_contributor_metrics
@@ -206,13 +206,49 @@ def normalize_config(self) -> None:
                 '--policy-metadata-filter flag was used without a Prisma Cloud API key. Policy filtering will be skipped.'
             )
 
+        logging.debug('Normalizing --framework')
+        self.config.framework = self.normalize_framework_arg(self.config.framework, handle_all=True)
+        logging.debug(f'Normalized --framework value: {self.config.framework}')
+
+        logging.debug('Normalizing --skip-framework')
+        self.config.skip_framework = self.normalize_framework_arg(self.config.skip_framework)
+        logging.debug(f'Normalized --skip-framework value: {self.config.skip_framework}')
+
+        duplicate_frameworks = set(self.config.skip_framework).intersection(self.config.framework)
+        if duplicate_frameworks:
+            self.parser.error(f'Frameworks listed for both --framework and --skip-framework: {", ".join(duplicate_frameworks)}')
+
         # Parse mask into json with default dict. If self.config.mask is empty list, default dict will be assigned
         self._parse_mask_to_resource_attributes_to_omit()
 
         if self.config.file:
             # it is passed as a list of lists
             self.config.file = list(itertools.chain.from_iterable(self.config.file))
 
+    def normalize_framework_arg(self, raw_framework_arg: List[List[str]], handle_all=False) -> List[str]:
+        # frameworks come as arrays of arrays, e.g. --framework terraform arm --framework bicep,cloudformation
+        # becomes: [['terraform', 'arm'], ['bicep,cloudformation']]
+        # we'll collapse it into a single array (which is how it was before checkov3)
+
+        if raw_framework_arg:
+            logging.debug(f'Raw framework value: {raw_framework_arg}')
+            frameworks = flatten_csv(cast(List[List[str]], raw_framework_arg))
+            logging.debug(f'Flattened frameworks: {frameworks}')
+            if handle_all and 'all' in frameworks:
+                return ['all']
+            else:
+                invalid = list(filter(lambda f: f not in checkov_runners, frameworks))
+                if invalid:
+                    self.parser.error(f'Invalid frameworks specified: {", ".join(invalid)}.{os.linesep}'
+                                      f'Valid values are: {", ".join(checkov_runners + ["all"] if handle_all else [])}')
+                return frameworks
+        elif handle_all:
+            logging.debug('No framework specified; setting to `all`')
+            return ['all']
+        else:
+            logging.debug('No framework specified; setting to none')
+            return []
+
     def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_type: SourceType | None = None) -> int | None:
         self.run_metadata = {
             "checkov_version": version,

tests/config/TestCLIArgs.py

@@ -0,0 +1,117 @@
+import unittest
+
+from checkov.main import Checkov
+
+
+class ConfigException(Exception):
+    pass
+
+
+# override parser.error, which prints the error and exits
+def parser_error(message: str):
+    raise ConfigException(message)
+
+
+class TestCLIArgs(unittest.TestCase):
+    def test_normalize_frameworks(self):
+        argv = []
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.framework, ['all'])
+        self.assertEqual(ckv.config.skip_framework, [])
+
+        argv = ['--framework', 'terraform']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.framework, ['terraform'])
+
+        argv = ['--framework', 'terraform,arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.framework), {'terraform', 'arm'})
+
+        argv = ['--framework', 'terraform', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.framework), {'terraform', 'arm'})
+
+        argv = ['--framework', 'terraform', '--framework', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.framework), {'terraform', 'arm'})
+
+        argv = ['--framework', 'terraform,bicep', '--framework', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.framework), {'terraform', 'arm', 'bicep'})
+
+        argv = ['--framework', 'terraform,bicep', '--framework', 'arm,all']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.framework, ['all'])
+
+        argv = ['--framework', 'terraform,bicep', '--framework', 'arm,invalid']
+        ckv = Checkov(argv=[])  # first instantiate a valid one
+        # now repeat some of the logic of the constructor, overriding values
+        ckv.config = ckv.parser.parse_args(argv)
+        ckv.parser.error = parser_error
+        with self.assertRaises(ConfigException):
+            ckv.normalize_config()
+
+        # all is specified, so we do not expect an exception
+        argv = ['--framework', 'terraform,bicep', '--framework', 'arm,invalid,all']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.framework, ['all'])
+
+    def test_normalize_skip_frameworks(self):
+        argv = ['--skip-framework', 'terraform']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.skip_framework, ['terraform'])
+
+        argv = ['--skip-framework', 'terraform,arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.skip_framework), {'terraform', 'arm'})
+
+        argv = ['--skip-framework', 'terraform', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.skip_framework), {'terraform', 'arm'})
+
+        argv = ['--skip-framework', 'terraform', '--skip-framework', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.skip_framework), {'terraform', 'arm'})
+
+        argv = ['--skip-framework', 'terraform,bicep', '--skip-framework', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(set(ckv.config.skip_framework), {'terraform', 'arm', 'bicep'})
+
+        # all is not allowed
+        argv = ['--skip-framework', 'terraform,bicep', '--skip-framework', 'arm,all']
+        ckv = Checkov(argv=[])
+        ckv.config = ckv.parser.parse_args(argv)
+        ckv.parser.error = parser_error
+        with self.assertRaises(ConfigException):
+            ckv.normalize_config()
+
+        argv = ['--skip-framework', 'terraform,bicep', '--skip-framework', 'arm,invalid']
+        ckv = Checkov(argv=[])
+        ckv.config = ckv.parser.parse_args(argv)
+        ckv.parser.error = parser_error
+        with self.assertRaises(ConfigException):
+            ckv.normalize_config()
+
+    def test_combine_framework_and_skip(self):
+        argv = ['--framework', 'terraform', '--skip-framework', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.framework, ['terraform'])
+        self.assertEqual(ckv.config.skip_framework, ['arm'])
+
+        # duplicate values not allowed
+        argv = ['--framework', 'arm', '--skip-framework', 'arm']
+        ckv = Checkov(argv=[])
+        ckv.config = ckv.parser.parse_args(argv)
+        ckv.parser.error = parser_error
+        with self.assertRaises(ConfigException):
+            ckv.normalize_config()
+
+        # but it works with all
+        argv = ['--framework', 'arm,all', '--skip-framework', 'arm']
+        ckv = Checkov(argv=argv)
+        self.assertEqual(ckv.config.framework, ['all'])
+        self.assertEqual(ckv.config.skip_framework, ['arm'])
+
+
+if __name__ == '__main__':
+    unittest.main()