add kustomizegoat to integration tests (bridgecrewio#2561)

* add kustomizegoat to integration tests

Author: schosterbarak

.github/workflows/build.yml

@@ -48,6 +48,8 @@ jobs:
         run: git clone https://github.com/bridgecrewio/cfngoat
       - name: Clone Kubernetes-goat - vulnerable kubernetes
         run: git clone https://github.com/madhuakula/kubernetes-goat
+      - name: Clone kustomize-goat - vulnerable kustomize
+        run: git clone https://github.com/bridgecrewio/kustomizegoat
       - name: Create checkov reports
         run: |
           # Just making sure the API key tests don't run on PRs
@@ -102,6 +104,7 @@ jobs:
           pipenv --python 3.7
           pipenv install --dev
       - uses: imranismail/setup-kustomize@v1
+        if: ${{ runner.os != 'windows' }}
       - name: Test with pytest
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-test.yml

@@ -86,6 +86,8 @@ jobs:
         run: git clone https://github.com/bridgecrewio/cfngoat
       - name: Clone Kubernetes-goat - vulnerable kubernetes
         run: git clone https://github.com/madhuakula/kubernetes-goat
+      - name: Clone kustomize-goat - vulnerable kustomize
+        run: git clone https://github.com/bridgecrewio/kustomizegoat
       - name: Create checkov reports
         env:
           LOG_LEVEL: INFO

checkov/kustomize/runner.py

@@ -39,17 +39,28 @@ def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=No
             else: 
                 kustomizeResourceID = "Unknown error. This is a bug."
 
+            code_lines = entity_context.get("code_lines")
+            file_line_range = self.line_range(code_lines)
             record = Record(
                 check_id=check.id, bc_check_id=check.bc_id, check_name=check.name,
-                check_result=check_result, code_block=entity_context.get("code_lines"), file_path=realKustomizeEnvMetadata['filePath'],
-                file_line_range=[0,0],
+                check_result=check_result, code_block=code_lines, file_path=realKustomizeEnvMetadata['filePath'],
+                file_line_range=file_line_range,
                 resource=kustomizeResourceID, evaluations=variable_evaluations,
                 check_class=check.__class__.__module__, file_abs_path=realKustomizeEnvMetadata['filePath'], severity=check.bc_severity)
             record.set_guideline(check.guideline)
             report.add_record(record=record)
 
         return report
 
+    def line_range(self, code_lines):
+        num_of_lines = len(code_lines)
+        file_line_range = [0, 0]
+        if num_of_lines > 0:
+            first_line, code = code_lines[0]
+            last_line, code = code_lines[num_of_lines - 1]
+            file_line_range = [first_line, last_line]
+        return file_line_range
+
     def mutateKubernetesGraphResults(self, root_folder: str, runner_filter: RunnerFilter, report: Report, checks_results, reportMutatorData=None) -> Report:
         # Moves report generation logic out of run() method in Runner class.
         # Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm
@@ -73,14 +84,16 @@ def mutateKubernetesGraphResults(self, root_folder: str, runner_filter: RunnerFi
                         kustomizeResourceID = f'{realKustomizeEnvMetadata["type"]}:{entity_id}'
                 else: 
                     kustomizeResourceID = "Unknown error. This is a bug."
+                code_lines = entity_context.get("code_lines")
+                file_line_range = self.line_range(code_lines)
 
                 record = Record(
                     check_id=check.id,
                     check_name=check.name,
                     check_result=check_result,
                     code_block=entity_context.get("code_lines"),
                     file_path=realKustomizeEnvMetadata['filePath'],
-                    file_line_range=[0,0],
+                    file_line_range=file_line_range,
                     resource=kustomizeResourceID,  # entity.get(CustomAttributes.ID),
                     evaluations={},
                     check_class=check.__class__.__module__,
@@ -408,17 +421,3 @@ def _curWriterValidateStoreMapAndClose(self, cur_writer, FilePath):
 
         except IsADirectoryError:
             pass
-
-def find_lines(node, kv):
-    if isinstance(node, str):
-        return node
-    if isinstance(node, list):
-        for i in node:
-            for x in find_lines(i, kv):
-                yield x
-    elif isinstance(node, dict):
-        if kv in node:
-            yield node[kv]
-        for j in node.values():
-            for x in find_lines(j, kv):
-                yield x

integration_tests/prepare_data.sh

@@ -22,6 +22,7 @@ else
   pipenv run checkov -s -d cfngoat/ -o json --external-checks-dir ./checkov/cloudformation/checks/graph_checks/aws > checkov_report_cfngoat.json
   pipenv run checkov -s -d kubernetes-goat/ --framework kubernetes -o json > checkov_report_kubernetes-goat.json
   pipenv run checkov -s -d kubernetes-goat/ --framework helm -o json > checkov_report_kubernetes-goat-helm.json
+  pipenv run checkov -s -d kustomizegoat/ --framework kustomize -o json > checkov_report_kustomizegoat.json
   pipenv run checkov -s --framework terraform --skip-check CKV_AWS_33,CKV_AWS_41 -d terragoat/terraform/ -o json > checkov_report_terragoat_with_skip.json
   pipenv run checkov -s -d cfngoat/ -o json --quiet > checkov_report_cfngoat_quiet.json
   pipenv run checkov -s -d terragoat/terraform/ --config-file integration_tests/example_config_files/config.yaml -o json > checkov_config_report_terragoat.json

integration_tests/test_checkov_json_report.py

@@ -13,6 +13,11 @@ def test_terragoat_report(self):
         report_path = os.path.join(os.path.dirname(current_dir), 'checkov_report_terragoat.json')
         self.validate_report(os.path.abspath(report_path))
 
+    def test_kustomizegoat_report(self):
+        if not sys.platform.startswith('win'):
+            report_path = os.path.join(os.path.dirname(current_dir), 'checkov_report_kustomizegoat.json')
+            self.validate_report(os.path.abspath(report_path))
+
     def test_cfngoat_report(self):
         report_path = os.path.join(os.path.dirname(current_dir), 'checkov_report_cfngoat.json')
         self.validate_report(os.path.abspath(report_path))
@@ -53,6 +58,7 @@ def validate_report_not_empty(self, report):
                          f"expecting 0 parsing errors but got: {report['results']['parsing_errors']}")
         self.assertGreater(report["summary"]["failed"], 1,
                            f"expecting more than 1 failed checks, got: {report['summary']['failed']}")
+        self.assertGreater(report['results']['failed_checks'][0]['file_line_range'][1], 0)
 
     def validate_json_quiet(self):
         report_path = os.path.join(os.path.dirname(current_dir), 'checkov_report_cfngoat_quiet.json')