Merge pull request #1421 from snyk/refactor/remove-k8s-kind-filter

Refactor/remove k8s kind filter
snyk · Oct 1, 2020 · 59df69b · 59df69b
2 parents 57281b1 + 1cc3c2e
commit 59df69b
Show file tree

Hide file tree

Showing 10 changed files with 121 additions and 42 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -12,6 +12,7 @@ src/lib/snyk-test/payload-schema.ts @snyk/cloudconfig
 src/lib/snyk-test/run-iac-test.ts @snyk/cloudconfig
 test/acceptance/cli-test/cli-test.iac-k8s.spec.ts @snyk/cloudconfig
 test/acceptance/cli-test/cli-test.iac-k8s.utils.ts @snyk/cloudconfig
-test/fixtures/iac-terraform/* @snyk/cloudconfig
+test/fixtures/iac/* @snyk/cloudconfig
+test/smoke/spec/iac/* @snyk/cloudconfig
 src/lib/errors/invalid-iac-file.ts @snyk/cloudconfig
-src/lib/errors/unsupported-options-iac-error.ts @snyk/cloudconfig
+src/lib/errors/unsupported-options-iac-error.ts @snyk/cloudconfig
diff --git a/src/lib/iac/iac-parser.ts b/src/lib/iac/iac-parser.ts
@@ -9,13 +9,7 @@ import { IacValidateTerraformResponse } from './constants';
 
 const debug = debugLib('snyk-detect');
 
-const mandatoryKeysForSupportedK8sKinds = {
-  deployment: ['apiVersion', 'metadata', 'spec'],
-  pod: ['apiVersion', 'metadata', 'spec'],
-  service: ['apiVersion', 'metadata', 'spec'],
-  podsecuritypolicy: ['apiVersion', 'metadata', 'spec'],
-  networkpolicy: ['apiVersion', 'metadata', 'spec'],
-};
+const requiredK8SObjectFields = ['apiVersion', 'kind', 'metadata', 'spec'];
 
 export function getFileType(filePath: string): string {
   const filePathSplit = filePath.split('.');
@@ -49,8 +43,6 @@ function parseYamlOrJson(fileContent: string, filePath: string): any {
 }
 
 // This function validates that there is at least one valid doc with a k8s object kind.
-// A valid k8s object has a kind key (.kind) from the keys of `mandatoryKeysForSupportedK8sKinds`
-// and all of the keys from `mandatoryKeysForSupportedK8sKinds[kind]`.
 // If there is a doc with a supported kind, but invalid, we should fail
 // The function return true if the yaml is a valid k8s one, or false otherwise
 export function validateK8sFile(
@@ -70,17 +62,11 @@ export function validateK8sFile(
       continue;
     }
 
-    const kind = k8sObject.kind.toLowerCase();
-    if (!Object.keys(mandatoryKeysForSupportedK8sKinds).includes(kind)) {
-      continue;
-    }
-
     numOfSupportedKeyDocs++;
 
-    for (let i = 0; i < mandatoryKeysForSupportedK8sKinds[kind].length; i++) {
-      const key = mandatoryKeysForSupportedK8sKinds[kind][i];
+    for (const key of requiredK8SObjectFields) {
       if (!k8sObject[key]) {
-        debug(`Missing key (${key}) from supported k8s object kind (${kind})`);
+        debug(`Missing required field (${key})`);
         throw IllegalIacFileError([root]);
       }
     }

diff --git a/test/fixtures/iac/pod-invalid.yaml b/test/fixtures/iac/pod-invalid.yaml
@@ -0,0 +1,4 @@
+apiVersion: test
+kind: example
+metadata:
+  name: pod
diff --git a/test/fixtures/iac/pod-privileged.yaml b/test/fixtures/iac/pod-privileged.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+spec:
+  containers:
+    - name: example
+      image: example:latest
+      securityContext:
+        privileged: true 
diff --git a/test/fixtures/iac-terraform/sg_open_ssh.tf → test/fixtures/iac/sg_open_ssh.tf b/test/fixtures/iac-terraform/sg_open_ssh.tf → test/fixtures/iac/sg_open_ssh.tf
diff --git a/...aform/sg_open_ssh_invalid_go_templates.tf → ...s/iac/sg_open_ssh_invalid_go_templates.tf b/...aform/sg_open_ssh_invalid_go_templates.tf → ...s/iac/sg_open_ssh_invalid_go_templates.tf
diff --git a/...iac-terraform/sg_open_ssh_invalid_hcl2.tf → .../fixtures/iac/sg_open_ssh_invalid_hcl2.tf b/...iac-terraform/sg_open_ssh_invalid_hcl2.tf → .../fixtures/iac/sg_open_ssh_invalid_hcl2.tf
diff --git a/test/smoke/alpine/Dockerfile b/test/smoke/alpine/Dockerfile
@@ -3,7 +3,7 @@ FROM shellspec/shellspec:latest
 COPY ./smoke/ /snyk/smoke/
 COPY ./fixtures/basic-npm/ /snyk/fixtures/basic-npm/
 COPY ./fixtures/empty/ /snyk/fixtures/empty/
-COPY ./fixtures/iac-terraform/ /snyk/fixtures/iac-terraform/ 
+COPY ./fixtures/iac/ /snyk/fixtures/iac/ 
 
 RUN shellspec --version
 RUN apk add curl jq libgcc libstdc++

diff --git a/test/smoke/spec/iac/snyk_test_k8s_spec.sh b/test/smoke/spec/iac/snyk_test_k8s_spec.sh
@@ -0,0 +1,77 @@
+#shellcheck shell=sh
+
+Describe "Snyk iac test command"
+  Before snyk_login
+  After snyk_logout
+
+  Describe "k8s single file scan"
+    It "finds issues in k8s file"
+      When run snyk iac test ../fixtures/iac/pod-privileged.yaml
+      The status should be failure # issues found
+      The output should include "Testing ../fixtures/iac/pod-privileged.yaml..."
+
+      # Outputs issues
+      The output should include "Infrastructure as code issues:"
+      The output should include "✗ Container is running in privileged mode [High Severity] [SNYK-CC-K8S-1] in Deployment"
+      The output should include "  introduced by input > spec > containers[example] > securityContext > privileged"
+      The output should include "✗ Containers should ideally be explicit about required capabilities [Medium Severity] [SNYK-CC-K8S-6] in Deployment"
+      The output should include "  introduced by input > spec > containers[example] > securityContext > capabilities > drop"
+      The output should include "✗ Container can run as the root [Medium Severity] [SNYK-CC-K8S-10] in Deployment"
+      The output should include "  introduced by input > spec > containers[example] > securityContext > runAsNonRoot"
+      The output should include "✗ Memory limits not set [Low Severity] [SNYK-CC-K8S-4] in Deployment"
+      The output should include "  introduced by input > spec > containers[example] > resources > limits > memory"
+      The output should include "✗ CPU limits not set [Low Severity] [SNYK-CC-K8S-5] in Deployment"
+      The output should include "  introduced by input > spec > containers[example] > resources > limits > cpu"
+      The output should include "✗ Container not using a read-only root filesystem [Low Severity] [SNYK-CC-K8S-8] in Deployment"
+      The output should include "  introduced by input > spec > containers[example] > securityContext > readOnlyRootFilesystem"
+
+      # Outputs Summary
+      The output should include "Organization:"
+      The output should include "Type:              Kubernetes"
+      The output should include "Target file:       ../fixtures/iac/pod-privileged.yaml"
+      The output should include "Project name:      iac"
+      The output should include "Open source:       no"
+      The output should include "Project path:      ../fixtures/iac/pod-privileged.yaml"
+      The output should include "Tested ../fixtures/iac/pod-privileged.yaml for known issues, found 6 issues"
+    End
+
+    It "filters out issues when using severity threshold"
+      When run snyk iac test ../fixtures/iac/pod-privileged.yaml --severity-threshold=high
+      The status should be failure # one issue found
+      The output should include "Testing ../fixtures/iac/pod-privileged.yaml..."
+
+      The output should include "Infrastructure as code issues:"
+      The output should include "✗ Container is running in privileged mode [High Severity] [SNYK-CC-K8S-1] in Deployment"
+      The output should include "introduced by input > spec > containers[example] > securityContext > privileged"
+
+      The output should include "Organization:"
+      The output should include "Type:              Kubernetes"
+      The output should include "Target file:       ../fixtures/iac/pod-privileged.yaml"
+      The output should include "Project name:      iac"
+      The output should include "Open source:       no"
+      The output should include "Project path:      ../fixtures/iac/pod-privileged.yaml"
+      The output should include "Tested ../fixtures/iac/pod-privileged.yaml for known issues, found 1 issues"
+    End
+
+    It "outputs an error for files with no valid k8s objects"
+      When run snyk iac test ../fixtures/iac/pod-invalid.yaml
+      The status should be failure
+      The output should include "Illegal infrastructure as code target file ../fixtures/iac/pod-invalid.yaml"
+    End
+
+    It "outputs the expected text when running with --sarif flag"
+      When run snyk iac test ../fixtures/iac/pod-privileged.yaml --sarif
+      The status should be failure
+      The output should include '"id": "SNYK-CC-K8S-1",'
+      The output should include '"ruleId": "SNYK-CC-K8S-1",'
+    End
+
+    It "outputs the expected text when running with --json flag"
+      When run snyk iac test ../fixtures/iac/pod-privileged.yaml --json
+      The status should be failure
+      The output should include '"id": "SNYK-CC-K8S-1",'
+      The output should include '"packageManager": "k8sconfig",'
+      The result of function check_valid_json should be success
+    End
+  End
+End
diff --git a/test/smoke/spec/snyk_test_iac_spec.sh → ...moke/spec/iac/snyk_test_terraform_spec.sh b/test/smoke/spec/snyk_test_iac_spec.sh → ...moke/spec/iac/snyk_test_terraform_spec.sh
@@ -3,66 +3,67 @@
 Describe "Snyk iac test command"
   Before snyk_login
   After snyk_logout
+
   Describe "terraform single file scan"
     It "finds issues in terraform file"
-      When run snyk iac test ../fixtures/iac-terraform/sg_open_ssh.tf
+      When run snyk iac test ../fixtures/iac/sg_open_ssh.tf
       The status should be failure # issues found
-      The output should include "Testing ../fixtures/iac-terraform/sg_open_ssh.tf..."
-      # Outputs issues   
+      The output should include "Testing ../fixtures/iac/sg_open_ssh.tf..."
+      # Outputs issues
       The output should include "Infrastructure as code issues:"
       The output should include "✗ Security Group allows open ingress [Medium Severity] [SNYK-CC-TF-1] in Security Group"
       The output should include "introduced by resource > aws_security_group[allow_ssh] > ingress"
-      
+
       # Outputs Summary
       The output should include "Organization:"
       The output should include "Type:              Terraform"
-      The output should include "Target file:       ../fixtures/iac-terraform/sg_open_ssh.tf"
-      The output should include "Project name:      iac-terraform"
+      The output should include "Target file:       ../fixtures/iac/sg_open_ssh.tf"
+      The output should include "Project name:      iac"
       The output should include "Open source:       no"
-      The output should include "Project path:      ../fixtures/iac-terraform/sg_open_ssh.tf"
-      The output should include "Tested ../fixtures/iac-terraform/sg_open_ssh.tf for known issues, found 1 issues"
+      The output should include "Project path:      ../fixtures/iac/sg_open_ssh.tf"
+      The output should include "Tested ../fixtures/iac/sg_open_ssh.tf for known issues, found 1 issues"
     End
 
     It "filters out issues when using severity threshold"
-      When run snyk iac test ../fixtures/iac-terraform/sg_open_ssh.tf --severity-threshold=high
+      When run snyk iac test ../fixtures/iac/sg_open_ssh.tf --severity-threshold=high
       The status should be success # no issues found
-      The output should include "Testing ../fixtures/iac-terraform/sg_open_ssh.tf..."
-      # Outputs issues   
+      The output should include "Testing ../fixtures/iac/sg_open_ssh.tf..."
+      # Outputs issues
       The output should include "Infrastructure as code issues:"
-      
+
       # Outputs Summary
       The output should include "Organization:"
       The output should include "Type:              Terraform"
-      The output should include "Target file:       ../fixtures/iac-terraform/sg_open_ssh.tf"
-      The output should include "Project name:      iac-terraform"
+      The output should include "Target file:       ../fixtures/iac/sg_open_ssh.tf"
+      The output should include "Project name:      iac"
       The output should include "Open source:       no"
-      The output should include "Project path:      ../fixtures/iac-terraform/sg_open_ssh.tf"
-      The output should include "Tested ../fixtures/iac-terraform/sg_open_ssh.tf for known issues, found 0 issues"
+      The output should include "Project path:      ../fixtures/iac/sg_open_ssh.tf"
+      The output should include "Tested ../fixtures/iac/sg_open_ssh.tf for known issues, found 0 issues"
     End
 
     It "outputs an error for invalid hcl2 tf files"
-      When run snyk iac test ../fixtures/iac-terraform/sg_open_ssh_invalid_hcl2.tf
+      When run snyk iac test ../fixtures/iac/sg_open_ssh_invalid_hcl2.tf
       The status should be failure
-      The output should include "Illegal Terraform target file ../fixtures/iac-terraform/sg_open_ssh_invalid_hcl2.tf"
+      The output should include "Illegal Terraform target file ../fixtures/iac/sg_open_ssh_invalid_hcl2.tf"
       The output should include "Validation Error Reason: Invalid HCL2 Format."
     End
 
     It "outputs an error for invalid tf files with go templates"
-      When run snyk iac test ../fixtures/iac-terraform/sg_open_ssh_invalid_go_templates.tf
+      When run snyk iac test ../fixtures/iac/sg_open_ssh_invalid_go_templates.tf
       The status should be failure
-      The output should include "Illegal Terraform target file ../fixtures/iac-terraform/sg_open_ssh_invalid_go_templates.tf"
+      The output should include "Illegal Terraform target file ../fixtures/iac/sg_open_ssh_invalid_go_templates.tf"
       The output should include "Validation Error Reason: Go Template placeholders found in Terraform file."
     End
 
     It "outputs the expected text when running with --sarif flag"
-      When run snyk iac test ../fixtures/iac-terraform/sg_open_ssh.tf --sarif
+      When run snyk iac test ../fixtures/iac/sg_open_ssh.tf --sarif
       The status should be failure
       The output should include '"id": "SNYK-CC-TF-1",'
       The output should include '"ruleId": "SNYK-CC-TF-1",'
     End
 
     It "outputs the expected text when running with --json flag"
-      When run snyk iac test ../fixtures/iac-terraform/sg_open_ssh.tf --json
+      When run snyk iac test ../fixtures/iac/sg_open_ssh.tf --json
       The status should be failure
       The output should include '"id": "SNYK-CC-TF-1",'
       The output should include '"packageManager": "terraformconfig",'