Swarm and Nomad support

glitch/__main__.py

@@ -18,6 +18,8 @@
 from glitch.parsers.puppet import PuppetParser
 from glitch.parsers.terraform import TerraformParser
 from glitch.parsers.gha import GithubActionsParser
+from glitch.parsers.swarm import SwarmParser
+from glitch.parsers.nomad import NomadParser
 from glitch.exceptions import throw_exception
 from glitch.repair.interactive.main import run_infrafix
 from pkg_resources import resource_filename
@@ -90,6 +92,10 @@ def __get_parser(tech: Tech) -> Parser:
         return TerraformParser()
     elif tech == Tech.gha:
         return GithubActionsParser()
+    elif tech == Tech.swarm:
+        return SwarmParser()
+    elif tech == Tech.nomad:
+        return NomadParser()
     else:
         raise ValueError(f"Invalid tech: {tech}")
 

glitch/analysis/rules.py

@@ -18,14 +18,40 @@ class Error:
             "sec_hard_secr": "Hard-coded secret - Developers should not reveal sensitive information in the source code. (CWE-798)",
             "sec_hard_pass": "Hard-coded password - Developers should not reveal sensitive information in the source code. (CWE-259)",
             "sec_hard_user": "Hard-coded user - Developers should not reveal sensitive information in the source code. (CWE-798)",
-            "sec_invalid_bind": "Invalid IP address binding - Binding to the address 0.0.0.0 allows connections from every possible network which might be a security issues. (CWE-284)",
+            "sec_invalid_bind": "Invalid IP address binding - Binding to the address 0.0.0.0 allows connections from every possible network which might be a security issue. (CWE-284)",
             "sec_no_int_check": "No integrity check - The content of files downloaded from the internet should be checked. (CWE-353)",
             "sec_no_default_switch": "Missing default case statement - Not handling every possible input combination might allow an attacker to trigger an error for an unhandled value. (CWE-478)",
             "sec_full_permission_filesystem": "Full permission to the filesystem - Files should not have full permissions to every user. (CWE-732)",
             "sec_obsolete_command": "Use of obsolete command or function - Avoid using obsolete or deprecated commands and functions. (CWE-477)",
             Tech.docker: {
                 "sec_non_official_image": "Use of non-official Docker image - Use of non-official images should be avoided or taken into careful consideration. (CWE-829)",
             },
+            Tech.swarm: {
+                "sec_non_official_image": "Use of non-official Docker image - Use of non-official images should be avoided or taken into careful consideration. (CWE-829)",
+                "sec_image_integrity": "Use of image is not tagged with digest - The images downloaded from the internet should be checked. (CWE-353)",
+                "sec_unstable_tag": "Unstable version/release image tag - Prefer specifying a release version or better yet a specific version digest (CWE-353)",
+                "sec_no_image_tag": "The image is not tagged - Prefer specifying a release version or better yet specific version digest",
+                "arc_no_apig": "No API Gateway - If following a microservices architecture you should use in front of your services an API Gateway instead of directly exposing them.",
+                "arc_no_logging": "Log Collection not found - It is advised to setup logging for your services.",
+                "arc_missing_healthchecks": "Missing Healthchecks - You should setup healthchecks for your services, or check if the images used already have default ones.",
+                "sec_mounted_docker_socket": "Docker socket mounted to a container - Avoid mounting the Docker socket to container, if the container is compromised its access to the Docker socket allows control of all other containers, and even acquiring control of the host machine.",
+                "sec_privileged_containers": "Use of Privileged Containers - Developers should always try to give and use the least privileges possible. Use of privileged containers severely thins out the security and isolation provided by container runtimes, its use should be avoided as much as possible (CWE-250)",
+                "sec_depr_off_imgs" : "Use of deprecated official Docker images - Use of official deprecated images should be avoided as it makes you open to vulnerabilities, quality issues and unfixed bugs (CWE-1104)",
+            },
+            Tech.nomad: {
+                "sec_non_official_image": "Use of non-official Docker image - Use of non-official images should be avoided or taken into careful consideration. (CWE-829)",
+                "sec_image_integrity": "Container image is not tagged with digest - The images downloaded from the internet should be checked. (CWE-353)",
+                "sec_unstable_tag": "Unstable version/release image tag - Prefer specifying a release version or better yet a specific version digest (CWE-353)",
+                "sec_no_image_tag": "Container Image is not tagged - Prefer specifying a release version or better yet specific version digest (CWE-353)",
+                "arc_no_apig": "No API Gateway - If following a microservices architecture you should use in front of your services an API Gateway instead of directly exposing them.",
+                "arc_no_logging": "Log Collection not found - It is advised to setup logging for your services.",
+                "arc_missing_healthchecks": "Missing Healthchecks - You should setup healthchecks for your services, or check if the images used already have default ones.",
+                "sec_mounted_docker_socket": "Docker socket mounted to a container - Avoid mounting the Docker socket to container, if the container is compromised its access to the Docker socket allows control of all other containers, and even acquiring control of the host machine.",
+                "sec_privileged_containers": "Use of Privileged Containers - Developers should always try to give and use the least privileges possible. Use of privileged containers severely thins out the security and isolation provided by container runtimes, its use should be avoided as much as possible (CWE-250)",
+                "arc_multiple_services": "Multiple Services per Deployment Unit - If you are following a Microservices architecture you are violating the idependent deployability rule by deploying multiple microservices in the same group.",
+                "sec_depr_off_imgs" : "Use of deprecated official Docker images - Use of official deprecated images should be avoided as it makes you open to vulnerabilities, quality issues and unfixed bugs (CWE-1104)",
+                "arc_wobbly_service_interaction" : "Wobbly Service Interaction - If you are following a Microservices you are likely compromising the principle of isolation of failures of microservice. Using a Consul sidecar proxy allows having Circuit Breakers and Timeouts that avoid cascading failures due to wobbly interactions between microservices",
+            },
             Tech.terraform: {
                 "sec_integrity_policy": "Integrity Policy - Image tag is prone to be mutable or integrity monitoring is disabled. (CWE-471)",
                 "sec_ssl_tls_policy": "SSL/TLS/mTLS Policy - Developers should use SSL/TLS/mTLS protocols and their secure versions. (CWE-326)",

glitch/analysis/security/container_image_tags_smells.py

@@ -0,0 +1,84 @@
+from glitch.analysis.rules import Error
+from glitch.analysis.security.smell_checker import SecuritySmellChecker
+from glitch.analysis.security.visitor import SecurityVisitor
+from glitch.repr.inter import CodeElement, KeyValue, Hash, String
+from glitch.analysis.utils import parse_container_image_name
+from typing import List
+
+
+class ContainerImageTagsSmells(SecuritySmellChecker):
+    # NOTE: This is the implementation for Nomad and Swarm
+    def check(self, element: CodeElement, file: str) -> List[Error]:
+        errors: List[Error] = []
+        bad_element = element
+        if isinstance(element, KeyValue) and (
+            (element.name == "image" and isinstance(element.value, String))
+            or (isinstance(element.value, Hash) and element.name == "config")
+        ):
+            image = ""
+
+            if isinstance(element.value, String):
+                image = element.value.value
+            else:
+                for k, v in element.value.value.items():
+                    if isinstance(k, String) and k.value == "image":
+                        image = v.value
+                        bad_element = v
+                        break
+
+            has_digest, has_tag = False, False
+            _, tag, digest = parse_container_image_name(image)
+
+            if tag != "":
+                has_tag = True
+            if digest != "":
+                has_digest = True
+
+            if image != "" and has_digest:  # image tagged with digest
+                checksum_s = digest.split(":")
+                checksum = checksum_s[-1]
+                if (
+                    checksum_s[0] == "sha256" and len(checksum) != 64
+                ):  # sha256 256 digest -> 64 hexadecimal digits
+                    errors.append(
+                        Error(
+                            "sec_image_integrity",
+                            bad_element,
+                            file,
+                            repr(bad_element),
+                        )
+                    )
+
+            if image != "" and not has_digest:
+                errors.append(
+                    Error(
+                        "sec_image_integrity",
+                        bad_element,
+                        file,
+                        repr(bad_element),
+                    )
+                )
+            if image != "" and has_tag:
+                tag = tag.lower()
+
+                dangerous_tags: List[str] = SecurityVisitor.DANGEROUS_IMAGE_TAGS
+
+                for dt in dangerous_tags:
+                    if dt in tag:
+                        errors.append(
+                            Error(
+                                "sec_unstable_tag",
+                                bad_element,
+                                file,
+                                repr(bad_element),
+                            )
+                        )
+                        break
+            if (
+                image != "" and not has_digest and not has_tag
+            ):  # Image not tagged, avoids mistakenely nomad tasks without images (non-docker or non-podman)
+                errors.append(
+                    Error("sec_no_image_tag", bad_element, file, repr(bad_element))
+                )
+
+        return errors

glitch/analysis/security/deprecated_official_images.py

@@ -0,0 +1,47 @@
+from glitch.analysis.rules import Error
+from glitch.analysis.security.smell_checker import SecuritySmellChecker
+from glitch.analysis.security.visitor import SecurityVisitor
+from glitch.repr.inter import CodeElement, KeyValue, Hash, String
+from glitch.analysis.utils import parse_container_image_name
+from typing import List
+
+
+class DeprecatedOfficialDockerImages(SecuritySmellChecker):
+    def check(self, element: CodeElement, file: str) -> List[Error]:
+        errors: List[Error] = []
+        image = ""
+        bad_element = element
+        if isinstance(element, KeyValue) and element.name == "image":
+            if isinstance(element.value, String):
+                image = element.value.value
+        elif (
+            isinstance(element, KeyValue)
+            and element.name == "config"
+            and isinstance(element.value, Hash)
+        ):
+            for k, v in element.value.value.items():
+                if isinstance(k, String) and k.value == "image":
+                    image = v.value
+                    bad_element = v
+                    break
+        if image != "":
+            img_name, _, _ = parse_container_image_name(image)
+            for obsolete_img in SecurityVisitor.DEPRECATED_OFFICIAL_DOCKER_IMAGES:
+                obsolete_img_dockerio = f"docker.io/library/{obsolete_img}"
+                obsolete_img_library = f"library/{obsolete_img}"
+                obsolete_img_complete_link = (
+                    f"registry.hub.docker.com/library/{obsolete_img}"
+                )
+
+                if (
+                    img_name == obsolete_img
+                    or img_name == obsolete_img_dockerio
+                    or img_name == obsolete_img_library
+                    or img_name == obsolete_img_complete_link
+                ):
+                    errors.append(
+                        Error("sec_depr_off_imgs", bad_element, file, repr(bad_element))
+                    )
+                    break
+
+        return errors

glitch/analysis/security/docker_socket_mounted.py

@@ -0,0 +1,46 @@
+from glitch.analysis.rules import Error
+from glitch.analysis.security.smell_checker import SecuritySmellChecker
+from glitch.repr.inter import CodeElement, KeyValue, Hash, String,Array
+from typing import List
+
+
+class DockerSocketMountedInsideContainer(SecuritySmellChecker):
+    def check(self, element: CodeElement, file: str) -> List[Error]:
+        errors: List[Error] = []
+        if isinstance(element, KeyValue):
+            if element.name == "volumes" and isinstance(element.value, Array):
+                for volume in element.value.value:
+                    if isinstance(volume, String) and volume.value.split(":")[
+                        0
+                    ].startswith("/var/run/docker.sock"):
+                        errors.append(
+                            Error(
+                                "sec_mounted_docker_socket", volume, file, repr(volume)
+                            )
+                        )
+                        break
+            elif element.name == "config" and isinstance(element.value, Hash):
+                found_socket_exposed = False
+                for k, v in element.value.value.items():
+                    if (
+                        isinstance(k, String)
+                        and k.value == "volumes"
+                        and isinstance(v, Array)
+                    ):
+                        for volume in v.value:
+                            if isinstance(volume, String) and volume.value.split(":")[
+                                0
+                            ].startswith("/var/run/docker.sock"):
+                                errors.append(
+                                    Error(
+                                        "sec_mounted_docker_socket",
+                                        volume,
+                                        file,
+                                        repr(volume),
+                                    )
+                                )
+                                found_socket_exposed = True
+                                break
+                        if found_socket_exposed:
+                            break
+        return errors

glitch/analysis/security/hard_secr.py

@@ -28,10 +28,16 @@ def __check_pair(
             SecurityVisitor.PASSWORDS + SecurityVisitor.SECRETS + SecurityVisitor.USERS
         ):
             secr_checker = StringChecker(
-                lambda s: re.match(
-                    r"[_A-Za-z0-9$\/\.\[\]-]*{text}\b".format(text=item), s
+                lambda s: (
+                    re.match(r"[_A-Za-z0-9$\/\.\[\]-]*{text}\b".format(text=item), s)
+                    is not None
+                )
+                or (
+                    re.match(
+                        r"[_A-Za-z0-9$\/\.\[\]-]*{text}\b".format(text=item.upper()), s
+                    )
+                    is not None
                 )
-                is not None
             )
             if secr_checker.check(name) and not whitelist_checker.check(name):
                 if not var_checker.check(value):

glitch/analysis/security/invalid_bind.py

@@ -5,6 +5,7 @@
 from glitch.repr.inter import *
 from glitch.analysis.expr_checkers.string_checker import StringChecker
 from typing import List
+from shlex import split as shsplit
 
 
 class InvalidBind(SecuritySmellChecker):
@@ -27,4 +28,10 @@ def check(self, element: CodeElement, file: str) -> List[Error]:
         ):
             return [Error("sec_invalid_bind", element, file, repr(element))]
 
+        if isinstance(element, KeyValue) and isinstance(element.value, String):
+            #HACK: splits a string in command parts as for complete commmands invocations the regex wasn't
+            #  matching on full command invocations that included a reference to "0.0.0.0" or the its http/s variants 
+            for part in shsplit(element.value.value):
+                if check_invalid.str_check(part):
+                    return [Error("sec_invalid_bind", element, file, repr(element))]
         return []