Merge pull request #1 from bridgecrewio/master

a

Author: Guo-Bicheng

CHANGELOG.md

@@ -1,6 +1,27 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.2.43...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.2.50...HEAD)
+
+## [2.2.50](https://github.com/bridgecrewio/checkov/compare/2.2.44...2.2.50) - 2022-11-13
+
+### Feature
+
+- **general:** add reporting contributor metrics - [#3823](https://github.com/bridgecrewio/checkov/pull/3823)
+- **terraform:** add CKV NCP rules about access key hard coding - [#3820](https://github.com/bridgecrewio/checkov/pull/3820)
+- **terraform:** NSGRulePortAccessRestricted - Remove the condition for dynamic blocks - [#3862](https://github.com/bridgecrewio/checkov/pull/3862)
+
+### Bug Fix
+
+- **kubernetes:** handle empty spec object in k8s templates - [#3865](https://github.com/bridgecrewio/checkov/pull/3865)
+- **openapi:** fixed error in invalid openapi template - [#3863](https://github.com/bridgecrewio/checkov/pull/3863)
+- **terraform:** app_service Upgrade tests and add web app resources - [#3838](https://github.com/bridgecrewio/checkov/pull/3838)
+- **terraform:** Handled nested unrendered vars - [#3853](https://github.com/bridgecrewio/checkov/pull/3853)
+
+## [2.2.44](https://github.com/bridgecrewio/checkov/compare/2.2.43...2.2.44) - 2022-11-11
+
+### Bug Fix
+
+- **terraform:** fix an issue with dynamics replacing a whole block - [#3846](https://github.com/bridgecrewio/checkov/pull/3846)
 
 ## [2.2.43](https://github.com/bridgecrewio/checkov/compare/2.2.38...2.2.43) - 2022-11-10
 

admissioncontroller/checkov-requirements.txt

@@ -1 +1 @@
-checkov==2.2.44
+checkov==2.2.50

admissioncontroller/k8s/deployment.yaml

@@ -30,7 +30,7 @@ spec:
           capabilities:
             drop:
               - ALL
-        image: bridgecrew/whorf@sha256:22f96f7076607f9ee15ac57a309c67d410d39b5a82cd4db68236943b75de3a38
+        image: bridgecrew/whorf@sha256:1fef8ebb4749aa43f4abe5dd0f95513aeb1da6ce88b4e0201adc36e4007803fb
         imagePullPolicy: Always
         resources:
           limits:

checkov/common/bridgecrew/bc_source.py

@@ -2,11 +2,12 @@
 
 
 class SourceType:
-    __slots__ = ("name", "upload_results")
+    __slots__ = ("name", "upload_results", "report_contributor_metrics")
 
-    def __init__(self, name: str, upload_results: bool):
+    def __init__(self, name: str, upload_results: bool, report_contributor_metrics: bool = False):
         self.name = name
         self.upload_results = upload_results
+        self.report_contributor_metrics = report_contributor_metrics
 
 
 @dataclass
@@ -28,11 +29,11 @@ class BCSourceType:
     BCSourceType.JETBRAINS: SourceType(BCSourceType.JETBRAINS, False),
     BCSourceType.CLI: SourceType(BCSourceType.CLI, True),
     BCSourceType.KUBERNETES_WORKLOADS: SourceType(BCSourceType.KUBERNETES_WORKLOADS, True),
-    BCSourceType.GITHUB_ACTIONS: SourceType(BCSourceType.GITHUB_ACTIONS, True),
     BCSourceType.DISABLED: SourceType(BCSourceType.VSCODE, False),
-    BCSourceType.CODEBUILD: SourceType(BCSourceType.CODEBUILD, True),
-    BCSourceType.JENKINS: SourceType(BCSourceType.JENKINS, True),
-    BCSourceType.CIRCLECI: SourceType(BCSourceType.CIRCLECI, True),
+    BCSourceType.GITHUB_ACTIONS: SourceType(BCSourceType.GITHUB_ACTIONS, True, report_contributor_metrics=True),
+    BCSourceType.CODEBUILD: SourceType(BCSourceType.CODEBUILD, True, report_contributor_metrics=True),
+    BCSourceType.JENKINS: SourceType(BCSourceType.JENKINS, True, report_contributor_metrics=True),
+    BCSourceType.CIRCLECI: SourceType(BCSourceType.CIRCLECI, True, report_contributor_metrics=True),
     BCSourceType.ADMISSION_CONTROLLER: SourceType(BCSourceType.ADMISSION_CONTROLLER, False)
 }
 

checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py

@@ -53,13 +53,24 @@ def run(self, graph_connector: DiGraph) -> Tuple[List[Dict[str, Any]], List[Dict
         return passed_vertices, failed_vertices, unknown_vertices
 
     def get_operation(self, vertex: Dict[str, Any]) -> Optional[bool]:
-        attr_val = vertex.get(self.attribute)   # type:ignore[arg-type]  # due to attribute can be None
         # if this value contains an underendered variable, then we cannot evaluate value checks,
         # and will return None (for UNKNOWN)
         # handle edge cases in some policies that explicitly look for blank values
-        if self.is_value_attribute_check and self._is_variable_dependant(attr_val, vertex['source_']) \
-                and self.value != '':
-            return None
+        # we also need to check the attribute stack - e.g., if they are looking for tags.component, but tags = local.tags,
+        # then we actually need to see if tags is variable dependent as well
+        attr_parts = self.attribute.split('.')  # type:ignore[union-attr]  # due to attribute can be None (but not really)
+        attr_to_check = None
+        for attr in attr_parts:
+            attr_to_check = f'{attr_to_check}.{attr}' if attr_to_check else attr
+            value_to_check = vertex.get(attr_to_check)
+
+            # we can only check is_attribute_value_check when evaluating the full attribute
+            # for example, if we have a policy that says "tags.component exists", and tags = local.tags, then
+            # we need to check if tags is variable dependent even though this is a not value_attribute check
+            if (attr_to_check != self.attribute or self.is_value_attribute_check) \
+                    and self._is_variable_dependant(value_to_check, vertex['source_']) \
+                    and self.value != '':
+                return None
 
         if self.attribute and (self.is_jsonpath_check or re.match(WILDCARD_PATTERN, self.attribute)):
             attribute_matches = self.get_attribute_matches(vertex)

checkov/contributor_metrics.py

@@ -0,0 +1,44 @@
+from __future__ import annotations
+import logging
+import json
+import subprocess  # nosec
+from checkov.common.util.http_utils import request_wrapper
+from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration
+from typing import Any
+
+logger = logging.getLogger(__name__)
+
+
+def report_contributor_metrics(repository: str, bc_integration: BcPlatformIntegration) -> None:  # ignore: type
+    request_body = parse_gitlog(repository)
+    if request_body:
+        response = request_wrapper(
+            "POST", f"{bc_integration.api_url}/api/v1/contributors/report",
+            headers=bc_integration.get_default_headers("POST"), data=json.dumps(request_body)
+        )
+        if response.status_code < 300:
+            logging.info(f"Successfully uploaded contributor metrics with status: {response.status_code}")
+        else:
+            logging.info(f"Failed to upload contributor metrics with: {response.status_code} - {response.reason}")
+
+
+def parse_gitlog(repository: str) -> dict[str, Any] | None:
+    process = subprocess.Popen(['git', 'shortlog', '-ne', '--all', '--since', '"90 days ago"', '--pretty=commit-%ct', '--reverse'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)  # nosec
+    out, err = process.communicate()
+    if err:
+        logger.info(f"Failed to collect contributor metrics due to: {err}")     # type: ignore
+        return None
+    # split per contributor
+    list_of_contributors = out.decode('utf-8').split('\n\n')
+    return {"repository": repository,
+            "contributors": list(map(lambda contributor: process_contributor(contributor),
+                                     list(filter(lambda x: x, list_of_contributors))
+                                     ))
+            }
+
+
+def process_contributor(contributor: str) -> str:
+    splittedList = contributor.split('\n')
+    user = splittedList[0]
+    commit = splittedList[1]
+    return user[:user.find('(')] + commit[commit.find('-') + 1:]

checkov/kubernetes/checks/resource/base_root_container_check.py

@@ -35,7 +35,13 @@ def extract_spec(self, conf: Dict[str, Any]) -> Dict:
             if "spec" in conf:
                 spec = conf["spec"]
         elif conf['kind'] == 'CronJob':
-            if "spec" in conf and "jobTemplate" in conf["spec"] and "spec" in conf["spec"]["jobTemplate"] and conf["spec"]["jobTemplate"]["spec"] and "template" in conf["spec"]["jobTemplate"]["spec"] and "spec" in conf["spec"]["jobTemplate"]["spec"]["template"]:
+            if "spec" in conf and \
+                    isinstance(conf["spec"], dict) and \
+                    "jobTemplate" in conf["spec"] and \
+                    "spec" in conf["spec"]["jobTemplate"] and \
+                    conf["spec"]["jobTemplate"]["spec"] and \
+                    "template" in conf["spec"]["jobTemplate"]["spec"] and \
+                    "spec" in conf["spec"]["jobTemplate"]["spec"]["template"]:
                 spec = conf["spec"]["jobTemplate"]["spec"]["template"]["spec"]
         else:
             inner_spec = self.get_inner_entry(conf, "spec")

checkov/kubernetes/checks/resource/base_spec_check.py

@@ -50,6 +50,6 @@ def wrapper(self, conf, entity_type=None):
     @staticmethod
     def get_inner_entry(conf: Dict[str, Any], entry_name: str) -> Dict[str, Any]:
         spec = {}
-        if conf.get("spec") and conf.get("spec").get("template"):
+        if conf.get("spec") and isinstance(conf["spec"], dict) and conf.get("spec").get("template"):
             spec = conf.get("spec").get("template").get(entry_name, {})
         return spec

checkov/kubernetes/checks/resource/k8s/Seccomp.py

@@ -37,7 +37,7 @@ def scan_spec_conf(self, conf):
                 metadata = conf["metadata"]
         elif conf['kind'] == 'CronJob':
             if "spec" in conf:
-                if "jobTemplate" in conf["spec"]:
+                if isinstance(conf["spec"], dict) and "jobTemplate" in conf["spec"]:
                     if "spec" in conf["spec"]["jobTemplate"]:
                         if conf["spec"]["jobTemplate"]["spec"] and "template" in conf["spec"]["jobTemplate"]["spec"]:
                             if "metadata" in conf["spec"]["jobTemplate"]["spec"]["template"]:

checkov/main.py

@@ -43,6 +43,7 @@
 from checkov.common.util.ext_argument_parser import ExtArgumentParser
 from checkov.common.util.runner_dependency_handler import RunnerDependencyHandler
 from checkov.common.util.type_forcers import convert_str_to_bool
+from checkov.contributor_metrics import report_contributor_metrics
 from checkov.dockerfile.runner import Runner as dockerfile_runner
 from checkov.github.runner import Runner as github_configuration_runner
 from checkov.github_actions.runner import Runner as github_actions_runner
@@ -249,6 +250,15 @@ def run(banner: str = checkov_banner, argv: List[str] = sys.argv[1:]) -> Optiona
                                                         source_version=source_version,
                                                         repo_branch=config.branch,
                                                         prisma_api_url=config.prisma_api_url)
+
+            should_run_contributor_reporting = os.getenv('RUN_CONTRIBUTOR_REPORTING', False)
+            # TODO : Replace the following condition with: if source.report_contributor_metrics and config.repo_id and config.prisma_api_url:
+            if should_run_contributor_reporting:
+                try:        # collect contributor info and upload
+                    report_contributor_metrics(config.repo_id, bc_integration)
+                except Exception as e:
+                    logger.warning(f"Unable to report contributor metrics due to: {e}")
+
         except MaxRetryError:
             return None
         except Exception:

checkov/openapi/checks/resource/v2/SecurityRequirement.py

@@ -41,6 +41,8 @@ def scan_openapi_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[Che
             for op_name, op_val in http_method.items():
                 if self.is_start_end_line(op_name):
                     continue
+                if not isinstance(op_val, dict):
+                    return CheckResult.FAILED, conf
                 if not self.check_security_conf(op_val, security_definitions):
                     return CheckResult.FAILED, op_val["security"]
 

checkov/terraform/checks/provider/ncp/__init__.py

@@ -0,0 +1,5 @@
+from os.path import dirname, basename, isfile, join
+import glob
+
+modules = glob.glob(join(dirname(__file__), "*.py"))
+__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith("__init__.py")]

checkov/terraform/checks/provider/ncp/credentials.py

@@ -0,0 +1,37 @@
+import re
+from typing import Dict, List, Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.terraform.checks.provider.base_check import BaseProviderCheck
+from checkov.common.models.consts import access_key_pattern, secret_key_pattern
+
+
+class NCPCredentials(BaseProviderCheck):
+    def __init__(self) -> None:
+        name = "Ensure no hard coded NCP access key and secret key exists in provider"
+        id = "CKV_NCP_17"
+        supported_provider = ("ncloud",)
+        categories = (CheckCategories.SECRETS,)
+        super().__init__(name=name, id=id, categories=categories, supported_provider=supported_provider)
+
+    def scan_provider_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
+        """
+        see: https://registry.terraform.io/providers/NaverCloudPlatform/ncloud/latest/docs
+        """
+        result = CheckResult.PASSED
+        if self.secret_found(conf, "access_key", access_key_pattern):
+            result = CheckResult.FAILED
+        if self.secret_found(conf, "secret_key", secret_key_pattern):
+            result = CheckResult.FAILED
+        return result
+
+    def secret_found(self, conf: Dict[str, List[Any]], field: str, pattern: str) -> bool:
+        if field in conf.keys():
+            value = conf[field][0]
+            if isinstance(value, str) and re.match(pattern, value) is not None:
+                conf[f'{self.id}_secret_{field}'] = value
+                return True
+        return False
+
+
+check = NCPCredentials()

checkov/terraform/checks/resource/azure/AppServiceAuthentication.py

@@ -1,14 +1,15 @@
-from checkov.common.models.enums import CheckCategories
+from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
 
 class AppServiceAuthentication(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure App Service Authentication is set on Azure App Service"
         id = "CKV_AZURE_13"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.GENERAL_SECURITY]
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
 
     def get_inspected_key(self):
         return 'auth_settings/[0]/enabled/[0]'

checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py

@@ -0,0 +1,21 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceClientCertificate(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
+        id = "CKV_AZURE_17"
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
+
+    def get_inspected_key(self):
+        if self.entity_type == 'azurerm_app_service':
+            return 'client_cert_enabled/[0]'
+        else:
+            return 'client_certificate_enabled/[0]'
+
+
+check = AppServiceClientCertificate()

checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py

@@ -1,17 +1,21 @@
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
-from checkov.common.models.enums import CheckCategories
+from checkov.common.models.enums import CheckCategories, CheckResult
 
 
 class AppServiceDetailedErrorMessagesEnabled(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure that App service enables detailed error messages"
         id = "CKV_AZURE_65"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.LOGGING]
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.LOGGING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
 
     def get_inspected_key(self):
-        return "logs/[0]/detailed_error_messages_enabled"
+        if self.entity_type == 'azurerm_app_service':
+            return "logs/[0]/detailed_error_messages_enabled"
+        else:
+            return "logs/[0]/detailed_error_messages"
 
 
 check = AppServiceDetailedErrorMessagesEnabled()

checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py

@@ -6,9 +6,10 @@ class AppServiceDisallowCORS(BaseResourceNegativeValueCheck):
     def __init__(self):
         name = "Ensure that CORS disallows every resource to access app services"
         id = "CKV_AZURE_57"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.GENERAL_SECURITY]
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, missing_attribute_result=CheckResult.PASSED)
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_attribute_result=CheckResult.PASSED)
 
     def get_inspected_key(self):
         return 'site_config/[0]/cors/[0]/allowed_origins'

checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py

@@ -6,12 +6,15 @@ class AppServiceEnableFailedRequest(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure that App service enables failed request tracing"
         id = "CKV_AZURE_66"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.LOGGING]
+        supported_resources = ('azurerm_linux_web_app', 'azurerm_windows_web_app', 'azurerm_app_service')
+        categories = (CheckCategories.LOGGING,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self):
-        return 'logs/[0]/failed_request_tracing_enabled'
+        if self.entity_type == "azurerm_app_service":
+            return 'logs/[0]/failed_request_tracing_enabled'
+        else:
+            return 'logs/[0]/failed_request_tracing'
 
 
 check = AppServiceEnableFailedRequest()

checkov/terraform/checks/resource/azure/AppServiceFTPSState.py

@@ -6,8 +6,8 @@ class AppServiceFTPSState(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure FTP deployments are disabled"
         id = "CKV_AZURE_78"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.APPLICATION_SECURITY]
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.APPLICATION_SECURITY,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self):

checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py

@@ -6,8 +6,8 @@ class AppServiceHTTPSOnly(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service"
         id = "CKV_AZURE_14"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.NETWORKING]
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.NETWORKING,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self):

checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py

@@ -7,8 +7,8 @@ class AppServiceHttpLoggingEnabled(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure that App service enables HTTP logging"
         id = "CKV_AZURE_63"
-        supported_resources = ['azurerm_app_service']
-        categories = [CheckCategories.LOGGING]
+        supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.LOGGING,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self):