Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

remediation doesn't work with --query-path #5915

Open jycamier opened 1 year ago

jycamier commented 1 year ago

I've created my own query directory ./assets to store my custom queries. I run a scan on a query test directory that I've written for a custom query.

 kics scan -q ./assets/queries/terraform/aws/cloudfront_min_ttl_is_zero -p ./assets/queries/terraform/aws/cloudfront_min_ttl_is_zero/test/ --report-formats json -o ./

A results file is created in the current directory with the following content:

{
    "kics_version": "v1.6.1",
    "files_scanned": 2,
    "lines_scanned": 56,
    "files_parsed": 2,
    "lines_parsed": 56,
    "files_failed_to_scan": 0,
    "queries_total": 1,
    "queries_failed_to_execute": 0,
    "queries_failed_to_compute_similarity_id": 0,
    "scan_id": "console",
    "severity_counters": {
        "HIGH": 1,
        "INFO": 0,
        "LOW": 0,
        "MEDIUM": 0,
        "TRACE": 0
    },
    "total_counter": 1,
    "total_bom_resources": 0,
    "start": "2022-10-10T21:16:11.970698074Z",
    "end": "2022-10-10T21:16:12.10788034Z",
    "paths": [
        "./assets/queries/terraform/aws/cloudfront_min_ttl_is_zero/test/"
    ],
    "queries": [
        {
            "query_name": "Cloudfront cache policy should have a 'min_ttl' attribute set to 0",
            "query_id": "a5b23f6b-605e-42ed-bece-a818447ddd58",
            "query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy",
            "severity": "HIGH",
            "platform": "Terraform",
            "cloud_provider": "AWS",
            "category": "Sustainability",
            "description": "Cloudfront's cache policy should have a 'min_ttl' attribute set to 0 due to the precedence of this configuration on application response headers.",
            "description_id": "2b7ca79m",
            "files": [
                {
                    "file_name": "assets/queries/terraform/aws/cloudfront_min_ttl_is_zero/test/positive1.tf",
                    "similarity_id": "beeb99deacbb038db691aa577fe7f56930b6214569e78abf1d38fff224210468",
                    "line": 6,
                    "issue_type": "IncorrectValue",
                    "search_key": "aws_cloudfront_cache_policy[{{positive1}}].min_ttl",
                    "search_line": 0,
                    "search_value": "",
                    "expected_value": "aws_cloudfront_cache_policy[positive1].min_ttl should be set to 0",
                    "actual_value": "aws_cloudfront_cache_policy[positive1].min_ttl is set to 10",
                    "remediation": "{\"after\":\"0\",\"before\":\"10\"}",
                    "remediation_type": "replacement"
                }
            ]
        }
    ]
}

So, I want to test the remediation command with these results, but kics remediate doesn't accept the --query-path, so here's the error:

kics remediate --results results.json -v --log-level=TRACE
9:18PM DBG parser.NewBuilder()
9:18PM TRC terraform.tfvars not found on /tmp
9:18PM DBG Looking for queries in executable path and in current work directory
9:18PM DBG helpers.GetDefaultQueryPath()
9:18PM DBG helpers.GetExecutableDirectory()
9:18PM DBG Queries found in /app/bin/assets/queries
9:18PM DBG source.NewFilesystemSource()
9:18PM DBG engine.NewInspector()
9:18PM DBG Custom library common not provided. Loading embedded library instead
9:18PM ERR failed to get results of query a5b23f6b-605e-42ed-bece-a818447ddd58: unable to load querya5b23f6b-605e-42ed-bece-a818447ddd58

Selected remediation: 1
Remediation done: 0
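An added example, not KICS's own code, showing how the remediation fields in the results JSON above fit together: the `similarity_id` filter plays the role of `--include-ids`, `remediation` carries a `before`/`after` pair, and `remediation_type` says how to apply it. The sample Terraform file, the similarity id and the trimmed results document are constructed for this illustration; the line-drift check (refusing to edit when `before` no longer appears on the reported line) is this script's choice, not a description of what `kics remediate` does internally.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample Terraform file, modelled on the positive1.tf case reported
# above (line 6 carries the offending min_ttl). Not the project's test fixture.
SAMPLE_TF = """resource "aws_cloudfront_cache_policy" "positive1" {
  name        = "positive1"
  comment     = "constructed sample"
  default_ttl = 50
  max_ttl     = 100
  min_ttl     = 10
}
"""

# Constructed results document: the fields of a finding that carries a
# remediation, trimmed to what this script reads. The similarity_id is made up.
SAMPLE_RESULTS = {
    "queries": [
        {
            "query_id": "a5b23f6b-605e-42ed-bece-a818447ddd58",
            "files": [
                {
                    "file_name": "positive1.tf",
                    "similarity_id": "0" * 64,
                    "line": 6,
                    "remediation": json.dumps({"after": "0", "before": "10"}),
                    "remediation_type": "replacement",
                }
            ],
        }
    ]
}


def select_remediations(results, include_ids=None):
    """Flatten results into remediation records, filtered by similarity_id.

    include_ids=None mirrors the CLI default of "all"; otherwise only findings
    whose similarity_id is listed are kept.
    """
    wanted = set(include_ids) if include_ids is not None else None
    selected = []
    for query in results.get("queries", []):
        for finding in query.get("files", []):
            rem = finding.get("remediation")
            if not rem:
                continue  # finding has no machine-applicable fix
            if wanted is not None and finding["similarity_id"] not in wanted:
                continue
            selected.append({
                "file_name": finding["file_name"],
                "line": finding["line"],
                "type": finding.get("remediation_type"),
                **json.loads(rem),  # {"before": ..., "after": ...}
            })
    return selected


def apply_replacement(path, line_no, before, after):
    """Swap `before` for `after` on the 1-indexed line; False if the line no longer matches."""
    lines = path.read_text().splitlines(keepends=True)
    if line_no < 1 or line_no > len(lines):
        return False
    # Match the value as a whole token so "0" never hits the "0" inside "10".
    pattern = re.compile(r"(?<![\w.])" + re.escape(before) + r"(?![\w.])")
    new_line, n = pattern.subn(after, lines[line_no - 1], count=1)
    if n == 0:
        return False  # file drifted since the scan; refuse to guess
    lines[line_no - 1] = new_line
    path.write_text("".join(lines))
    return True


def remediate(results, root, include_ids=None):
    """Apply every selected 'replacement' remediation under `root`; return counters."""
    selected = select_remediations(results, include_ids)
    done = 0
    for rem in selected:
        if rem["type"] != "replacement":
            continue  # only the replacement type is handled here
        target = Path(root) / rem["file_name"]
        if apply_replacement(target, rem["line"], rem["before"], rem["after"]):
            done += 1
    return {"selected": len(selected), "done": done}


def demo(include_ids=None):
    """Write the sample file to a temp dir, remediate it, return counters and line 6."""
    with tempfile.TemporaryDirectory() as tmp:
        tf = Path(tmp) / "positive1.tf"
        tf.write_text(SAMPLE_TF)
        counters = remediate(SAMPLE_RESULTS, tmp, include_ids)
        return counters, tf.read_text().splitlines()[5].strip()


if __name__ == "__main__":
    counters, patched = demo()
    print(f"Selected remediation: {counters['selected']}")
    print(f"Remediation done: {counters['done']}")
    print(patched)
```

Running `demo()` with no filter applies the single replacement and line 6 becomes `min_ttl     = 0`; passing an `include_ids` list that does not contain the finding's `similarity_id` selects nothing and leaves the file untouched, which is the same shape as the "Selected remediation / Remediation done" counters printed by the CLI above.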

rafaela-soares commented 1 year ago

Hello, @jycamier

Thank you so much for being always active 🚀

The KICS remediate command does not support --query-path because we did kind of a PoC first:

Usage:
  kics remediate [flags]

Flags:
  -h, --help                  help for remediate
      --include-ids strings   which remediation (similarity ids) should be remediated
                              example "f6b7acac2d541d8c15c88d2be51b0e6abd576750b71c580f2e3a9346f7ed0e67,6af5fc5d7c0ad0077348a090f7c09949369d24d5608bbdbd14376a15de62afd1" (default [all])
      --results string        points to the JSON results file with remediation

Global Flags:
     (...)

However, custom query support makes total sense. Thank you so much for bringing up this matter. PR #5944 will support custom queries for the KICS remediate command 😊

Usage:
  kics remediate [flags]

Flags:
  -h, --help                  help for remediate
      --include-ids strings   which remediation (similarity ids) should be remediated
                              example "f6b7acac2d541d8c15c88d2be51b0e6abd576750b71c580f2e3a9346f7ed0e67,6af5fc5d7c0ad0077348a090f7c09949369d24d5608bbdbd14376a15de62afd1" (default [all])
      --queries strings       paths to directory with queries (default [./assets/queries])
      --results string        points to the JSON results file with remediation

Global Flags:
     (...)

jycamier commented 1 year ago

Hi @rafaela-soares, thank you!

As there's a results.json to make the remediation, IMHO the most consistent way to build the feature is to store the absolute path of your query in the results.json, maybe?

What do you think about it ?

rafaela-soares commented 1 year ago

Hello @jycamier

Thank you so much for the suggestion. I will talk to the team about it.

At the moment, the JSON report does not provide any information regarding the query path.

rafaela-soares commented 1 year ago

Hello again @jycamier

We will discuss this question at the next KICS Community Meeting (3 November, 4 pm Lisbon). It would be great if you could attend 😊