jfrog / terraform-provider-xray

Terraform provider to manage JFrog Xray
https://jfrog.com/xray/
Apache License 2.0
151 stars, 12 forks

Running into state changes in policy when using All Severities #84

Closed oallauddin closed 1 year ago

oallauddin commented 2 years ago

Describe the bug

I am using All Severities for the min_severity in our license and security policy. Every time I run terraform plan and terraform apply for code changes I see state changes to the security and license policy even though the resources were not touched. Getting the license and security policy using the REST API shows that the min_severity value is "unknown" when selecting All Severities in the UI. Instead of passing the string "All Severities" to the REST API, the provider can pass the string "unknown" to avoid state changes on each terraform plan and apply when using All Severities for the min_severity of a license or security policy.

Requirements for an issue

Example of state change:

  # module.xray_security_policy.security_policy will be updated in-place
~ resource "xray_security_policy" "security_policy" {
        id          = "security-policy"
        name        = "security-policy"
        # (6 unchanged attributes hidden)

      ~ rule {
            name     = "severity-rule"
            # (1 unchanged attribute hidden)

          + criteria {
              + fix_version_dependant = false
              + min_severity          = "All Severities"
            }
          - criteria {
              - fix_version_dependant = false -> null
              - min_severity          = "unknown" -> null
            }
            # (1 unchanged block hidden)
        }
    }

Expected behavior

There should be no state changes to a license or security policy if the resources have not been modified.


alexhung commented 2 years ago

@oallauddin Which version of Xray are you running? I am getting "All severities" from the API GET /xray/api/v2/policies and GET /xray/api/v2/policies/{name} with Xray 3.61.3

{
    "name": "Alex-Sec-Test",
    "type": "security",
    "author": "alexh",
    "rules": [
        {
            "name": "low-severity",
            "priority": 1,
            "actions": {
                "block_download": {
                    "unscanned": false,
                    "active": false
                }
            },
            "criteria": {
                "fix_version_dependant": false,
                "malicious_package": false,
                "min_severity": "All severities"
            }
        }
    ],
    "created": "2022-07-21T22:23:11.399Z",
    "modified": "2022-11-18T23:49:02.046Z"
}

oallauddin commented 1 year ago

@alexhung Using Xray 3.57.6. Also it is a project based policy.

jf xr curl api/v1/system/version

{"xray_version":"3.57.6","xray_revision":"e1bb4e8"}

jf xr curl api/v2/policies/test-policy?projectKey=test

{
  "name": "test-policy",
  "type": "security",
  "author": "user",
  "rules": [
    {
      "name": "test-rule",
      "priority": 1,
      "actions": {
        "block_download": {
          "unscanned": false,
          "active": false
        }
      },
      "criteria": {
        "fix_version_dependant": false,
        "min_severity": "Unknown"
      }
    }
  ],
  "created": "2022-11-21T13:23:57.291Z",
  "modified": "2022-11-21T13:26:13.919Z",
  "project_key": "test"
}


alexhung commented 1 year ago

@oallauddin Odd. I wonder if the Xray API is doing some strange thing where it uses "Unknown" if the min severity defaulted to "All Severities" (i.e. the user never explicitly set it). I'll poke around some more.

alexhung commented 1 year ago

@oallauddin So I can see that 'unknown' is in the payload sent to Xray UI API (POST /ui/api/v1/xray/ui/policies):

{
  "name": "Alex",
  "description": "",
  "type": "security",
  "rules": [
    {
      "name": "Alex",
      "criteria": {
        "malicious_package": false,
        "fix_version_dependant": false,
        "min_severity": "unknown"
      },
      "actions": {
        "webhooks": [],
        "mails": [],
        "block_download": {
          "active": false,
          "unscanned": false
        },
        "block_release_bundle_distribution": false,
        "fail_build": false,
        "notify_watch_recipients": false,
        "notify_deployer": false,
        "create_ticket_enabled": false
      },
      "priority": 1
    }
  ]
}

But when I use jf xr curl api/v2/policies/Alex I get 'All severities':

{
  "name": "Alex",
  "type": "security",
  "author": "alexh",
  "rules": [
    {
      "name": "Alex",
      "priority": 1,
      "actions": {
        "block_download": {
          "unscanned": false,
          "active": false
        }
      },
      "criteria": {
        "fix_version_dependant": false,
        "malicious_package": false,
        "min_severity": "All severities"
      }
    }
  ],
  "created": "2022-11-21T21:09:12.413Z",
  "modified": "2022-11-21T21:09:12.413Z"
}

Same with calling API directly.

alexhung commented 1 year ago

@oallauddin Found the fix in the release note for 3.60.2.

XRAY-9271 | Fixed an issue whereby Policy REST APIs returned the minimal severity criteria of all severities as "Unknown" instead of "All Severities".
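A provider-side way to stop the drift described in this thread on Xray releases before the 3.60.2 fix, written here as an added example and not the provider's own code: it normalizes the min_severity spellings the API has been seen to return ("Unknown", "All severities") and supplies the old/new comparison a Terraform DiffSuppressFunc would use. It assumes Go with the standard library only; the policy struct and the function names are my own.

```go
package main

import (
	"encoding/json"
	"strings"
)

// canonical is the spelling the Xray UI and the Terraform configuration use.
const canonical = "All Severities"

// policy mirrors the part of the GET api/v2/policies response quoted above.
type policy struct {
	Rules []struct {
		Criteria struct {
			MinSeverity string `json:"min_severity"`
		} `json:"criteria"`
	} `json:"rules"`
}

// NormalizeMinSeverity maps the variants seen in the thread ("Unknown" from Xray
// < 3.60.2, "All severities" from newer releases) onto one value; others pass through.
func NormalizeMinSeverity(v string) string {
	v = strings.TrimSpace(v)
	switch strings.ToLower(v) {
	case "unknown", "all severities":
		return canonical
	}
	return v
}

// MinSeverityEquivalent is the old/new comparison you would put in a Terraform
// DiffSuppressFunc: true when remote and configured values mean the same thing.
func MinSeverityEquivalent(remote, configured string) bool {
	return NormalizeMinSeverity(remote) == NormalizeMinSeverity(configured)
}

// NormalizePolicyJSON returns each rule's normalized min_severity in rule order,
// as a provider's read step would store it into state.
func NormalizePolicyJSON(raw []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(p.Rules))
	for _, r := range p.Rules {
		out = append(out, NormalizeMinSeverity(r.Criteria.MinSeverity))
	}
	return out, nil
}
```

Real severities such as "High" pass through untouched, so only the cosmetic "Unknown"/"All severities" difference is suppressed and genuine policy changes still produce a plan.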