engine

Documentation

Index

• Constants
• Variables
• func PtrStringToString(v *string) string
• type Inspector
  • func NewInspector(ctx context.Context, queriesSource source.QueriesSource, ...) (*Inspector, error)
  • func (c *Inspector) EnableCoverageReport()
  • func (c *Inspector) GetCoverageReport() cover.Report
  • func (c *Inspector) GetFailedQueries() map[string]error
  • func (c *Inspector) Inspect(ctx context.Context, scanID string, files model.FileMetadatas, ...) ([]model.Vulnerability, error)
  • func (c *Inspector) LenQueriesByPlat(platforms []string) int
• type QueryContext
• type Tracker
• type VulnerabilityBuilder

Constants

const (
	UndetectedVulnerabilityLine = -1
	DefaultQueryID              = "Undefined"
	DefaultQueryName            = "Anonymous"
	DefaultQueryDescription     = "Undefined"
	DefaultQueryDescriptionID   = "Undefined"
	DefaultQueryURI             = "https://github.com/Checkmarx/kics/"
	DefaultIssueType            = model.IssueTypeIncorrectValue
)

Default values for inspector

Variables

var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker,
	v interface{}, detector *dec.DetectLine) (model.Vulnerability, error) {
	vObj, ok := v.(map[string]interface{})
	if !ok {
		return model.Vulnerability{}, ErrInvalidResult
	}

	vObj = mergeWithMetadata(vObj, ctx.query.metadata.Metadata)

	var err error
	var output []byte

	output, err = json.Marshal(vObj)
	if err != nil {
		return model.Vulnerability{}, errors.Wrap(err, "failed to marshall query output")
	}

	var fileID *string

	fileID, err = mapKeyToString(vObj, "documentId", false)
	if err != nil {
		return model.Vulnerability{}, errors.Wrap(err, "failed to recognize file id")
	}

	file, ok := ctx.files[*fileID]
	if !ok {
		return model.Vulnerability{}, errors.New("failed to find file from query response")
	}

	logWithFields := log.With().
		Str("scanID", ctx.scanID).
		Str("fileName", file.FilePath).
		Str("queryName", ctx.query.metadata.Query).
		Logger()

	detector.SetupLogs(&logWithFields)

	linesVulne := model.VulnerabilityLines{
		Line:      -1,
		VulnLines: []model.CodeLine{},
	}

	similarityIDLineInfo := ""
	searchKey := ""
	if s, ok := vObj["searchKey"]; ok {
		searchKey = s.(string)
		similarityIDLineInfo = searchKey
		linesVulne = detector.DetectLine(&file, searchKey)
	} else {
		logWithFields.Error().Msg("Saving result. failed to detect line")
	}

	searchLineCalc := &searchLineCalculator{
		lineNr:               -1,
		vObj:                 vObj,
		file:                 file,
		detector:             detector,
		similarityIDLineInfo: similarityIDLineInfo,
		linesVulne:           linesVulne,
	}

	searchLineCalc.calculate()
	lineNumber := searchLineCalc.lineNr
	similarityIDLineInfo = searchLineCalc.similarityIDLineInfo
	linesVulne = searchLineCalc.linesVulne

	if linesVulne.Line == -1 {
		logWithFields.Warn().Msgf("Failed to detect line, query response %s", searchKey)
		linesVulne.Line = 1
	}

	searchValue := ""
	if s, ok := vObj["searchValue"]; ok {
		searchValue = s.(string)
	}

	overrideKey := ""
	if s, ok := vObj["overrideKey"]; ok {
		overrideKey = s.(string)
	}

	queryID := getStringFromMap("id", DefaultQueryID, overrideKey, vObj, &logWithFields)

	var severity model.Severity = model.SeverityInfo
	var s *string

	if s, err = mapKeyToString(vObj, "severity", false); err == nil {
		sev := getSeverity(strings.ToUpper(*s))
		if sev == "" {
			logWithFields.Warn().Str("severity", *s).Msg("Saving result. invalid severity constant value")
		} else {
			severity = sev
			overrideValue := tryOverride(overrideKey, "severity", vObj)
			if overrideValue != nil {
				sev = getSeverity(strings.ToUpper(*overrideValue))
				if sev != "" {
					severity = sev
				}
			}
		}
	} else {
		logWithFields.Info().Msg("Saving result. failed to detect severity")
	}

	issueType := DefaultIssueType
	if v := mustMapKeyToString(vObj, "issueType"); v != nil {
		issueType = model.IssueType(*v)
	}

	var similarityID *string

	similarityID, err = similarity.ComputeSimilarityID(ctx.baseScanPaths, file.FilePath, queryID, similarityIDLineInfo, searchValue)
	if err != nil {
		logWithFields.Err(err).Send()
		tracker.FailedComputeSimilarityID()
	}

	return model.Vulnerability{
		ID:               0,
		SimilarityID:     PtrStringToString(similarityID),
		ScanID:           ctx.scanID,
		FileID:           file.ID,
		FileName:         file.FilePath,
		QueryName:        getStringFromMap("queryName", DefaultQueryName, overrideKey, vObj, &logWithFields),
		QueryID:          queryID,
		QueryURI:         getStringFromMap("descriptionUrl", DefaultQueryURI, overrideKey, vObj, &logWithFields),
		Category:         getStringFromMap("category", "", overrideKey, vObj, &logWithFields),
		Description:      getStringFromMap("descriptionText", "", overrideKey, vObj, &logWithFields),
		DescriptionID:    getStringFromMap("descriptionID", DefaultQueryDescriptionID, overrideKey, vObj, &logWithFields),
		Severity:         severity,
		Platform:         getStringFromMap("platform", "", overrideKey, vObj, &logWithFields),
		Line:             linesVulne.Line,
		VulnLines:        linesVulne.VulnLines,
		IssueType:        issueType,
		SearchKey:        searchKey,
		SearchLine:       lineNumber,
		SearchValue:      searchValue,
		KeyExpectedValue: PtrStringToString(mustMapKeyToString(vObj, "keyExpectedValue")),
		KeyActualValue:   PtrStringToString(mustMapKeyToString(vObj, "keyActualValue")),
		Value:            mustMapKeyToString(vObj, "value"),
		Output:           string(output),
	}, nil
}

DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan

var ErrInvalidResult = errors.New("query: invalid result format")

ErrInvalidResult - error representing invalid result

var ErrNoResult = errors.New("query: not result")

ErrNoResult - error representing when a query didn't return a result

Functions

func PtrStringToString

func PtrStringToString(v *string) string

PtrStringToString - converts a pointer to string to a string

Types

type Inspector

type Inspector struct {
	// contains filtered or unexported fields
}

Inspector represents a list of compiled queries, a builder for vulnerabilities, an information tracker a flag to enable coverage and the coverage report if it is enabled

func NewInspector

func NewInspector(
	ctx context.Context,
	queriesSource source.QueriesSource,
	vb VulnerabilityBuilder,
	tracker Tracker,
	queryParameters *source.QueryInspectorParameters,
	excludeResults map[string]bool,
	queryTimeout int) (*Inspector, error)

NewInspector initializes a inspector, compiling and loading queries for scan and its tracker

func (*Inspector) EnableCoverageReport

func (c *Inspector) EnableCoverageReport()

EnableCoverageReport enables the flag to create a coverage report

func (*Inspector) GetCoverageReport

func (c *Inspector) GetCoverageReport() cover.Report

GetCoverageReport returns the scan coverage report

func (*Inspector) GetFailedQueries

func (c *Inspector) GetFailedQueries() map[string]error

GetFailedQueries returns a map of failed queries and the associated error

func (*Inspector) Inspect

func (c *Inspector) Inspect(
	ctx context.Context,
	scanID string,
	files model.FileMetadatas,
	baseScanPaths []string,
	platforms []string,
	currentQuery chan<- int64) ([]model.Vulnerability, error)

Inspect scan files and return the a list of vulnerabilities found on the process

func (*Inspector) LenQueriesByPlat

func (c *Inspector) LenQueriesByPlat(platforms []string) int

LenQueriesByPlat returns the number of queries by platforms

type QueryContext

type QueryContext struct {
	// contains filtered or unexported fields
}

QueryContext contains the context where the query is executed, which scan it belongs, basic information of query, the query compiled and its payload

type Tracker

type Tracker interface {
	TrackQueryLoad(queryAggregation int)
	TrackQueryExecuting(queryAggregation int)
	TrackQueryExecution(queryAggregation int)
	TrackScanPath()
	TrackScanSecret()
	FailedDetectLine()
	FailedComputeSimilarityID()
	GetOutputLines() int
}

Tracker wraps an interface that contain basic methods: TrackQueryLoad, TrackQueryExecution and FailedDetectLine TrackQueryLoad increments the number of loaded queries TrackQueryExecution increments the number of queries executed FailedDetectLine decrements the number of queries executed GetOutputLines returns the number of lines to be displayed in results outputs

type VulnerabilityBuilder

type VulnerabilityBuilder func(ctx *QueryContext, tracker Tracker, v interface{},
	detector *detector.DetectLine) (model.Vulnerability, error)

VulnerabilityBuilder represents a function that will build a vulnerability