Documentation ¶
Index ¶
- Constants
- Variables
- func PtrStringToString(v *string) string
- func ShouldSkipVulnerability(command model.CommentsCommands, queryID string) bool
- type Inspector
- func (c *Inspector) DecodeQueryResults(ctx *QueryContext, results rego.ResultSet) ([]model.Vulnerability, error)
- func (c *Inspector) EnableCoverageReport()
- func (c *Inspector) GetCoverageReport() cover.Report
- func (c *Inspector) GetFailedQueries() map[string]error
- func (c *Inspector) Inspect(ctx context.Context, scanID string, files model.FileMetadatas, ...) ([]model.Vulnerability, error)
- func (c *Inspector) LenQueriesByPlat(platforms []string) int
- type PreparedQuery
- type QueryContext
- type QueryLoader
- type Tracker
- type VulnerabilityBuilder
Constants ¶
const ( UndetectedVulnerabilityLine = -1 DefaultQueryID = "Undefined" DefaultQueryName = "Anonymous" DefaultExperimental = false DefaultQueryDescription = "Undefined" DefaultQueryDescriptionID = "Undefined" DefaultQueryURI = "https://github.com/Checkmarx/kics/" DefaultIssueType = model.IssueTypeIncorrectValue )
Default values for inspector
Variables ¶
var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v interface{}, detector *dec.DetectLine) (*model.Vulnerability, error) { vObj, ok := v.(map[string]interface{}) if !ok { return &model.Vulnerability{}, ErrInvalidResult } vObj = mergeWithMetadata(vObj, ctx.Query.Metadata.Metadata) var err error var output []byte output, err = json.Marshal(vObj) if err != nil { return &model.Vulnerability{}, errors.Wrap(err, "failed to marshall query output") } var fileID *string fileID, err = mapKeyToString(vObj, "documentId", false) if err != nil { return &model.Vulnerability{}, errors.Wrap(err, "failed to recognize file id") } file, ok := ctx.Files[*fileID] if !ok { return &model.Vulnerability{}, errors.New("failed to find file from query response") } logWithFields := log.With(). Str("scanID", ctx.scanID). Str("fileName", file.FilePath). Str("queryName", ctx.Query.Metadata.Query). Logger() detector.SetupLogs(&logWithFields) linesVulne := model.VulnerabilityLines{ Line: -1, VulnLines: &[]model.CodeLine{}, } similarityIDLineInfo := "" searchKey := "" if s, ok := vObj["searchKey"]; ok { searchKey = s.(string) similarityIDLineInfo = searchKey intDoc := file.LineInfoDocument vulsSplit := strings.Split(searchKey, ".") if file.Kind == model.KindINI { vulsSplit, searchKey = sanitizeINIKey(vulsSplit) } if strings.Contains(vulsSplit[len(vulsSplit)-1], "RefMetadata") { return &model.Vulnerability{}, ErrNoResult } searchKey, _ = modifyVulSearchKeyReference(intDoc, searchKey, vulsSplit) vObj["searchKey"] = searchKey linesVulne = detector.DetectLine(&file, searchKey, &logWithFields) } else { logWithFields.Error().Msg("Saving result. failed to detect line") } lineNumber := 0 if file.Kind != model.KindHELM && len(file.ResolvedFiles) == 0 { searchLineCalc := &searchLineCalculator{ lineNr: -1, vObj: vObj, file: file, detector: detector, similarityIDLineInfo: similarityIDLineInfo, linesVulne: linesVulne, } lineNumber, similarityIDLineInfo, linesVulne = calculeSearchLine(searchLineCalc) } if linesVulne.Line == -1 { logWithFields.Warn().Msgf("Failed to detect line, query response %s", searchKey) linesVulne.Line = 1 } searchValue := "" if s, ok := vObj["searchValue"]; ok { searchValue = s.(string) } overrideKey := "" if s, ok := vObj["overrideKey"]; ok { overrideKey = s.(string) } queryID := getStringFromMap("id", DefaultQueryID, overrideKey, vObj, &logWithFields) severity := getResolvedSeverity(vObj, &logWithFields, overrideKey) issueType := DefaultIssueType if v := mustMapKeyToString(vObj, "issueType"); v != nil { issueType = model.IssueType(*v) } var similarityID *string similarityID, err = similarity.ComputeSimilarityID(ctx.BaseScanPaths, linesVulne.ResolvedFile, queryID, similarityIDLineInfo, searchValue) if err != nil { logWithFields.Err(err).Send() tracker.FailedComputeSimilarityID() } platform := getStringFromMap("platform", "", overrideKey, vObj, &logWithFields) return &model.Vulnerability{ ID: 0, SimilarityID: PtrStringToString(similarityID), ScanID: ctx.scanID, FileID: file.ID, FileName: linesVulne.ResolvedFile, QueryName: getStringFromMap("queryName", DefaultQueryName, overrideKey, vObj, &logWithFields), QueryID: queryID, Experimental: getBoolFromMap("experimental", DefaultExperimental, overrideKey, vObj, &logWithFields), QueryURI: getStringFromMap("descriptionUrl", DefaultQueryURI, overrideKey, vObj, &logWithFields), Category: getStringFromMap("category", "", overrideKey, vObj, &logWithFields), Description: getStringFromMap("descriptionText", "", overrideKey, vObj, &logWithFields), DescriptionID: getStringFromMap("descriptionID", DefaultQueryDescriptionID, overrideKey, vObj, &logWithFields), Severity: severity, Platform: getStringFromMap("platform", "", overrideKey, vObj, &logWithFields), Line: linesVulne.Line, VulnLines: linesVulne.VulnLines, ResourceType: PtrStringToString(mustMapKeyToString(vObj, "resourceType")), ResourceName: PtrStringToString(mustMapKeyToString(vObj, "resourceName")), IssueType: issueType, SearchKey: searchKey, SearchLine: lineNumber, SearchValue: searchValue, KeyExpectedValue: PtrStringToString(mustMapKeyToString(vObj, "keyExpectedValue")), KeyActualValue: PtrStringToString(mustMapKeyToString(vObj, "keyActualValue")), Value: mustMapKeyToString(vObj, "value"), Output: string(output), CloudProvider: getCloudProvider(platform, overrideKey, vObj, &logWithFields), Remediation: PtrStringToString(mustMapKeyToString(vObj, "remediation")), RemediationType: PtrStringToString(mustMapKeyToString(vObj, "remediationType")), }, nil }
DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan
var ErrInvalidResult = errors.New("query: invalid result format")
ErrInvalidResult - error representing invalid result
var ErrNoResult = errors.New("query: not result")
ErrNoResult - error representing when a query didn't return a result
Functions ¶
func PtrStringToString ¶ added in v1.4.3
PtrStringToString - converts a pointer to string to a string
func ShouldSkipVulnerability ¶ added in v1.5.0
func ShouldSkipVulnerability(command model.CommentsCommands, queryID string) bool
ShouldSkipVulnerability verifies if the vulnerability in question should be ignored through comment commands
Types ¶
type Inspector ¶
type Inspector struct { QueryLoader *QueryLoader // contains filtered or unexported fields }
Inspector represents a list of compiled queries, a builder for vulnerabilities, an information tracker a flag to enable coverage and the coverage report if it is enabled
func NewInspector ¶
func NewInspector( ctx context.Context, queriesSource source.QueriesSource, vb VulnerabilityBuilder, tracker Tracker, queryParameters *source.QueryInspectorParameters, excludeResults map[string]bool, queryTimeout int, needsLog bool) (*Inspector, error)
NewInspector initializes a inspector, compiling and loading queries for scan and its tracker
func (*Inspector) DecodeQueryResults ¶ added in v1.5.12
func (c *Inspector) DecodeQueryResults(ctx *QueryContext, results rego.ResultSet) ([]model.Vulnerability, error)
DecodeQueryResults decodes the results into []model.Vulnerability
func (*Inspector) EnableCoverageReport ¶
func (c *Inspector) EnableCoverageReport()
EnableCoverageReport enables the flag to create a coverage report
func (*Inspector) GetCoverageReport ¶
GetCoverageReport returns the scan coverage report
func (*Inspector) GetFailedQueries ¶ added in v1.1.2
GetFailedQueries returns a map of failed queries and the associated error
func (*Inspector) Inspect ¶
func (c *Inspector) Inspect( ctx context.Context, scanID string, files model.FileMetadatas, baseScanPaths []string, platforms []string, currentQuery chan<- int64) ([]model.Vulnerability, error)
Inspect scan files and return the a list of vulnerabilities found on the process
func (*Inspector) LenQueriesByPlat ¶ added in v1.3.0
LenQueriesByPlat returns the number of queries by platforms
type PreparedQuery ¶ added in v1.5.12
type PreparedQuery struct { OpaQuery rego.PreparedEvalQuery Metadata model.QueryMetadata }
PreparedQuery includes the opaQuery and its metadata
type QueryContext ¶
type QueryContext struct { Ctx context.Context Files map[string]model.FileMetadata Query *PreparedQuery BaseScanPaths []string // contains filtered or unexported fields }
QueryContext contains the context where the query is executed, which scan it belongs, basic information of query, the query compiled and its payload
type QueryLoader ¶ added in v1.5.6
type QueryLoader struct { QueriesMetadata []model.QueryMetadata // contains filtered or unexported fields }
QueryLoader is responsible for loading the queries for the inspector
func (QueryLoader) LoadQuery ¶ added in v1.5.12
func (q QueryLoader) LoadQuery(ctx context.Context, query *model.QueryMetadata) (*rego.PreparedEvalQuery, error)
LoadQuery loads the query into memory so it can be freed when not used anymore
type Tracker ¶
type Tracker interface { TrackQueryLoad(queryAggregation int) TrackQueryExecuting(queryAggregation int) TrackQueryExecution(queryAggregation int) TrackScanPath() TrackScanSecret() FailedDetectLine() FailedComputeSimilarityID() GetOutputLines() int }
Tracker wraps an interface that contain basic methods: TrackQueryLoad, TrackQueryExecution and FailedDetectLine TrackQueryLoad increments the number of loaded queries TrackQueryExecution increments the number of queries executed FailedDetectLine decrements the number of queries executed GetOutputLines returns the number of lines to be displayed in results outputs
type VulnerabilityBuilder ¶
type VulnerabilityBuilder func(ctx *QueryContext, tracker Tracker, v interface{}, detector *detector.DetectLine) (*model.Vulnerability, error)
VulnerabilityBuilder represents a function that will build a vulnerability
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package mock is a generated GoMock package.
|
Package mock is a generated GoMock package. |
Package source (go:generate go run -mod=mod github.com/golang/mock/mockgen -package mock -source=./$GOFILE -destination=../mock/$GOFILE)
|
Package source (go:generate go run -mod=mod github.com/golang/mock/mockgen -package mock -source=./$GOFILE -destination=../mock/$GOFILE) |