From 3ee0986b138f2c473d34c79b336f5f815ae96b06 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 5 Aug 2023 15:43:14 +0100 Subject: [PATCH 01/23] fix(Sink): countLines, IgnoreLines and fileCommands fixed --- pkg/kics/resolver_sink.go | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index 54c7ca9f24d..697f1b9d42f 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -5,6 +5,7 @@ import ( "context" "encoding/json" "fmt" + "regexp" "sort" sentryReport "github.com/Checkmarx/kics/internal/sentry" @@ -27,8 +28,6 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] for _, rfile := range resFiles.File { s.Tracker.TrackFileFound() - countLines := bytes.Count(rfile.Content, []byte{'\n'}) + 1 - s.Tracker.TrackFileFoundCountLines(countLines) documents, err := s.Parser.Parse(rfile.FileName, rfile.Content) if err != nil { @@ -38,6 +37,21 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] log.Err(err).Msgf("failed to parse file content") return []string{}, nil } + + if kind == model.KindHELM { + ignoreList, err := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData) + if err == nil { + documents.IgnoreLines = ignoreList + + //Need to ignore #KICS_HELM_ID Line + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + } + } else { + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + 1 + } + + fileCommands := s.Parser.CommentsCommands(rfile.FileName, rfile.OriginalData) + for _, document := range documents.Docs { _, err = json.Marshal(document) if err != nil { 
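Review bot: In the new `if kind == model.KindHELM` branch, a failure from `s.getOriginalIgnoreLines` is dropped without any log and `documents.CountLines` is then left untouched, so a helm file keeps whatever count `s.Parser.Parse` produced while the `else` branch always recomputes it from `rfile.OriginalData`; the tracker calls further down (`TrackFileFoundCountLines`, `TrackFileParseCountLines`) therefore report inconsistent numbers for exactly the files whose ignore-line extraction failed. Move the count out of the `if err == nil` block and record the failure, e.g. `if err != nil { log.Debug().Err(err).Msgf("could not compute ignore lines for helm file %s", rfile.FileName) }` followed by `documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'})` unconditionally inside the helm branch. The same block is carried forward with only renames by PATCH 02, 04 and 11 of this series, so the fix applies to its final form as well. The enclosing `resolverSink` body continues outside this hunk.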
@@ -65,6 +79,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] FilePath: rfile.FileName, Content: string(rfile.Content), HelmID: rfile.SplitID, + Commands: fileCommands, IDInfo: rfile.IDInfo, LinesIgnore: documents.IgnoreLines, ResolvedFiles: documents.ResolvedFiles, @@ -73,8 +88,20 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] s.saveToFile(ctx, &file) } s.Tracker.TrackFileParse() + s.Tracker.TrackFileFoundCountLines(documents.CountLines) s.Tracker.TrackFileParseCountLines(documents.CountLines - len(documents.IgnoreLines)) s.Tracker.TrackFileIgnoreCountLines(len(documents.IgnoreLines)) } return resFiles.Excluded, nil } + +func (s *Service) getOriginalIgnoreLines(filename string, originalFile []uint8) (ignoreLines []int, err error) { + refactor := regexp.MustCompile(`.*\n?.*KICS\_HELM\_ID.+\n`).ReplaceAll(originalFile, []uint8{}) + refactor = regexp.MustCompile(`{{-\s*(.*?)\s*}}`).ReplaceAll(refactor, []uint8{}) + + documentsOriginal, err := s.Parser.Parse(filename, refactor) + if err == nil { + ignoreLines = documentsOriginal.IgnoreLines + } + return +} From db329e35d52147bbe84df9f795f45d5b78f53520 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 5 Aug 2023 15:58:27 +0100 Subject: [PATCH 02/23] lint --- pkg/kics/resolver_sink.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index 697f1b9d42f..bd6ab34985f 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go 
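Review bot: `getOriginalIgnoreLines` calls `regexp.MustCompile` twice on every invocation, and it is invoked once per helm file from the `resolverSink` loop, so both patterns are recompiled for each file; hoist them to package-level `var` declarations, which is the convention `pkg/model/model.go` already uses for `KICSCommentRgxp`. The `\_` escapes in the first pattern are unnecessary (`_` is not a metacharacter), and the second pattern only strips `{{-`-prefixed actions, so a plain `{{ ... }}` action survives into the bytes handed to `s.Parser.Parse` — if that is intentional it deserves a comment, because the only caller treats a parse error as "no ignore lines" and silently moves on. The same body is re-emitted by PATCH 07 and PATCH 12 later in this series, so the hoisting applies there too.
```go
// helmIDLineRgxp removes the KICS_HELM_ID marker line together with the line preceding it.
var helmIDLineRgxp = regexp.MustCompile(`.*\n?.*KICS_HELM_ID.+\n`)

// helmActionRgxp strips "{{- ... }}" template actions before the original file is parsed.
var helmActionRgxp = regexp.MustCompile(`{{-\s*(.*?)\s*}}`)

func (s *Service) getOriginalIgnoreLines(filename string, originalFile []uint8) (ignoreLines []int, err error) {
	refactor := helmIDLineRgxp.ReplaceAll(originalFile, []uint8{})
	refactor = helmActionRgxp.ReplaceAll(refactor, []uint8{})
	// … unchanged: parse refactor and copy documentsOriginal.IgnoreLines …
}
```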
@@ -39,11 +39,11 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] } if kind == model.KindHELM { - ignoreList, err := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData) + var ignoreList, err = s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData) if err == nil { documents.IgnoreLines = ignoreList - //Need to ignore #KICS_HELM_ID Line + // Need to ignore #KICS_HELM_ID Line documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) } } else { From aaf4c641e5f27a07ff4ea1907406456c949fce78 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Sat, 5 Aug 2023 18:30:00 +0100 Subject: [PATCH 03/23] fix: helm detector pointer reference --- pkg/detector/helm/helm_detect.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/detector/helm/helm_detect.go b/pkg/detector/helm/helm_detect.go index 1ddf4f7b747..5614aeb315f 100644 --- a/pkg/detector/helm/helm_detect.go +++ b/pkg/detector/helm/helm_detect.go @@ -39,7 +39,10 @@ const ( func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, outputLines int, logWithFields *zerolog.Logger) model.VulnerabilityLines { searchKey = fmt.Sprintf("%s.%s", strings.TrimRight(strings.TrimLeft(file.HelmID, "# "), ":"), searchKey) - lines := *file.LinesOriginalData + + lines := make([]string, len(*file.LinesOriginalData)) + copy(lines, *file.LinesOriginalData) + curLineRes := detectCurlLine{ foundRes: false, lineRes: 0, From 7d976b0223b454159d1dcb2bd94d152ba5de11e8 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Tue, 8 Aug 2023 15:00:11 +0100 Subject: [PATCH 04/23] fixed lint --- pkg/kics/resolver_sink.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index bd6ab34985f..a6327d1e8c4 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go 
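Review bot: The new `make`+`copy` pair in `DetectLine` replaces aliasing of `*file.LinesOriginalData` with a private copy, but nothing in the hunk says why; presumably `lines` is edited in place further down (the body continues outside this hunk) and the shared slice was being corrupted for other callers, and that reason belongs next to the copy, e.g. `// copy: DetectLine edits lines in place and must not alter the shared file.LinesOriginalData`. The same copy can be written in one line as `lines := append([]string(nil), (*file.LinesOriginalData)...)`, or `slices.Clone(*file.LinesOriginalData)` if the module's Go version has the `slices` package. As before, a nil `file.LinesOriginalData` still panics on the dereference; if that field can be nil for some file kinds, a guard before the copy is needed.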
@@ -39,8 +39,8 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string) ([] } if kind == model.KindHELM { - var ignoreList, err = s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData) - if err == nil { + ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData) + if errorIL == nil { documents.IgnoreLines = ignoreList // Need to ignore #KICS_HELM_ID Line From 5c86b51d3f1044dec89ea18c81ef69785027105c Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 9 Aug 2023 11:47:35 +0100 Subject: [PATCH 05/23] Fixed multiline strings --- pkg/model/comment_yaml.go | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/pkg/model/comment_yaml.go b/pkg/model/comment_yaml.go index 543f19ce05e..47c441ac04e 100644 --- a/pkg/model/comment_yaml.go +++ b/pkg/model/comment_yaml.go @@ -1,6 +1,7 @@ package model import ( + "reflect" "strings" "sync" @@ -150,6 +151,7 @@ func processLine(kind yaml.Kind, content *yaml.Node, position int) (linesIgnore } else { nodeToIgnore = content.Content[position] } + linesIgnore = append(linesIgnore, nodeToIgnore.Line-1, nodeToIgnore.Line) return } @@ -175,13 +177,17 @@ func processBlock(kind yaml.Kind, content []*yaml.Node, position int) (linesIgno // getNodeLastLine returns the last line of a node func getNodeLastLine(node *yaml.Node) (lastLine int) { lastLine = node.Line - for _, content := range node.Content { - if content.Line > lastLine { - lastLine = content.Line - } - if lineContent := getNodeLastLine(content); lineContent > lastLine { - lastLine = lineContent + if len(node.Content) > 0 { + for _, content := range node.Content { + if content.Line > lastLine { + lastLine = content.Line + } + if lineContent := getNodeLastLine(content); lineContent > lastLine { + lastLine = lineContent + } } + } else if reflect.TypeOf(node.Value).Kind() == reflect.String { + lastLine += strings.Count(node.Value, "\n") } return 
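Review bot: In `getNodeLastLine`, the new `reflect.TypeOf(node.Value).Kind() == reflect.String` test is, as far as I can tell, always true because `yaml.Node.Value` is declared as `string` in gopkg.in/yaml.v3 (the test added in the next patch assigns a string literal to it), so the `reflect` import and the check can go; wrapping the existing `for` in `if len(node.Content) > 0` is likewise redundant, since ranging over an empty slice is a no-op. The same result is the original loop followed by `if len(node.Content) == 0 { lastLine += strings.Count(node.Value, "\n") }`. That line deserves a comment: the count is taken over the decoded scalar value, so for folded (`>`) block scalars, or quoted strings containing `\n` escapes, it does not equal the number of source lines the node spans — `// approximation: counts newlines in the decoded value, not source lines`.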
From f49c8b57e23013db913019764a55c97399a83b73 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Wed, 9 Aug 2023 12:30:37 +0100 Subject: [PATCH 06/23] added tests --- pkg/model/comment_yaml_test.go | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/pkg/model/comment_yaml_test.go b/pkg/model/comment_yaml_test.go index fbbd3a9301a..02d411b0008 100644 --- a/pkg/model/comment_yaml_test.go +++ b/pkg/model/comment_yaml_test.go @@ -634,6 +634,30 @@ func Test_ignoreCommentsYAML(t *testing.T) { }, }, }, + { + name: "test_7: ignore_multiline_string", + want: []int{4, 5, 6, 7, 8, 9}, + args: args{ + &yaml.Node{ + Kind: yaml.MappingNode, + Content: []*yaml.Node{ + { + Kind: yaml.ScalarNode, + Value: "deploy.yml", + HeadComment: "# kics-scan ignore-block", + Line: 5, + Column: 3, + }, + { + Kind: yaml.ScalarNode, + Value: "---\nfoo\n bar: abc\nuploader-token: my-awesome-token\n", + Line: 5, + Column: 15, + }, + }, + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 71944b6d324ff3a08dedebd47aef842ee99dee68 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Fri, 2 Feb 2024 09:46:29 +0000 Subject: [PATCH 07/23] updating the branch --- pkg/kics/resolver_sink.go | 6 +++--- pkg/parser/parser.go | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index b64a287f3a9..baa32e69c06 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -41,7 +41,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope } if kind == model.KindHELM { - ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData) + ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData, openAPIResolveReferences, isMinified) if errorIL == nil { documents.IgnoreLines = ignoreList 
@@ -98,11 +98,11 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope return resFiles.Excluded, nil } -func (s *Service) getOriginalIgnoreLines(filename string, originalFile []uint8) (ignoreLines []int, err error) { +func (s *Service) getOriginalIgnoreLines(filename string, originalFile []uint8, openAPIResolveReferences, isMinified bool) (ignoreLines []int, err error) { refactor := regexp.MustCompile(`.*\n?.*KICS\_HELM\_ID.+\n`).ReplaceAll(originalFile, []uint8{}) refactor = regexp.MustCompile(`{{-\s*(.*?)\s*}}`).ReplaceAll(refactor, []uint8{}) - documentsOriginal, err := s.Parser.Parse(filename, refactor) + documentsOriginal, err := s.Parser.Parse(filename, refactor, openAPIResolveReferences, isMinified) if err == nil { ignoreLines = documentsOriginal.IgnoreLines } diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index 7be45c0823b..51bc3250d49 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -97,9 +97,14 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com if line == "" { continue } + //aqui joao + /*if strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---") { + continue + }*/ if !strings.HasPrefix(line, commentToken) { break } + fields := strings.Fields(strings.TrimSpace(strings.TrimPrefix(line, commentToken))) if len(fields) > 1 && fields[0] == "kics-scan" && fields[1] != "" { commandParameters := strings.SplitN(fields[1], "=", 2) From 5ae721ec69aaf5537705413f2bbf58d24fb39b48 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Fri, 2 Feb 2024 11:03:17 +0000 Subject: [PATCH 08/23] block --- pkg/parser/parser.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index 51bc3250d49..b00ef30ad32 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go 
@@ -99,7 +99,7 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com } //aqui joao /*if strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---") { - continue + continue }*/ if !strings.HasPrefix(line, commentToken) { break From c45c03edf261bfe03ca749508c68786a22c277a9 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Fri, 2 Feb 2024 16:33:35 +0000 Subject: [PATCH 09/23] support to ignore --- pkg/parser/parser.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index b00ef30ad32..c8bccda2946 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -98,9 +98,9 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com continue } //aqui joao - /*if strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---") { - continue - }*/ + if strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---") { + continue + } if !strings.HasPrefix(line, commentToken) { break } From 7c3658780b7ab3c31f031d369158543c2c3bd004 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 5 Feb 2024 08:45:45 +0000 Subject: [PATCH 10/23] test --- pkg/kics/resolver_sink.go | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index baa32e69c06..93cadec5f28 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -1,7 +1,6 @@ package kics import ( - "bytes" "context" "encoding/json" "fmt" 
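Review bot: The new `strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---")` guard in `CommentsCommands` only recognises the `.yaml` extension, so a `.yml` file whose `# kics-scan` commands follow the document separator still reaches the `break` on the next line and loses its commands; use `(strings.HasSuffix(filePath, ".yaml") || strings.HasSuffix(filePath, ".yml")) && strings.HasPrefix(line, "---")`, or the project's kind detection if it is available at this point. The guard also needs a real comment in place of the `//aqui joao` marker above it, such as `// a YAML document separator is not a comment; skip it so kics-scan commands after it are still read`. `CommentsCommands` starts and continues outside this hunk, so whether `line` has already been trimmed of leading whitespace is not visible here.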
@@ -39,19 +38,19 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope log.Err(err).Msgf("failed to parse file content") return []string{}, nil } + /* + if kind == model.KindHELM { + ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData, openAPIResolveReferences, isMinified) + if errorIL == nil { + documents.IgnoreLines = ignoreList - if kind == model.KindHELM { - ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData, openAPIResolveReferences, isMinified) - if errorIL == nil { - documents.IgnoreLines = ignoreList - - // Need to ignore #KICS_HELM_ID Line - documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + // Need to ignore #KICS_HELM_ID Line + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + } + } else { + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + 1 } - } else { - documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + 1 - } - + */ fileCommands := s.Parser.CommentsCommands(rfile.FileName, rfile.OriginalData) for _, document := range documents.Docs { From 0ddf08b8e448d6621eea5d64d0cae1d95b231314 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Mon, 5 Feb 2024 15:21:39 +0000 Subject: [PATCH 11/23] fix ignore-block --- pkg/kics/resolver_sink.go | 23 ++++++++++++----------- pkg/model/comment_yaml.go | 10 ++++++++++ pkg/model/comment_yaml_test.go | 27 +++++++++++++++++++++++++++ pkg/model/model.go | 3 ++- 4 files changed, 51 insertions(+), 12 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index 93cadec5f28..baa32e69c06 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -1,6 +1,7 @@ package kics import ( + "bytes" "context" "encoding/json" "fmt" 
@@ -38,19 +39,19 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope log.Err(err).Msgf("failed to parse file content") return []string{}, nil } - /* - if kind == model.KindHELM { - ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData, openAPIResolveReferences, isMinified) - if errorIL == nil { - documents.IgnoreLines = ignoreList - // Need to ignore #KICS_HELM_ID Line - documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) - } - } else { - documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + 1 + if kind == model.KindHELM { + ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData, openAPIResolveReferences, isMinified) + if errorIL == nil { + documents.IgnoreLines = ignoreList + + // Need to ignore #KICS_HELM_ID Line + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) } - */ + } else { + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + 1 + } + fileCommands := s.Parser.CommentsCommands(rfile.FileName, rfile.OriginalData) for _, document := range documents.Docs { diff --git a/pkg/model/comment_yaml.go b/pkg/model/comment_yaml.go index 47c441ac04e..f7662b1ef15 100644 --- a/pkg/model/comment_yaml.go +++ b/pkg/model/comment_yaml.go @@ -196,6 +196,12 @@ func getNodeLastLine(node *yaml.Node) (lastLine int) { // value returns the value of the comment func (c *comment) value() (value CommentCommand) { comment := strings.ToLower(string(*c)) + if isHelm(comment) { + res := mytest.FindString(comment) + if len(res) > 0 { + comment = res + } + } // check if we are working with kics command if KICSCommentRgxp.MatchString(comment) { comment = KICSCommentRgxp.ReplaceAllString(comment, "") @@ -206,3 +212,7 @@ func (c *comment) value() (value CommentCommand) { } return CommentCommand(comment) } + +func isHelm(comment string) bool { + return strings.Contains(comment, "helm") +} 
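Review bot: `isHelm` decides that a comment came from a rendered helm template by `strings.Contains(comment, "helm")`, which is true for any lower-cased comment that merely mentions helm (for instance `# installed via helm` above a kics-scan line in a plain manifest), whereas the marker the new `Test_value` input shows is the `# kics_helm_id_2:` line; matching that marker, `return strings.Contains(comment, "kics_helm_id")`, is a precise test and keeps unrelated comments out of the `mytest` path. When `mytest.FindString` finds nothing, `comment` keeps all of its lines and the following `KICSCommentRgxp.ReplaceAllString` strips only the matched prefix, so the multi-line remainder becomes the returned `CommentCommand`; the second case of `Test_value` pins exactly that outcome, and a one-line comment in `value()` saying it is intended would stop the next reader from treating it as a bug. `isHelm` also deserves a doc comment naming what it detects.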
diff --git a/pkg/model/comment_yaml_test.go b/pkg/model/comment_yaml_test.go index 02d411b0008..926a60ed3fb 100644 --- a/pkg/model/comment_yaml_test.go +++ b/pkg/model/comment_yaml_test.go @@ -1,6 +1,7 @@ package model import ( + "github.com/stretchr/testify/assert" "sort" "testing" @@ -671,3 +672,29 @@ func Test_ignoreCommentsYAML(t *testing.T) { }) } } + +func Test_value(t *testing.T) { + tests := []struct { + name string + input comment + want string + }{ + { + name: "Should return ignore-block", + input: comment("# source: test/templates/deployment.yaml\n# kics-scan ignore-block\n# kics_helm_id_2:"), + want: "ignore-block", + }, + { + name: "Should Not return ignore-block", + input: comment("# source: test/templates/deployment.yaml\n# kics ignore-block\n# kics_helm_id_2:"), + want: "# source: test/templates/deployment.yaml\n# kics ignore-block\n# kics_helm_id_2:", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + res := tt.input.value() + assert.Equal(t, string(res), tt.want) + }) + } +} diff --git a/pkg/model/model.go b/pkg/model/model.go index e85140be58b..f96618782d4 100644 --- a/pkg/model/model.go +++ b/pkg/model/model.go @@ -67,7 +67,8 @@ var ( var ( // KICSCommentRgxp is the regexp to identify if a comment is a KICS comment - KICSCommentRgxp = regexp.MustCompile(`^((/{2})|#|;)*\s*kics-scan\s*`) + KICSCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan\s*`) + mytest = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan([^\n]*)\n`) // KICSCommentRgxpYaml is the regexp to identify if the comment has KICS comment at the end of the comment in YAML KICSCommentRgxpYaml = regexp.MustCompile(`((/{2})|#)*\s*kics-scan\s*(ignore-line|ignore-block)\s*\n*$`) ) From 2fd817ffe949d5c43a98f0c16c12b092f305d168 Mon Sep 17 00:00:00 2001 
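Review bot: Changing `KICSCommentRgxp` from `^` to `(^|\n)` widens it for every parser that consults `pkg/model`, not only helm: a kics-scan directive on any later line of a multi-line comment now matches, and `ReplaceAllString` then removes just the matched prefix while leaving the preceding lines in place, so callers that presumably compare the result with `ignore-line`/`ignore-block` may see different values than before — a regression test beyond `Test_value` (which covers only helm input) would make that deliberate. `mytest` additionally requires a `\n` after the directive, so a comment whose `# kics-scan ...` line is its last line is never extracted; `(^|\n)((/{2})|#|;)+\s*kics-scan([^\n]*)(\n|$)` handles both. In `comment_yaml_test.go` the `testify/assert` import sits in the standard-library group; `goimports` places it in its own group after the blank line.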
From: JoaoCxMartins Date: Mon, 5 Feb 2024 15:44:17 +0000 Subject: [PATCH 12/23] improve code --- pkg/kics/resolver_sink.go | 4 +++- pkg/model/comment_yaml.go | 2 +- pkg/model/model.go | 3 ++- pkg/parser/parser.go | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index baa32e69c06..5856df67c07 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -98,7 +98,9 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope return resFiles.Excluded, nil } -func (s *Service) getOriginalIgnoreLines(filename string, originalFile []uint8, openAPIResolveReferences, isMinified bool) (ignoreLines []int, err error) { +func (s *Service) getOriginalIgnoreLines(filename string, + originalFile []uint8, + openAPIResolveReferences, isMinified bool) (ignoreLines []int, err error) { refactor := regexp.MustCompile(`.*\n?.*KICS\_HELM\_ID.+\n`).ReplaceAll(originalFile, []uint8{}) refactor = regexp.MustCompile(`{{-\s*(.*?)\s*}}`).ReplaceAll(refactor, []uint8{}) diff --git a/pkg/model/comment_yaml.go b/pkg/model/comment_yaml.go index f7662b1ef15..31b2f85b42d 100644 --- a/pkg/model/comment_yaml.go +++ b/pkg/model/comment_yaml.go @@ -197,7 +197,7 @@ func getNodeLastLine(node *yaml.Node) (lastLine int) { func (c *comment) value() (value CommentCommand) { comment := strings.ToLower(string(*c)) if isHelm(comment) { - res := mytest.FindString(comment) + res := KICSGetContentCommentRgxp.FindString(comment) if len(res) > 0 { comment = res } diff --git a/pkg/model/model.go b/pkg/model/model.go index f96618782d4..5b7282b2774 100644 --- a/pkg/model/model.go +++ b/pkg/model/model.go 
@@ -68,7 +68,8 @@ var ( var ( // KICSCommentRgxp is the regexp to identify if a comment is a KICS comment KICSCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan\s*`) - mytest = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan([^\n]*)\n`) + // KICSGetContentCommentRgxp to gets the kics comment on the hel case + KICSGetContentCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan([^\n]*)\n`) // KICSCommentRgxpYaml is the regexp to identify if the comment has KICS comment at the end of the comment in YAML KICSCommentRgxpYaml = regexp.MustCompile(`((/{2})|#)*\s*kics-scan\s*(ignore-line|ignore-block)\s*\n*$`) ) diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index c8bccda2946..bd209ff300a 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -97,10 +97,10 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com if line == "" { continue } - //aqui joao if strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---") { continue } + if !strings.HasPrefix(line, commentToken) { break } From 5ae5bad1f012ee12b69d8a8ff4df85431d533e01 Mon Sep 17 00:00:00 2001 From: JoaoCxMartins Date: Tue, 6 Feb 2024 10:21:43 +0000 Subject: [PATCH 13/23] fix --- pkg/model/model.go | 4 ++-- pkg/parser/buildah/parser_test.go | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/pkg/model/model.go b/pkg/model/model.go index 5b7282b2774..5ac93b83da4 100644 --- a/pkg/model/model.go +++ b/pkg/model/model.go 
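Review bot: The doc comment on the renamed regexp, `// KICSGetContentCommentRgxp to gets the kics comment on the hel case`, has a typo and does not read as a sentence about the name; suggest `// KICSGetContentCommentRgxp extracts the first "kics-scan ..." line, up to and including its newline, from a multi-line helm-rendered comment.` Since the match also carries the leading newline and comment token, which `KICSCommentRgxp` is expected to strip afterwards in `comment.value()`, stating that dependency in the comment helps whoever next edits either pattern.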
@@ -67,9 +67,9 @@ var ( var ( // KICSCommentRgxp is the regexp to identify if a comment is a KICS comment - KICSCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan\s*`) + KICSCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*kics-scan\s*`) // KICSGetContentCommentRgxp to gets the kics comment on the hel case - KICSGetContentCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)+\s*kics-scan([^\n]*)\n`) + KICSGetContentCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*kics-scan([^\n]*)\n`) // KICSCommentRgxpYaml is the regexp to identify if the comment has KICS comment at the end of the comment in YAML KICSCommentRgxpYaml = regexp.MustCompile(`((/{2})|#)*\s*kics-scan\s*(ignore-line|ignore-block)\s*\n*$`) ) diff --git a/pkg/parser/buildah/parser_test.go b/pkg/parser/buildah/parser_test.go index cb27ee87f17..9704a2a9982 100644 --- a/pkg/parser/buildah/parser_test.go +++ b/pkg/parser/buildah/parser_test.go @@ -93,7 +93,8 @@ func TestParser_Parse(t *testing.T) { ]`, want1: []int{1, 3, 5}, wantErr: false, - }, { + }, + { name: "Buildah with normal comments + kics-scan ignore-line parse", p: &Parser{}, args: args{ @@ -137,7 +138,8 @@ func TestParser_Parse(t *testing.T) { ]`, want1: []int{1, 3, 4, 6}, wantErr: false, - }, { + }, + { name: "Buildah with kics-scan ignore-block related to from parse", p: &Parser{}, args: args{ From acd713d843fc7cf5735abfd1c33593afc5b4f289 Mon Sep 17 00:00:00 2001 
From: JoaoCxMartins Date: Tue, 6 Feb 2024 12:34:43 +0000 Subject: [PATCH 14/23] e2e to helm ignore and ignore block --- e2e/fixtures/E2E_CLI_083_RESULT.json | 28 ++++++ e2e/fixtures/E2E_CLI_084_RESULT.json | 28 ++++++ e2e/testcases/e2e-cli-083_helm_ignore.go | 27 +++++ .../e2e-cli-084_helm_ignore_block.go | 27 +++++ test/fixtures/hem_ignore/test/.helmignore | 23 +++++ test/fixtures/hem_ignore/test/Chart.yaml | 24 +++++ .../hem_ignore/test/templates/NOTES.txt | 22 +++++ .../hem_ignore/test/templates/_helpers.tpl | 62 ++++++++++++ .../hem_ignore/test/templates/deployment.yaml | 72 ++++++++++++++ .../hem_ignore/test/templates/hpa.yaml | 32 ++++++ .../hem_ignore/test/templates/ingress.yaml | 61 ++++++++++++ .../hem_ignore/test/templates/service.yaml | 15 +++ .../test/templates/serviceaccount.yaml | 13 +++ .../test/templates/tests/test-connection.yaml | 15 +++ test/fixtures/hem_ignore/test/values.yaml | 98 +++++++++++++++++++ .../heml_ignore_block/test/.helmignore | 23 +++++ .../heml_ignore_block/test/Chart.yaml | 24 +++++ .../test/templates/NOTES.txt | 22 +++++ .../test/templates/_helpers.tpl | 62 ++++++++++++ .../test/templates/deployment.yaml | 72 ++++++++++++++ .../heml_ignore_block/test/templates/hpa.yaml | 32 ++++++ .../test/templates/ingress.yaml | 61 ++++++++++++ .../test/templates/service.yaml | 15 +++ .../test/templates/serviceaccount.yaml | 13 +++ .../test/templates/tests/test-connection.yaml | 15 +++ .../heml_ignore_block/test/values.yaml | 98 +++++++++++++++++++ 26 files changed, 984 insertions(+) create mode 100644 e2e/fixtures/E2E_CLI_083_RESULT.json create mode 100644 e2e/fixtures/E2E_CLI_084_RESULT.json create mode 100644 e2e/testcases/e2e-cli-083_helm_ignore.go create mode 100644 e2e/testcases/e2e-cli-084_helm_ignore_block.go create mode 100644 test/fixtures/hem_ignore/test/.helmignore create mode 100644 test/fixtures/hem_ignore/test/Chart.yaml create mode 100644 test/fixtures/hem_ignore/test/templates/NOTES.txt create mode 100644 
test/fixtures/hem_ignore/test/templates/_helpers.tpl create mode 100644 test/fixtures/hem_ignore/test/templates/deployment.yaml create mode 100644 test/fixtures/hem_ignore/test/templates/hpa.yaml create mode 100644 test/fixtures/hem_ignore/test/templates/ingress.yaml create mode 100644 test/fixtures/hem_ignore/test/templates/service.yaml create mode 100644 test/fixtures/hem_ignore/test/templates/serviceaccount.yaml create mode 100644 test/fixtures/hem_ignore/test/templates/tests/test-connection.yaml create mode 100644 test/fixtures/hem_ignore/test/values.yaml create mode 100644 test/fixtures/heml_ignore_block/test/.helmignore create mode 100644 test/fixtures/heml_ignore_block/test/Chart.yaml create mode 100644 test/fixtures/heml_ignore_block/test/templates/NOTES.txt create mode 100644 test/fixtures/heml_ignore_block/test/templates/_helpers.tpl create mode 100644 test/fixtures/heml_ignore_block/test/templates/deployment.yaml create mode 100644 test/fixtures/heml_ignore_block/test/templates/hpa.yaml create mode 100644 test/fixtures/heml_ignore_block/test/templates/ingress.yaml create mode 100644 test/fixtures/heml_ignore_block/test/templates/service.yaml create mode 100644 test/fixtures/heml_ignore_block/test/templates/serviceaccount.yaml create mode 100644 test/fixtures/heml_ignore_block/test/templates/tests/test-connection.yaml create mode 100644 test/fixtures/heml_ignore_block/test/values.yaml diff --git a/e2e/fixtures/E2E_CLI_083_RESULT.json b/e2e/fixtures/E2E_CLI_083_RESULT.json new file mode 100644 index 00000000000..dbd4134315b --- /dev/null +++ b/e2e/fixtures/E2E_CLI_083_RESULT.json 
@@ -0,0 +1,28 @@ +{ + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 89, + "files_parsed": 3, + "lines_parsed": 34, + "lines_ignored": 55, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2024-02-06T12:29:45.3845776Z", + "end": "2024-02-06T12:29:49.5261723Z", + "paths": [ + "/path/test/fixtures/helm_ignore" + ], + "queries": [] +} diff --git a/e2e/fixtures/E2E_CLI_084_RESULT.json b/e2e/fixtures/E2E_CLI_084_RESULT.json new file mode 100644 index 00000000000..6a57951a6a3 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_084_RESULT.json @@ -0,0 +1,28 @@ +{ + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 89, + "files_parsed": 3, + "lines_parsed": 34, + "lines_ignored": 55, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2024-02-06T12:29:45.3845776Z", + "end": "2024-02-06T12:29:49.5261723Z", + "paths": [ + "/path/test/fixtures/helm_ignore_block" + ], + "queries": [] +} diff --git a/e2e/testcases/e2e-cli-083_helm_ignore.go b/e2e/testcases/e2e-cli-083_helm_ignore.go new file mode 100644 index 00000000000..63603571417 --- /dev/null +++ b/e2e/testcases/e2e-cli-083_helm_ignore.go 
@@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-083 - KICS scan +// should perform a scan and return zero results ignoring the file +func init() { //nolint + testSample := TestCase{ + Name: "should perform a scan and return three different similarity ids on the results [E2E-CLI-078]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_084_RESULT", + "-p", "\"/path/test/fixtures/helm_ignore\"", + "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_083_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{40}, + } + + Tests = append(Tests, testSample) +} diff --git a/e2e/testcases/e2e-cli-084_helm_ignore_block.go b/e2e/testcases/e2e-cli-084_helm_ignore_block.go new file mode 100644 index 00000000000..f09e42b4484 --- /dev/null +++ b/e2e/testcases/e2e-cli-084_helm_ignore_block.go @@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-084 - KICS scan +// should perform a scan and return zero results ignoring the block +func init() { //nolint + testSample := TestCase{ + Name: "should perform a scan and return three different similarity ids on the results [E2E-CLI-078]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_084_RESULT", + "-p", "\"/path/test/fixtures/helm_ignore_block\"", + "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_084_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{40}, + } + + Tests = append(Tests, testSample) +} diff --git a/test/fixtures/hem_ignore/test/.helmignore b/test/fixtures/hem_ignore/test/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/test/fixtures/hem_ignore/test/.helmignore 
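Review bot: `e2e-cli-083_helm_ignore.go` passes `"--output-name", "E2E_CLI_084_RESULT"` while its `ResultsValidation` expects `E2E_CLI_083_RESULT`, so the 083 run presumably writes the 084 file and its validation reads a file this case never produced; it should be `"--output-name", "E2E_CLI_083_RESULT"`. Both new cases also copy the `Name` of E2E-CLI-078 (`... return three different similarity ids ... [E2E-CLI-078]`), contradicting their own header comments; use `"should perform a scan and return zero results ignoring the file [E2E-CLI-083]"` and the ignore-block wording for 084. The scanned paths, `/path/test/fixtures/helm_ignore` and `/path/test/fixtures/helm_ignore_block`, do not match the fixture directories this patch creates (`test/fixtures/hem_ignore` and `test/fixtures/heml_ignore_block` in the diffstat and file headers), so as committed the scan target does not exist; renaming the fixture directories is the smaller fix, since `e2e/fixtures/E2E_CLI_083_RESULT.json` and `E2E_CLI_084_RESULT.json` already record the `helm_*` names.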
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/test/fixtures/hem_ignore/test/Chart.yaml b/test/fixtures/hem_ignore/test/Chart.yaml new file mode 100644 index 00000000000..3ebad470cb4 --- /dev/null +++ b/test/fixtures/hem_ignore/test/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: test +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/fixtures/hem_ignore/test/templates/NOTES.txt b/test/fixtures/hem_ignore/test/templates/NOTES.txt new file mode 100644 index 00000000000..5577ecc59d6 --- /dev/null 
+++ b/test/fixtures/hem_ignore/test/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/test/fixtures/hem_ignore/test/templates/_helpers.tpl b/test/fixtures/hem_ignore/test/templates/_helpers.tpl new file mode 100644 index 00000000000..7286a2d8fa9 --- /dev/null 
+++ b/test/fixtures/hem_ignore/test/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test.labels" -}} +helm.sh/chart: {{ include "test.chart" . }} +{{ include "test.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/test/fixtures/hem_ignore/test/templates/deployment.yaml b/test/fixtures/hem_ignore/test/templates/deployment.yaml new file mode 100644 index 00000000000..7141dc146b6 --- /dev/null +++ b/test/fixtures/hem_ignore/test/templates/deployment.yaml @@ -0,0 +1,72 @@ +--- +# kics-scan ignore +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "test.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "test.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "test.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: dir1 + mountPath: /var/dir1 + volumes: + - name: dir1 + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
diff --git a/test/fixtures/hem_ignore/test/templates/hpa.yaml b/test/fixtures/hem_ignore/test/templates/hpa.yaml new file mode 100644 index 00000000000..7afd4c98e87 --- /dev/null +++ b/test/fixtures/hem_ignore/test/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/test/fixtures/hem_ignore/test/templates/ingress.yaml b/test/fixtures/hem_ignore/test/templates/ingress.yaml new file mode 100644 index 00000000000..62771cf66b6 --- /dev/null +++ b/test/fixtures/hem_ignore/test/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/test/fixtures/hem_ignore/test/templates/service.yaml b/test/fixtures/hem_ignore/test/templates/service.yaml new file mode 100644 index 00000000000..af7828aff53 --- /dev/null +++ b/test/fixtures/hem_ignore/test/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test.selectorLabels" . | nindent 4 }} diff --git a/test/fixtures/hem_ignore/test/templates/serviceaccount.yaml b/test/fixtures/hem_ignore/test/templates/serviceaccount.yaml new file mode 100644 index 00000000000..0fc75716d29 --- /dev/null +++ b/test/fixtures/hem_ignore/test/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test.serviceAccountName" . }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/test/fixtures/hem_ignore/test/templates/tests/test-connection.yaml b/test/fixtures/hem_ignore/test/templates/tests/test-connection.yaml new file mode 100644 index 00000000000..f78ec6dc1c4 --- /dev/null +++ b/test/fixtures/hem_ignore/test/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test.fullname" . }}-test-connection" + labels: + {{- include "test.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never 
diff --git a/test/fixtures/hem_ignore/test/values.yaml b/test/fixtures/hem_ignore/test/values.yaml new file mode 100644 index 00000000000..f3cc6241180 --- /dev/null +++ b/test/fixtures/hem_ignore/test/values.yaml 
@@ -0,0 +1,98 @@ +# Default values for test. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. 
+volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/test/fixtures/heml_ignore_block/test/.helmignore b/test/fixtures/heml_ignore_block/test/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/test/fixtures/heml_ignore_block/test/Chart.yaml b/test/fixtures/heml_ignore_block/test/Chart.yaml new file mode 100644 index 00000000000..3ebad470cb4 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/Chart.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: test +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/fixtures/heml_ignore_block/test/templates/NOTES.txt b/test/fixtures/heml_ignore_block/test/templates/NOTES.txt new file mode 100644 index 00000000000..5577ecc59d6 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/test/fixtures/heml_ignore_block/test/templates/_helpers.tpl b/test/fixtures/heml_ignore_block/test/templates/_helpers.tpl new file mode 100644 index 00000000000..7286a2d8fa9 --- /dev/null 
+++ b/test/fixtures/heml_ignore_block/test/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test.labels" -}} +helm.sh/chart: {{ include "test.chart" . }} +{{ include "test.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/test/fixtures/heml_ignore_block/test/templates/deployment.yaml b/test/fixtures/heml_ignore_block/test/templates/deployment.yaml new file mode 100644 index 00000000000..b67f7ab2cd1 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/templates/deployment.yaml 
@@ -0,0 +1,72 @@ +--- +# kics-scan ignore-block +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "test.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "test.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "test.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: dir1 + mountPath: /var/dir1 + volumes: + - name: dir1 + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/test/fixtures/heml_ignore_block/test/templates/hpa.yaml b/test/fixtures/heml_ignore_block/test/templates/hpa.yaml new file mode 100644 index 00000000000..7afd4c98e87 --- /dev/null 
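Review bot: This deployment.yaml is the only file in the pair of fixtures that ends without a trailing newline (`\ No newline at end of file`), so the two charts differ in more than the `# kics-scan ignore` vs `# kics-scan ignore-block` directive. If the scanner's line counters are derived from newline counts, the 083/084 results are no longer a controlled comparison of the two directives; adding the trailing newline keeps the fixtures identical except for the directive. Both expected results on this page report the same `lines_ignored: 55`, which suggests the missing newline is not affecting the count today, but that is worth confirming rather than relying on.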
+++ b/test/fixtures/heml_ignore_block/test/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/test/fixtures/heml_ignore_block/test/templates/ingress.yaml b/test/fixtures/heml_ignore_block/test/templates/ingress.yaml new file mode 100644 index 00000000000..62771cf66b6 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/test/fixtures/heml_ignore_block/test/templates/service.yaml b/test/fixtures/heml_ignore_block/test/templates/service.yaml new file mode 100644 index 00000000000..af7828aff53 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test.selectorLabels" . | nindent 4 }} diff --git a/test/fixtures/heml_ignore_block/test/templates/serviceaccount.yaml b/test/fixtures/heml_ignore_block/test/templates/serviceaccount.yaml new file mode 100644 index 00000000000..0fc75716d29 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test.serviceAccountName" . }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/test/fixtures/heml_ignore_block/test/templates/tests/test-connection.yaml b/test/fixtures/heml_ignore_block/test/templates/tests/test-connection.yaml new file mode 100644 index 00000000000..f78ec6dc1c4 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test.fullname" . }}-test-connection" + labels: + {{- include "test.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never 
diff --git a/test/fixtures/heml_ignore_block/test/values.yaml b/test/fixtures/heml_ignore_block/test/values.yaml new file mode 100644 index 00000000000..f3cc6241180 --- /dev/null +++ b/test/fixtures/heml_ignore_block/test/values.yaml 
@@ -0,0 +1,98 @@ +# Default values for test. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. 
+volumes: []
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
From 8cb6da514d44eaa3013874ab9b7db414ddaba138 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Tue, 6 Feb 2024 13:44:32 +0000
Subject: [PATCH 15/23] fix
---
 e2e/testcases/e2e-cli-083_helm_ignore.go | 4 ++--
 e2e/testcases/e2e-cli-084_helm_ignore_block.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/e2e/testcases/e2e-cli-083_helm_ignore.go b/e2e/testcases/e2e-cli-083_helm_ignore.go
index 63603571417..0b56c278b95 100644
--- a/e2e/testcases/e2e-cli-083_helm_ignore.go
+++ b/e2e/testcases/e2e-cli-083_helm_ignore.go
@@ -4,11 +4,11 @@ package testcases
 // should perform a scan and return zero results ignoring the file
 func init() { //nolint
 testSample := TestCase{
- Name: "should perform a scan and return three different similarity ids on the results [E2E-CLI-078]",
+ Name: "should perform a scan and return zero results ignoring the file [E2E-CLI-083]",
 Args: args{
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
- "--output-name", "E2E_CLI_084_RESULT",
+ "--output-name", "E2E_CLI_083_RESULT",
 "-p", "\"/path/test/fixtures/helm_ignore\"",
 "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063",
 },
diff --git a/e2e/testcases/e2e-cli-084_helm_ignore_block.go b/e2e/testcases/e2e-cli-084_helm_ignore_block.go
index f09e42b4484..17e979cb8ca 100644
--- a/e2e/testcases/e2e-cli-084_helm_ignore_block.go
+++ b/e2e/testcases/e2e-cli-084_helm_ignore_block.go
@@ -4,7 +4,7 @@ package testcases
 // should perform a scan and return zero results ignoring the block
 func init() { //nolint
 testSample := TestCase{
- Name: "should perform a scan and return three different similarity ids on the results [E2E-CLI-078]",
+ Name: "should perform a scan and return zero results ignoring the block [E2E-CLI-084]",
 Args: args{
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
From f82787a708e31eb52f8a61618aeee800b4df2ff3 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Tue, 6 Feb 2024 13:47:25 +0000
Subject: [PATCH 16/23] fix code
---
 e2e/testcases/e2e-cli-083_helm_ignore.go | 2 +-
 e2e/testcases/e2e-cli-084_helm_ignore_block.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e/testcases/e2e-cli-083_helm_ignore.go b/e2e/testcases/e2e-cli-083_helm_ignore.go
index 0b56c278b95..450b9439d62 100644
--- a/e2e/testcases/e2e-cli-083_helm_ignore.go
+++ b/e2e/testcases/e2e-cli-083_helm_ignore.go
@@ -20,7 +20,7 @@ func init() { //nolint
 },
 },
 },
- WantStatus: []int{40},
+ WantStatus: []int{0},
 }
 
 Tests = append(Tests, testSample)
diff --git a/e2e/testcases/e2e-cli-084_helm_ignore_block.go b/e2e/testcases/e2e-cli-084_helm_ignore_block.go
index 17e979cb8ca..9511bd14da4 100644
--- a/e2e/testcases/e2e-cli-084_helm_ignore_block.go
+++ b/e2e/testcases/e2e-cli-084_helm_ignore_block.go
@@ -20,7 +20,7 @@ func init() { //nolint
 },
 },
 },
- WantStatus: []int{40},
+ WantStatus: []int{0},
 }
 
 Tests = append(Tests, testSample)
From 315b8769d1e5ced5e809f95aea8f892e035fcc3f Mon Sep 17 00:00:00 2001
From: JoaoCxMartins Date: Tue, 6 Feb 2024 14:05:52 +0000 Subject: [PATCH 17/23] fix paths --- test/fixtures/{hem_ignore => helm_ignore}/test/.helmignore | 0 test/fixtures/{hem_ignore => helm_ignore}/test/Chart.yaml | 0 .../fixtures/{hem_ignore => helm_ignore}/test/templates/NOTES.txt | 0 .../{hem_ignore => helm_ignore}/test/templates/_helpers.tpl | 0 .../{hem_ignore => helm_ignore}/test/templates/deployment.yaml | 0 test/fixtures/{hem_ignore => helm_ignore}/test/templates/hpa.yaml | 0 .../{hem_ignore => helm_ignore}/test/templates/ingress.yaml | 0 .../{hem_ignore => helm_ignore}/test/templates/service.yaml | 0 .../test/templates/serviceaccount.yaml | 0 .../test/templates/tests/test-connection.yaml | 0 test/fixtures/{hem_ignore => helm_ignore}/test/values.yaml | 0 .../{heml_ignore_block => helm_ignore_block}/test/.helmignore | 0 .../{heml_ignore_block => helm_ignore_block}/test/Chart.yaml | 0 .../test/templates/NOTES.txt | 0 .../test/templates/_helpers.tpl | 0 .../test/templates/deployment.yaml | 0 .../test/templates/hpa.yaml | 0 .../test/templates/ingress.yaml | 0 .../test/templates/service.yaml | 0 .../test/templates/serviceaccount.yaml | 0 .../test/templates/tests/test-connection.yaml | 0 .../{heml_ignore_block => helm_ignore_block}/test/values.yaml | 0 22 files changed, 0 insertions(+), 0 deletions(-) rename test/fixtures/{hem_ignore => helm_ignore}/test/.helmignore (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/Chart.yaml (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/NOTES.txt (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/_helpers.tpl (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/deployment.yaml (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/hpa.yaml (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/ingress.yaml (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/service.yaml (100%) rename 
test/fixtures/{hem_ignore => helm_ignore}/test/templates/serviceaccount.yaml (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/templates/tests/test-connection.yaml (100%) rename test/fixtures/{hem_ignore => helm_ignore}/test/values.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/.helmignore (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/Chart.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/NOTES.txt (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/_helpers.tpl (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/deployment.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/hpa.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/ingress.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/service.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/serviceaccount.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/templates/tests/test-connection.yaml (100%) rename test/fixtures/{heml_ignore_block => helm_ignore_block}/test/values.yaml (100%) diff --git a/test/fixtures/hem_ignore/test/.helmignore b/test/fixtures/helm_ignore/test/.helmignore similarity index 100% rename from test/fixtures/hem_ignore/test/.helmignore rename to test/fixtures/helm_ignore/test/.helmignore diff --git a/test/fixtures/hem_ignore/test/Chart.yaml b/test/fixtures/helm_ignore/test/Chart.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/Chart.yaml rename to test/fixtures/helm_ignore/test/Chart.yaml 
diff --git a/test/fixtures/hem_ignore/test/templates/NOTES.txt b/test/fixtures/helm_ignore/test/templates/NOTES.txt similarity index 100% rename from test/fixtures/hem_ignore/test/templates/NOTES.txt rename to test/fixtures/helm_ignore/test/templates/NOTES.txt diff --git a/test/fixtures/hem_ignore/test/templates/_helpers.tpl b/test/fixtures/helm_ignore/test/templates/_helpers.tpl similarity index 100% rename from test/fixtures/hem_ignore/test/templates/_helpers.tpl rename to test/fixtures/helm_ignore/test/templates/_helpers.tpl diff --git a/test/fixtures/hem_ignore/test/templates/deployment.yaml b/test/fixtures/helm_ignore/test/templates/deployment.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/templates/deployment.yaml rename to test/fixtures/helm_ignore/test/templates/deployment.yaml diff --git a/test/fixtures/hem_ignore/test/templates/hpa.yaml b/test/fixtures/helm_ignore/test/templates/hpa.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/templates/hpa.yaml rename to test/fixtures/helm_ignore/test/templates/hpa.yaml diff --git a/test/fixtures/hem_ignore/test/templates/ingress.yaml b/test/fixtures/helm_ignore/test/templates/ingress.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/templates/ingress.yaml rename to test/fixtures/helm_ignore/test/templates/ingress.yaml diff --git a/test/fixtures/hem_ignore/test/templates/service.yaml b/test/fixtures/helm_ignore/test/templates/service.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/templates/service.yaml rename to test/fixtures/helm_ignore/test/templates/service.yaml diff --git a/test/fixtures/hem_ignore/test/templates/serviceaccount.yaml b/test/fixtures/helm_ignore/test/templates/serviceaccount.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/templates/serviceaccount.yaml rename to test/fixtures/helm_ignore/test/templates/serviceaccount.yaml 
diff --git a/test/fixtures/hem_ignore/test/templates/tests/test-connection.yaml b/test/fixtures/helm_ignore/test/templates/tests/test-connection.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/templates/tests/test-connection.yaml rename to test/fixtures/helm_ignore/test/templates/tests/test-connection.yaml diff --git a/test/fixtures/hem_ignore/test/values.yaml b/test/fixtures/helm_ignore/test/values.yaml similarity index 100% rename from test/fixtures/hem_ignore/test/values.yaml rename to test/fixtures/helm_ignore/test/values.yaml diff --git a/test/fixtures/heml_ignore_block/test/.helmignore b/test/fixtures/helm_ignore_block/test/.helmignore similarity index 100% rename from test/fixtures/heml_ignore_block/test/.helmignore rename to test/fixtures/helm_ignore_block/test/.helmignore diff --git a/test/fixtures/heml_ignore_block/test/Chart.yaml b/test/fixtures/helm_ignore_block/test/Chart.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/Chart.yaml rename to test/fixtures/helm_ignore_block/test/Chart.yaml diff --git a/test/fixtures/heml_ignore_block/test/templates/NOTES.txt b/test/fixtures/helm_ignore_block/test/templates/NOTES.txt similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/NOTES.txt rename to test/fixtures/helm_ignore_block/test/templates/NOTES.txt diff --git a/test/fixtures/heml_ignore_block/test/templates/_helpers.tpl b/test/fixtures/helm_ignore_block/test/templates/_helpers.tpl similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/_helpers.tpl rename to test/fixtures/helm_ignore_block/test/templates/_helpers.tpl diff --git a/test/fixtures/heml_ignore_block/test/templates/deployment.yaml b/test/fixtures/helm_ignore_block/test/templates/deployment.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/deployment.yaml rename to test/fixtures/helm_ignore_block/test/templates/deployment.yaml 
diff --git a/test/fixtures/heml_ignore_block/test/templates/hpa.yaml b/test/fixtures/helm_ignore_block/test/templates/hpa.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/hpa.yaml rename to test/fixtures/helm_ignore_block/test/templates/hpa.yaml diff --git a/test/fixtures/heml_ignore_block/test/templates/ingress.yaml b/test/fixtures/helm_ignore_block/test/templates/ingress.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/ingress.yaml rename to test/fixtures/helm_ignore_block/test/templates/ingress.yaml diff --git a/test/fixtures/heml_ignore_block/test/templates/service.yaml b/test/fixtures/helm_ignore_block/test/templates/service.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/service.yaml rename to test/fixtures/helm_ignore_block/test/templates/service.yaml diff --git a/test/fixtures/heml_ignore_block/test/templates/serviceaccount.yaml b/test/fixtures/helm_ignore_block/test/templates/serviceaccount.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/serviceaccount.yaml rename to test/fixtures/helm_ignore_block/test/templates/serviceaccount.yaml diff --git a/test/fixtures/heml_ignore_block/test/templates/tests/test-connection.yaml b/test/fixtures/helm_ignore_block/test/templates/tests/test-connection.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/templates/tests/test-connection.yaml rename to test/fixtures/helm_ignore_block/test/templates/tests/test-connection.yaml diff --git a/test/fixtures/heml_ignore_block/test/values.yaml b/test/fixtures/helm_ignore_block/test/values.yaml similarity index 100% rename from test/fixtures/heml_ignore_block/test/values.yaml rename to test/fixtures/helm_ignore_block/test/values.yaml From fc2c21d8d080c7864ff2c34fabdd8a25295abd3d Mon Sep 17 00:00:00 2001 
From: JoaoCxMartins
Date: Tue, 6 Feb 2024 14:31:47 +0000
Subject: [PATCH 18/23] fix
---
 e2e/fixtures/E2E_CLI_083_RESULT.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e/fixtures/E2E_CLI_083_RESULT.json b/e2e/fixtures/E2E_CLI_083_RESULT.json
index dbd4134315b..b66b81c1626 100644
--- a/e2e/fixtures/E2E_CLI_083_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_083_RESULT.json
@@ -3,8 +3,8 @@
 "files_scanned": 4,
 "lines_scanned": 89,
 "files_parsed": 3,
- "lines_parsed": 34,
- "lines_ignored": 55,
+ "lines_parsed": 86,
+ "lines_ignored": 3,
 "files_failed_to_scan": 0,
 "queries_total": 1,
 "queries_failed_to_execute": 0,
From 02643f1442c9ad260a9750d6786717a176aa7ee8 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Tue, 6 Feb 2024 15:08:23 +0000
Subject: [PATCH 19/23] e2e to test the query disable on helm
---
 e2e/fixtures/E2E_CLI_085_RESULT.json | 28 ++++++
 .../e2e-cli-085_helm_disable_query.go | 27 +++++
 .../helm_disable_query/test/.helmignore | 23 +++++
 .../helm_disable_query/test/Chart.yaml | 24 +++++
 .../test/templates/NOTES.txt | 22 +++++
 .../test/templates/_helpers.tpl | 62 ++++++++++++
 .../test/templates/deployment.yaml | 72 ++++++++++++++
 .../test/templates/hpa.yaml | 32 ++++++
 .../test/templates/ingress.yaml | 61 ++++++++++++
 .../test/templates/service.yaml | 15 +++
 .../test/templates/serviceaccount.yaml | 13 +++
 .../test/templates/tests/test-connection.yaml | 15 +++
 .../helm_disable_query/test/values.yaml | 98 +++++++++++++++++++
 13 files changed, 492 insertions(+)
 create mode 100644 e2e/fixtures/E2E_CLI_085_RESULT.json
 create mode 100644 e2e/testcases/e2e-cli-085_helm_disable_query.go
 create mode 100644 test/fixtures/helm_disable_query/test/.helmignore
 create mode 100644 test/fixtures/helm_disable_query/test/Chart.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/templates/NOTES.txt
 create mode 100644 test/fixtures/helm_disable_query/test/templates/_helpers.tpl
 create mode 100644 test/fixtures/helm_disable_query/test/templates/deployment.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/templates/hpa.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/templates/ingress.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/templates/service.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml
 create mode 100644 test/fixtures/helm_disable_query/test/values.yaml
diff --git a/e2e/fixtures/E2E_CLI_085_RESULT.json b/e2e/fixtures/E2E_CLI_085_RESULT.json
new file mode 100644
index 00000000000..77ba27a9eb3
--- /dev/null
+++ b/e2e/fixtures/E2E_CLI_085_RESULT.json
@@ -0,0 +1,28 @@
+{
+ "kics_version": "development",
+ "files_scanned": 4,
+ "lines_scanned": 89,
+ "files_parsed": 3,
+ "lines_parsed": 86,
+ "lines_ignored": 3,
+ "files_failed_to_scan": 0,
+ "queries_total": 1,
+ "queries_failed_to_execute": 0,
+ "queries_failed_to_compute_similarity_id": 0,
+ "scan_id": "console",
+ "severity_counters": {
+ "HIGH": 0,
+ "INFO": 0,
+ "LOW": 0,
+ "MEDIUM": 0,
+ "TRACE": 0
+ },
+ "total_counter": 0,
+ "total_bom_resources": 0,
+ "start": "2024-02-06T15:01:20.657455Z",
+ "end": "2024-02-06T15:01:25.1183483Z",
+ "paths": [
+ "/path/test/fixtures/helm_disable_query"
+ ],
+ "queries": []
+}
diff --git a/e2e/testcases/e2e-cli-085_helm_disable_query.go b/e2e/testcases/e2e-cli-085_helm_disable_query.go
new file mode 100644
index 00000000000..d120a35eeb8
--- /dev/null
+++ b/e2e/testcases/e2e-cli-085_helm_disable_query.go
@@ -0,0 +1,27 @@
+package testcases
+
+// E2E-CLI-085 - KICS scan
+// should perform a scan and return zero results ignoring the query
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a scan and return zero results ignoring the query [E2E-CLI-085]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_085_RESULT",
+ "-p", "\"/path/test/fixtures/helm_disable_query\"",
+ "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_085_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{0},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/test/fixtures/helm_disable_query/test/.helmignore b/test/fixtures/helm_disable_query/test/.helmignore
new file mode 100644
index 00000000000..0e8a0eb36f4
--- /dev/null
+++ b/test/fixtures/helm_disable_query/test/.helmignore
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/test/fixtures/helm_disable_query/test/Chart.yaml b/test/fixtures/helm_disable_query/test/Chart.yaml new file mode 100644 index 00000000000..3ebad470cb4 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: test +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/fixtures/helm_disable_query/test/templates/NOTES.txt b/test/fixtures/helm_disable_query/test/templates/NOTES.txt new file mode 100644 index 00000000000..5577ecc59d6 
--- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} 
diff --git a/test/fixtures/helm_disable_query/test/templates/_helpers.tpl b/test/fixtures/helm_disable_query/test/templates/_helpers.tpl new file mode 100644 index 00000000000..7286a2d8fa9 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test.labels" -}} +helm.sh/chart: {{ include "test.chart" . }} +{{ include "test.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_disable_query/test/templates/deployment.yaml b/test/fixtures/helm_disable_query/test/templates/deployment.yaml new file mode 100644 index 00000000000..fb51959472e --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/deployment.yaml 
@@ -0,0 +1,72 @@ +--- +# kics-scan disable=b7652612-de4e-4466-a0bf-1cd81f0c6063 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "test.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "test.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "test.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: dir1 + mountPath: /var/dir1 + volumes: + - name: dir1 + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/hpa.yaml b/test/fixtures/helm_disable_query/test/templates/hpa.yaml new file mode 100644 index 00000000000..7afd4c98e87 --- /dev/null 
+++ b/test/fixtures/helm_disable_query/test/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/ingress.yaml b/test/fixtures/helm_disable_query/test/templates/ingress.yaml new file mode 100644 index 00000000000..62771cf66b6 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_disable_query/test/templates/service.yaml b/test/fixtures/helm_disable_query/test/templates/service.yaml new file mode 100644 index 00000000000..af7828aff53 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test.selectorLabels" . | nindent 4 }} diff --git a/test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml b/test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml new file mode 100644 index 00000000000..0fc75716d29 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test.serviceAccountName" . }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml b/test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml new file mode 100644 index 00000000000..f78ec6dc1c4 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test.fullname" . }}-test-connection" + labels: + {{- include "test.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/test/fixtures/helm_disable_query/test/values.yaml b/test/fixtures/helm_disable_query/test/values.yaml new file mode 100644 index 00000000000..f3cc6241180 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/values.yaml 
@@ -0,0 +1,98 @@ +# Default values for test. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. 
+volumes: []
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
From 8c28fba8e5153dc1996ad03d8ee5d2ed9f1f1406 Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Wed, 21 Feb 2024 09:38:11 +0000
Subject: [PATCH 20/23] improve logic to count files
---
 internal/tracker/ci.go | 31 ++++++++++++++++++++++++++-----
 pkg/kics/resolver_sink.go | 9 ++++-----
 pkg/kics/service.go | 4 ++--
 pkg/kics/sink.go | 4 ++--
 4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/internal/tracker/ci.go b/internal/tracker/ci.go
index af939a805ee..98ee8c1827f 100644
--- a/internal/tracker/ci.go
+++ b/internal/tracker/ci.go
@@ -29,6 +29,9 @@ type CITracker struct {
 ParsedCountLines int
 IgnoreCountLines int
 Version model.Version
+ BagOfFilesParse map[string]int
+ BagOfFilesFound map[string]int
+ syncFileMutex sync.Mutex
 }
 
 // NewTracker will create a new instance of a tracker with the number of lines to display in results output
@@ -39,7 +42,9 @@ func NewTracker(previewLines int) (*CITracker, error) {
 fmt.Errorf("output lines minimum is %v and maximum is %v", constants.MinimumPreviewLines, constants.MaximumPreviewLines)
 }
 return &CITracker{
- lines: previewLines,
+ lines: previewLines,
+ BagOfFilesParse: make(map[string]int),
+ BagOfFilesFound: make(map[string]int),
 }, nil
 }
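Review bot: `BagOfFilesParse` and `BagOfFilesFound` are exported fields while the mutex meant to guard them, `syncFileMutex`, is unexported, so code in other packages can read or mutate the maps without the lock and nothing in the type signals that they must not. Unless something outside the package needs them, make them unexported (`bagOfFilesParse`, `bagOfFilesFound`) or add a field comment such as `// guarded by syncFileMutex; do not access directly`. With a `sync.Mutex` field the struct becomes a no-copy type, which is fine as long as it keeps being handed around as `*CITracker` the way `NewTracker` returns it. ci.go's import block is not touched by this commit, so `sync` must already be imported there; worth a quick check, since the three hunks shown account for the whole 31-line diffstat of the file.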
@@ -66,13 +71,29 @@ func (c *CITracker) TrackQueryExecution(queryAggregation int) {
 }
 
 // TrackFileFound adds a found file to be scanned
-func (c *CITracker) TrackFileFound() {
- c.FoundFiles++
+func (c *CITracker) TrackFileFound(path string) {
+ c.syncFileMutex.Lock()
+ defer c.syncFileMutex.Unlock()
+ count, value := c.BagOfFilesFound[path]
+ if !value {
+ c.BagOfFilesFound[path] = 1
+ c.FoundFiles++
+ } else {
+ c.BagOfFilesFound[path] = count + 1
+ }
 }
 
 // TrackFileParse adds a successful parsed file to be scanned
-func (c *CITracker) TrackFileParse() {
- c.ParsedFiles++
+func (c *CITracker) TrackFileParse(path string) {
+ c.syncFileMutex.Lock()
+ defer c.syncFileMutex.Unlock()
+ count, value := c.BagOfFilesParse[path]
+ if !value {
+ c.BagOfFilesParse[path] = 1
+ c.ParsedFiles++
+ } else {
+ c.BagOfFilesParse[path] = count + 1
+ }
 }
 
 // FailedDetectLine - queries that fail to detect line are counted as failed to execute queries
diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go
index 5856df67c07..368592139a9 100644
--- a/pkg/kics/resolver_sink.go
+++ b/pkg/kics/resolver_sink.go
@@ -5,15 +5,14 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "regexp"
- "sort"
-
 sentryReport "github.com/Checkmarx/kics/internal/sentry"
 "github.com/Checkmarx/kics/pkg/minified"
 "github.com/Checkmarx/kics/pkg/model"
 "github.com/Checkmarx/kics/pkg/utils"
 "github.com/google/uuid"
 "github.com/rs/zerolog/log"
+ "regexp"
+ "sort"
 )
 
 func (s *Service) resolverSink(ctx context.Context, filename, scanID string, openAPIResolveReferences bool) ([]string, error) {
@@ -28,7 +27,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope
 }
 
 for _, rfile := range resFiles.File {
- s.Tracker.TrackFileFound()
+ s.Tracker.TrackFileFound(rfile.FileName)
 
 isMinified := minified.IsMinified(rfile.FileName, rfile.Content)
 documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences, isMinified)
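Review bot: `c.BagOfFilesFound[path] = 1` panics on a nil map whenever a `CITracker` is built as a struct literal instead of through `NewTracker`; the zero value of the type is no longer usable, which is exactly why the test patch later in this series has to add `make(map[string]int)` to its literal. Initialising lazily under the lock keeps the zero value working: `if c.BagOfFilesFound == nil { c.BagOfFilesFound = make(map[string]int) }` right after the `Lock()` in `TrackFileFound`, and the same for `BagOfFilesParse` in `TrackFileParse`. The per-path counter written in the `else` branch is not read anywhere visible in this series; if nothing consumes it, `map[string]struct{}` states the intent (a set of already-counted paths) more honestly than a count nobody reports, and the comma-ok result should be named `seen` or `ok` rather than `value`. The doc comments should also carry the new contract, e.g. `// TrackFileFound counts a found file once per distinct path; repeated calls for the same path do not increment FoundFiles.`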
@@ -90,7 +89,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope
 }
 s.saveToFile(ctx, &file)
 }
- s.Tracker.TrackFileParse()
+ s.Tracker.TrackFileParse(rfile.FileName)
 s.Tracker.TrackFileFoundCountLines(documents.CountLines)
 s.Tracker.TrackFileParseCountLines(documents.CountLines - len(documents.IgnoreLines))
 s.Tracker.TrackFileIgnoreCountLines(len(documents.IgnoreLines))
diff --git a/pkg/kics/service.go b/pkg/kics/service.go
index 5bc18e6bfc9..dd7618afd5f 100644
--- a/pkg/kics/service.go
+++ b/pkg/kics/service.go
@@ -40,8 +40,8 @@ type Storage interface {
 // TrackFileFound should increment the number of files to be scanned
 // TrackFileParse should increment the number of files parsed successfully to be scanned
 type Tracker interface {
- TrackFileFound()
- TrackFileParse()
+ TrackFileFound(path string)
+ TrackFileParse(path string)
 TrackFileFoundCountLines(countLines int)
 TrackFileParseCountLines(countLines int)
 TrackFileIgnoreCountLines(countLines int)
diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go
index b165d399144..960b57fa74e 100644
--- a/pkg/kics/sink.go
+++ b/pkg/kics/sink.go
@@ -29,7 +29,7 @@ var (
 
 func (s *Service) sink(ctx context.Context, filename, scanID string,
 rc io.Reader, data []byte, openAPIResolveReferences bool) error {
- s.Tracker.TrackFileFound()
+ s.Tracker.TrackFileFound(filename)
 log.Debug().Msgf("Starting to process file %s", filename)
 
 c, err := getContent(rc, data, s.MaxFileSize, filename)
@@ -92,7 +92,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string,
 s.saveToFile(ctx, &file)
 }
 
- s.Tracker.TrackFileParse()
+ s.Tracker.TrackFileParse(filename)
 log.Debug().Msgf("Finished to process file %s", filename)
 
 s.Tracker.TrackFileParseCountLines(documents.CountLines - len(documents.IgnoreLines))
From 831200d685125a4dff0f8849e484efcb2a5e53bc Mon Sep 17 00:00:00 2001
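Review bot: `TrackFileParse(rfile.FileName)` is now de-duplicated per path, but the three line counters directly below it (`TrackFileFoundCountLines`, `TrackFileParseCountLines`, `TrackFileIgnoreCountLines`) are still added on every iteration, so a path that reaches this loop twice, or both `sink` and this loop, contributes its lines twice while being counted as one file. The e2e fixtures in this series drop `files_scanned` from 4 to 3 while `lines_scanned` stays at 89, which suggests the file and line totals are now computed under different rules; worth confirming which one is intended. If the per-path rule is the one wanted, let the tracker report whether the path was new (for example `TrackFileParse` returning a bool) and skip the three line calls when it was not, or move the line accounting into the tracker next to the dedup decision. The enclosing `for` loop and `resolverSink` both start before this hunk.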
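Review bot: The doc comment two lines above the `Tracker` interface still says `TrackFileFound should increment the number of files to be scanned`, but the only implementation in this series, `CITracker`, now increments only for a path it has not seen before, and the new `path` parameter is not described at all. If that de-duplication is part of the contract rather than an implementation detail, say so where implementers will read it: `// TrackFileFound records that path was found; implementations count each distinct path once.` and `// TrackFileParse records that path was parsed successfully; implementations count each distinct path once.` If it is not part of the contract, the line-count methods that callers invoke per file alongside these should be documented as unconditional so the mismatch is at least visible.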
From: JoaoCxMartins
Date: Wed, 21 Feb 2024 10:21:15 +0000
Subject: [PATCH 21/23] linter

---
 pkg/kics/resolver_sink.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go
index 368592139a9..de005b8a4eb 100644
--- a/pkg/kics/resolver_sink.go
+++ b/pkg/kics/resolver_sink.go
@@ -5,14 +5,15 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "regexp"
+ "sort"
+
 sentryReport "github.com/Checkmarx/kics/internal/sentry"
 "github.com/Checkmarx/kics/pkg/minified"
 "github.com/Checkmarx/kics/pkg/model"
 "github.com/Checkmarx/kics/pkg/utils"
 "github.com/google/uuid"
 "github.com/rs/zerolog/log"
- "regexp"
- "sort"
 )
 
 func (s *Service) resolverSink(ctx context.Context, filename, scanID string, openAPIResolveReferences bool) ([]string, error) {
From c8920f2b3bef09562c046189736418626872a25b Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Wed, 21 Feb 2024 11:40:22 +0000
Subject: [PATCH 22/23] fix tests

---
 internal/tracker/ci_test.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/internal/tracker/ci_test.go b/internal/tracker/ci_test.go
index 8e317346298..a0e3e899b1d 100644
--- a/internal/tracker/ci_test.go
+++ b/internal/tracker/ci_test.go
@@ -70,6 +70,8 @@ func TestCITracker(t *testing.T) {
 ParsedCountLines: tt.fields.ParsedCountLines,
 IgnoreCountLines: tt.fields.IgnoreCountLines,
 lines: tt.fields.lines,
+ BagOfFilesParse: make(map[string]int),
+ BagOfFilesFound: make(map[string]int),
 }
 t.Run(fmt.Sprintf(tt.name+"_LoadedQueries"), func(t *testing.T) {
 c.TrackQueryLoad(1)
@@ -82,12 +84,12 @@ func TestCITracker(t *testing.T) {
 })
 
 t.Run(fmt.Sprintf(tt.name+"_TrackFileFound"), func(t *testing.T) {
- c.TrackFileFound()
+ c.TrackFileFound(tt.name)
 require.Equal(t, 1, c.FoundFiles)
 })
 
 t.Run(fmt.Sprintf(tt.name+"_TrackFileParse"), func(t *testing.T) {
- c.TrackFileParse()
+ c.TrackFileParse(tt.name)
 require.Equal(t, 1, c.ParsedFiles)
 })
 t.Run(fmt.Sprintf(tt.name+"_TrackQueryExecuting"), func(t *testing.T) {
@@ -152,7 +154,9 @@ func TestNewTracker(t *testing.T) {
 outputLines: 3,
 },
 want: CITracker{
- lines: 3,
+ lines: 3,
+ BagOfFilesFound: make(map[string]int),
+ BagOfFilesParse: make(map[string]int),
 },
 wantErr: false,
 },
From 5ac773a8491d965aead96a6b931e77682bc3f89f Mon Sep 17 00:00:00 2001
From: JoaoCxMartins
Date: Wed, 21 Feb 2024 11:58:24 +0000
Subject: [PATCH 23/23] fix e2e

---
 e2e/fixtures/E2E_CLI_083_RESULT.json | 2 +-
 e2e/fixtures/E2E_CLI_084_RESULT.json | 2 +-
 e2e/fixtures/E2E_CLI_085_RESULT.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/e2e/fixtures/E2E_CLI_083_RESULT.json b/e2e/fixtures/E2E_CLI_083_RESULT.json
index b66b81c1626..48e32c5c69e 100644
--- a/e2e/fixtures/E2E_CLI_083_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_083_RESULT.json
@@ -1,6 +1,6 @@
 {
 "kics_version": "development",
- "files_scanned": 4,
+ "files_scanned": 3,
 "lines_scanned": 89,
 "files_parsed": 3,
 "lines_parsed": 86,
diff --git a/e2e/fixtures/E2E_CLI_084_RESULT.json b/e2e/fixtures/E2E_CLI_084_RESULT.json
index 6a57951a6a3..5ba65bc25cd 100644
--- a/e2e/fixtures/E2E_CLI_084_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_084_RESULT.json
@@ -1,6 +1,6 @@
 {
 "kics_version": "development",
- "files_scanned": 4,
+ "files_scanned": 3,
 "lines_scanned": 89,
 "files_parsed": 3,
 "lines_parsed": 34,
diff --git a/e2e/fixtures/E2E_CLI_085_RESULT.json b/e2e/fixtures/E2E_CLI_085_RESULT.json
index 77ba27a9eb3..1923c8afc79 100644
--- a/e2e/fixtures/E2E_CLI_085_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_085_RESULT.json
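Review bot: The updated sub-tests still only exercise the first-call path: each calls `c.TrackFileFound(tt.name)` (or `TrackFileParse`) once and asserts the counter is 1, so the de-duplication this series introduces, where a second call with the same path must not increment, has no test, and neither does the case of two distinct paths giving 2. Add a repeated call and a second path in each sub-test, e.g. `c.TrackFileFound(tt.name); require.Equal(t, 1, c.FoundFiles)` followed by `c.TrackFileFound(tt.name + "_other"); require.Equal(t, 2, c.FoundFiles)`, and the mirror for `TrackFileParse`/`ParsedFiles`. `TestCITracker` starts before this hunk.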
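Review bot: `want: CITracker{...}` is a by-value table entry of a struct that, after this series, contains a `sync.Mutex`; if the comparison after this hunk uses `require.Equal`/`reflect.DeepEqual` against `*got`, or the table is ranged over with `for _, tt := range`, go vet's copylocks check will flag the copy and the mutex state becomes part of the equality. Comparing only the fields that matter (`lines`, and that both maps are non-nil and empty) or declaring `want` as `*CITracker` avoids both. The comparison itself is not visible in this hunk, so this is inferred from the literal and should be confirmed in the surrounding test.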
@@ -1,6 +1,6 @@
 {
 "kics_version": "development",
- "files_scanned": 4,
+ "files_scanned": 3,
 "lines_scanned": 89,
 "files_parsed": 3,
 "lines_parsed": 86,