Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(aws): remove duplicate bucket logging rule #1423

Merged
merged 11 commits into from
Aug 30, 2023
Merged

fix(aws): remove duplicate bucket logging rule #1423

merged 11 commits into from
Aug 30, 2023

Conversation

nikpivkin
Copy link
Collaborator

@nikpivkin nikpivkin commented Aug 10, 2023
edited by simar7
Loading

We already have a bucket logging rule.

See aquasecurity/trivy#4975
Fixes aquasecurity/trivy#5004

@nikpivkin
Copy link
Collaborator Author

@simar7 The tests failed at the OPA install stage: sha256sum: checksum: no properly formatted SHA256 checksum lines found

@nikpivkin nikpivkin marked this pull request as ready for review August 10, 2023 07:50
@nikpivkin nikpivkin requested a review from simar7 as a code owner August 10, 2023 07:50
@simar7
Copy link
Member

simar7 commented Aug 10, 2023

I believe it's one of the existing Go rules that we've transformed into Rego. In this case we would want to remove the Go rule and keep the rego rule.

Does the rego rule scan the misconfiguration correctly?

@simar7
Copy link
Member

simar7 commented Aug 10, 2023

These are the rules I moved into the rules/ dir recently 91898b5 do we have any other rules that also exist in Go that overlap with these? If so, we should remove them (Go rules).

@nikpivkin
Copy link
Collaborator Author

@simar7 OK, I'll return rego and remove the GO rule. By the way, the rego rule contained an invalid AVD ID.

@davidbmleach
Copy link

Is it possible this duplication also generates a false positive when you do something like this?:

# tfsec:ignore:aws-s3-enable-bucket-logging
# tfsec:ignore:aws-s3-enable-versioning
resource "aws_s3_bucket" "this" {
  bucket        = var.name
}

@nikpivkin nikpivkin mentioned this pull request Aug 14, 2023
Closed
@nikpivkin
Copy link
Collaborator Author

Hi @davidbmleach

If this comment doesn't help you, could you describe in more detail what happened to you and what you expected to see?

simar7
simar7 reviewed Aug 14, 2023
View reviewed changes
rules/cloud/policies/aws/s3/enable_bucket_logging.cf.go Outdated
@@ -1,44 +0,0 @@
package s3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to keep the examples (in Go) still available to us as they are used for doc generation. An example on how to use them is here https://github.com/aquasecurity/defsec/blob/master/rules/cloud/policies/aws/rds/disable_public_access.rego#L22-L25

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simar7 The good_example field specifies the GO file, but the file also contains a bad example and links. How does it work?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nikpivkin they are loaded like such

defsec/pkg/rego/metadata.go

Line 266 in 063dcd6

if val, ok := sMap["good_examples"].(string); ok {

Copy link
Collaborator Author

@nikpivkin nikpivkin Aug 29, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simar7 I think I found a code that parses GO files to generate documentation.

I have a couple of questions:

  • Why are only good examples generated for documentation, but not bad ones?
  • If there are several good examples, then only 1 is generated
  • Links in the metadata of the engine must be specified as values, not links to GO files, and it is impossible to specify multiple links:
#   terraform:
#       good_examples: "rules/cloud/policies/aws/s3/enable_bucket_logging.tf.go"
#       links: "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket"

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simar7 By the way, the "RDS Publicly Accessible" rule is duplicated:

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simar7 By the way, the "RDS Publicly Accessible" rule is duplicated:

New issue aquasecurity/trivy#5065

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simar7 I think I found a code that parses GO files to generate documentation.

I have a couple of questions:

  • Why are only good examples generated for documentation, but not bad ones?
  • If there are several good examples, then only 1 is generated
  • Links in the metadata of the engine must be specified as values, not links to GO files, and it is impossible to specify multiple links:
#   terraform:
#       good_examples: "rules/cloud/policies/aws/s3/enable_bucket_logging.tf.go"
#       links: "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket"

All of the above are improvements that we can add. The existing documentation at the time of implementing mostly had good examples than bad so support was added for them at first.

simar7
simar7 reviewed Aug 14, 2023
View reviewed changes
rules/cloud/policies/aws/s3/enable_bucket_logging.tf.go Outdated
@@ -1,37 +0,0 @@
package s3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto for terraform example.

simar7
simar7 requested changes Aug 14, 2023
View reviewed changes
Copy link
Member

@simar7 simar7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left comments

@nikpivkin
Copy link
Collaborator Author

@simar7 I updated the config for golangci-lint and added ignoring U1000 (unused variables) for variables in those files referenced from Rego. I noticed that now golangci-linter uses the following linters to check dead code: unused, struct check, deadcode and varcheck. All of them except unsuded are deprecated. How about updating the config?

@simar7
Copy link
Member

simar7 commented Aug 30, 2023

@simar7 I updated the config for golangci-lint and added ignoring U1000 (unused variables) for variables in those files referenced from Rego. I noticed that now golangci-linter uses the following linters to check dead code: unused, struct check, deadcode and varcheck. All of them except unsuded are deprecated. How about updating the config?

Sounds good. Let's create a separate issue and track it there.

@simar7 simar7 self-requested a review August 30, 2023 05:24
@simar7 simar7 enabled auto-merge August 30, 2023 05:24
@simar7 simar7 added this pull request to the merge queue Aug 30, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 30, 2023
@simar7 simar7 added this pull request to the merge queue Aug 30, 2023
Merged via the queue into aquasecurity:master with commit 8caf7b8 Aug 30, 2023
8 checks passed
@simar7 simar7 mentioned this pull request Aug 30, 2023
Merged
@nikpivkin nikpivkin deleted the fix/aws-bucket-log branch October 7, 2023 04:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug: s3 bucket logging warnings being flagged when ignored
3 participants
@nikpivkin @simar7 @davidbmleach