From 0fd1fd01304428e9219325e4626eaa61cdea8c45 Mon Sep 17 00:00:00 2001
From: Haseeb Zafar <39837756+realwebdev@users.noreply.github.com>
Date: Fri, 3 Mar 2023 04:12:35 +0500
Subject: [PATCH] add: accessanalyzer adapter (#1179)
* add: accessanalyzer adapter
* add(cloud): listfinding call added
* add: schema added
* modify: initialized active field in accessanalyzer cloudformation and terraform
---
 .../cloud/aws/accessanalyzer/adapt.go | 18 +++++++++
 .../aws/accessanalyzer/accessanalyzer.go | 13 ++++++
 .../aws/accessanalyzer/analyzer.go | 24 +++++++++++
 .../aws/accessanalyzer/accessanalyzer.go | 40 +++++++++++++++++++
 pkg/providers/aws/accessanalyzer/aa.go | 13 ++++--
 pkg/rego/schemas/cloud.json | 10 +++++
 6 files changed, 114 insertions(+), 4 deletions(-)
 create mode 100644 internal/adapters/cloudformation/aws/accessanalyzer/accessanalyzer.go
 create mode 100644 internal/adapters/cloudformation/aws/accessanalyzer/analyzer.go
 create mode 100644 internal/adapters/terraform/aws/accessanalyzer/accessanalyzer.go
diff --git a/internal/adapters/cloud/aws/accessanalyzer/adapt.go b/internal/adapters/cloud/aws/accessanalyzer/adapt.go
index 440d2b7b4..06c2453bd 100644
--- a/internal/adapters/cloud/aws/accessanalyzer/adapt.go
+++ b/internal/adapters/cloud/aws/accessanalyzer/adapt.go
@@ -84,10 +84,28 @@ func (a *adapter) adaptAnalyzer(apiAnalyzer aatypes.AnalyzerSummary) (*accessana
 	if apiAnalyzer.Name != nil {
 		name = *apiAnalyzer.Name
 	}
+
+	var findings []accessanalyzer.Findings
+	output, err := a.api.ListFindings(a.Context(), &api.ListFindingsInput{
+		AnalyzerArn: apiAnalyzer.Arn,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if output.Findings != nil {
+		for _, r := range output.Findings {
+			findings = append(findings, accessanalyzer.Findings{
+				Metadata: metadata,
+			})
+			_ = r
+		}
+	}
+
 	return &accessanalyzer.Analyzer{
 		Metadata: metadata,
 		ARN:      types.String(*apiAnalyzer.Arn, metadata),
 		Name:     types.String(name, metadata),
 		Active:   types.Bool(apiAnalyzer.Status == aatypes.AnalyzerStatusActive, metadata),
+		Findings: findings,
 	}, nil
 }
diff --git a/internal/adapters/cloudformation/aws/accessanalyzer/accessanalyzer.go b/internal/adapters/cloudformation/aws/accessanalyzer/accessanalyzer.go
new file mode 100644
index 000000000..221cd2238
--- /dev/null
+++ b/internal/adapters/cloudformation/aws/accessanalyzer/accessanalyzer.go
@@ -0,0 +1,13 @@
+package accessanalyzer
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/aws/accessanalyzer"
+	"github.com/aquasecurity/defsec/pkg/scanners/cloudformation/parser"
+)
+
+// Adapt ...
+func Adapt(cfFile parser.FileContext) accessanalyzer.AccessAnalyzer {
+	return accessanalyzer.AccessAnalyzer{
+		Analyzers: getAccessAnalyzer(cfFile),
+	}
+}
diff --git a/internal/adapters/cloudformation/aws/accessanalyzer/analyzer.go b/internal/adapters/cloudformation/aws/accessanalyzer/analyzer.go
new file mode 100644
index 000000000..c22092af7
--- /dev/null
+++ b/internal/adapters/cloudformation/aws/accessanalyzer/analyzer.go
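Review bot: The loop over `output.Findings` appends an `accessanalyzer.Findings{Metadata: metadata}` per element and throws the finding itself away with `_ = r`, so the new `Findings` field carries nothing a policy can act on (status, resource, principal) and is effectively a count. That count is also truncated: ListFindings is paginated through NextToken and only the first page is requested here, so an analyzer with many findings under-reports silently; the `if output.Findings != nil` guard is redundant since ranging over a nil slice is a no-op. Note as well that adaptAnalyzer now hard-fails on the ListFindings error, so a scanning principal permitted to list analyzers but not their findings loses the analyzer entirely instead of getting it with an empty findings list — that trade-off should be deliberate. The sketch below uses the SDK paginator and assumes `a.api` is the SDK client it accepts; adaptAnalyzer's signature and the start of its body are outside the hunk.
```go
	var findings []accessanalyzer.Findings
	pager := api.NewListFindingsPaginator(a.api, &api.ListFindingsInput{
		AnalyzerArn: apiAnalyzer.Arn,
	})
	for pager.HasMorePages() {
		page, err := pager.NextPage(a.Context())
		if err != nil {
			return nil, err
		}
		for range page.Findings {
			findings = append(findings, accessanalyzer.Findings{
				Metadata: metadata,
			})
		}
	}
	// … unchanged: return &accessanalyzer.Analyzer{…, Findings: findings}, nil …
```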
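Review bot: `// Adapt ...` is a placeholder doc comment on an exported function and tells the reader nothing. Replace it with `// Adapt builds the AccessAnalyzer model from every AWS::AccessAnalyzer::Analyzer resource in cfFile.`, which matches the resource type getAccessAnalyzer queries in analyzer.go.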
@@ -0,0 +1,24 @@
+package accessanalyzer
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/aws/accessanalyzer"
+	"github.com/aquasecurity/defsec/pkg/scanners/cloudformation/parser"
+	"github.com/aquasecurity/defsec/pkg/types"
+)
+
+func getAccessAnalyzer(ctx parser.FileContext) (analyzers []accessanalyzer.Analyzer) {
+
+	analyzersList := ctx.GetResourcesByType("AWS::AccessAnalyzer::Analyzer")
+
+	for _, r := range analyzersList {
+		aa := accessanalyzer.Analyzer{
+			Metadata: r.Metadata(),
+			Name:     r.GetStringProperty("AnalyzerName"),
+			ARN:      r.StringDefault(""),
+			Active:   types.BoolDefault(false, r.Metadata()),
+		}
+
+		analyzers = append(analyzers, aa)
+	}
+	return analyzers
+}
diff --git a/internal/adapters/terraform/aws/accessanalyzer/accessanalyzer.go b/internal/adapters/terraform/aws/accessanalyzer/accessanalyzer.go
new file mode 100644
index 000000000..97fcf3871
--- /dev/null
+++ b/internal/adapters/terraform/aws/accessanalyzer/accessanalyzer.go
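Review bot: `Active: types.BoolDefault(false, r.Metadata())` marks every template-declared analyzer as inactive, which a template cannot express and which, as far as I can tell, is not what deploying it produces (an analyzer created through CloudFormation comes up ACTIVE); any policy that requires an active analyzer would then flag precisely the templates that provision one. The terraform adaptAnalyzers in this commit carries the same default. If the types package provides an unresolvable bool, prefer that so policies can treat the value as unknown; otherwise `Active: types.BoolDefault(true, r.Metadata())` reflects the deployed state. `ARN: r.StringDefault("")` is reasonable but deserves `// ARN is only assigned on deployment; never present in the template.`, and getAccessAnalyzer itself has no doc comment.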
@@ -0,0 +1,40 @@
+package accessanalyzer
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/aws/accessanalyzer"
+	"github.com/aquasecurity/defsec/pkg/terraform"
+	"github.com/aquasecurity/defsec/pkg/types"
+)
+
+func Adapt(modules terraform.Modules) accessanalyzer.AccessAnalyzer {
+	return accessanalyzer.AccessAnalyzer{
+		Analyzers: adaptTrails(modules),
+	}
+}
+
+func adaptTrails(modules terraform.Modules) []accessanalyzer.Analyzer {
+	var analyzer []accessanalyzer.Analyzer
+
+	for _, module := range modules {
+		for _, resource := range module.GetResourcesByType("aws_accessanalyzer_analyzer") {
+			analyzer = append(analyzer, adaptAnalyzers(resource))
+		}
+	}
+	return analyzer
+}
+
+func adaptAnalyzers(resource *terraform.Block) accessanalyzer.Analyzer {
+
+	analyzerName := resource.GetAttribute("analyzer_name")
+	analyzerNameAttr := analyzerName.AsStringValueOrDefault("", resource)
+
+	arnAnalyzer := resource.GetAttribute("arn")
+	arnAnalyzerAttr := arnAnalyzer.AsStringValueOrDefault("", resource)
+
+	return accessanalyzer.Analyzer{
+		Metadata: resource.GetMetadata(),
+		Name:     analyzerNameAttr,
+		ARN:      arnAnalyzerAttr,
+		Active:   types.BoolDefault(false, resource.GetMetadata()),
+	}
+}
diff --git a/pkg/providers/aws/accessanalyzer/aa.go b/pkg/providers/aws/accessanalyzer/aa.go
index 210feea3a..fc23065be 100644
--- a/pkg/providers/aws/accessanalyzer/aa.go
+++ b/pkg/providers/aws/accessanalyzer/aa.go
@@ -7,8 +7,13 @@ type AccessAnalyzer struct {
 }
 
 type Analyzer struct {
-	types.Metadata
-	ARN    types.StringValue
-	Name   types.StringValue
-	Active types.BoolValue
+	Metadata types.Metadata
+	ARN      types.StringValue
+	Name     types.StringValue
+	Active   types.BoolValue
+	Findings []Findings
+}
+
+type Findings struct {
+	Metadata types.Metadata
 }
diff --git a/pkg/rego/schemas/cloud.json b/pkg/rego/schemas/cloud.json
index 8971e3666..d6e80f1cd 100644
--- a/pkg/rego/schemas/cloud.json
+++ b/pkg/rego/schemas/cloud.json
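Review bot: `adaptTrails` and `adaptAnalyzers` are misnamed: the first adapts analyzers, not trails (the name reads as copied from the CloudTrail adapter), and the second adapts exactly one analyzer. Rename them to `adaptAnalyzers` and `adaptAnalyzer`, and the local slice `analyzer` to `analyzers`, so the call sites read naturally. `resource.GetAttribute("arn")` will presumably always fall back to "", since `arn` on aws_accessanalyzer_analyzer is a computed attribute rather than one written in HCL — if that is intended, say so in a one-line comment. Adapt is exported and has no doc comment.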
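Review bot: `Findings` holds only `Metadata`, so a rego policy cannot distinguish an active finding from an archived or resolved one, and the name is plural for what is a single slice element. Consider `type Finding struct` with `Findings []Finding` on Analyzer and at least `Status types.StringValue` so policies can count only active findings. Replacing the embedded `types.Metadata` with a named `Metadata` field drops its promoted methods from Analyzer; any caller relying on them lives outside this hunk and would need the same update. Both exported types lack doc comments; `// Analyzer is an IAM Access Analyzer instance and the findings it has produced.` would cover the first.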
@@ -203,12 +203,22 @@
           "type": "object",
           "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
         },
+        "findings": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.Findings"
+          }
+        },
         "name": {
           "type": "object",
           "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
         }
       }
     },
+    "github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.Findings": {
+      "type": "object"
+    },
     "github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.apigateway.APIGateway": {
       "type": "object",
       "properties": {