From 8155ee8a39b7ab6f7aeb9d12eaee6e83c5357f60 Mon Sep 17 00:00:00 2001
From: nikpivkin
Date: Mon, 19 Aug 2024 19:45:59 +0600
Subject: [PATCH 1/2] fix(misconf): wrap Azure PortRange in IaC types
Signed-off-by: nikpivkin
---
 pkg/iac/adapters/arm/network/adapt.go | 8 ++++----
 pkg/iac/adapters/terraform/azure/network/adapt.go | 12 ++++++------
 .../adapters/terraform/azure/network/adapt_test.go | 8 ++++----
 pkg/iac/providers/azure/network/network.go | 6 +++---
 4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/pkg/iac/adapters/arm/network/adapt.go b/pkg/iac/adapters/arm/network/adapt.go
index 5201b84761e7..214cf75c3c90 100644
--- a/pkg/iac/adapters/arm/network/adapt.go
+++ b/pkg/iac/adapters/arm/network/adapt.go
@@ -27,11 +27,11 @@ func adaptSecurityGroups(deployment azure.Deployment) (sgs []network.SecurityGro
 func adaptSecurityGroup(resource azure.Resource, deployment azure.Deployment) network.SecurityGroup {
 return network.SecurityGroup{
 Metadata: resource.Metadata,
- Rules: adaptSecurityGroupRules(resource, deployment),
+ Rules: adaptSecurityGroupRules(deployment),
 }
 }
-func adaptSecurityGroupRules(resource azure.Resource, deployment azure.Deployment) (rules []network.SecurityGroupRule) {
+func adaptSecurityGroupRules(deployment azure.Deployment) (rules []network.SecurityGroupRule) {
 for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkSecurityGroups/securityRules") {
 rules = append(rules, adaptSecurityGroupRule(resource))
 }
@@ -120,7 +120,7 @@ func expandRange(r string, m iacTypes.Metadata) network.PortRange {
 return network.PortRange{
 Metadata: m,
- Start: start,
- End: end,
+ Start: iacTypes.Int(start, m),
+ End: iacTypes.Int(end, m),
 }
 }
diff --git a/pkg/iac/adapters/terraform/azure/network/adapt.go b/pkg/iac/adapters/terraform/azure/network/adapt.go
index b2866cd9100a..4bbcca6c5fd2 100644
--- a/pkg/iac/adapters/terraform/azure/network/adapt.go
+++ b/pkg/iac/adapters/terraform/azure/network/adapt.go
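Review bot: Dropping the `resource` parameter from `adaptSecurityGroupRules` cements the behaviour that every security group is given every `Microsoft.Network/networkSecurityGroups/securityRules` resource in the deployment, not only the rules that belong to it; the parameter was the natural place to scope rules to their parent group. Unless a deployment is guaranteed to hold a single NSG, a rule from one group is attributed to all of them, so a finding about a permissive rule is raised against groups that never declared it. This is also outside the scope named in the subject (wrapping PortRange), so it deserves a mention in the description or its own commit. If the unscoped behaviour is intended for now, say so on the function: `// adaptSecurityGroupRules returns every securityRules resource in the deployment; rules are not yet scoped to their parent NSG.` Which property of azure.Resource identifies the parent group is not visible from this hunk.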
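Review bot: `expandRange` is now identical in this file and in pkg/iac/adapters/terraform/azure/network/adapt.go (hunk @@ -189), including the new `iacTypes.Int(start, m)` / `iacTypes.Int(end, m)` wrapping, so a future fix to the range parsing is likely to land in one adapter only. Consider moving it next to `network.PortRange` in pkg/iac/providers/azure/network so both adapters share one implementation. The parsing of `r` that yields `start` and `end` lies above this hunk, so its handling of malformed input can't be reviewed here; a doc comment such as `// expandRange converts the port-range string r into a PortRange whose Start and End carry metadata m.` would make the contract explicit.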
@@ -136,8 +136,8 @@ func (a *adapter) adaptSource(ruleBlock *terraform.Block, rule *network.Security
 f := sourcePortRangeAttr.AsNumber()
 rule.SourcePorts = append(rule.SourcePorts, network.PortRange{
 Metadata: sourcePortRangeAttr.GetMetadata(),
- Start: int(f),
- End: int(f),
+ Start: iacTypes.Int(int(f), sourcePortRangeAttr.GetMetadata()),
+ End: iacTypes.Int(int(f), sourcePortRangeAttr.GetMetadata()),
 })
 }
 }
@@ -160,8 +160,8 @@ func (a *adapter) adaptDestination(ruleBlock *terraform.Block, rule *network.Sec
 f := destPortRangeAttr.AsNumber()
 rule.DestinationPorts = append(rule.DestinationPorts, network.PortRange{
 Metadata: destPortRangeAttr.GetMetadata(),
- Start: int(f),
- End: int(f),
+ Start: iacTypes.Int(int(f), destPortRangeAttr.GetMetadata()),
+ End: iacTypes.Int(int(f), destPortRangeAttr.GetMetadata()),
 })
 }
 }
@@ -189,8 +189,8 @@ func expandRange(r string, m iacTypes.Metadata) network.PortRange {
 return network.PortRange{
 Metadata: m,
- Start: start,
- End: end,
+ Start: iacTypes.Int(start, m),
+ End: iacTypes.Int(end, m),
 }
 }
diff --git a/pkg/iac/adapters/terraform/azure/network/adapt_test.go b/pkg/iac/adapters/terraform/azure/network/adapt_test.go
index 15b966b06ffc..99931b6b2d3e 100644
--- a/pkg/iac/adapters/terraform/azure/network/adapt_test.go
+++ b/pkg/iac/adapters/terraform/azure/network/adapt_test.go
@@ -65,15 +65,15 @@ func Test_Adapt(t *testing.T) {
 SourcePorts: []network.PortRange{
 {
 Metadata: iacTypes.NewTestMetadata(),
- Start: 0,
- End: 65535,
+ Start: iacTypes.IntTest(0),
+ End: iacTypes.IntTest(65535),
 },
 },
 DestinationPorts: []network.PortRange{
 {
 Metadata: iacTypes.NewTestMetadata(),
- Start: 3389,
- End: 3389,
+ Start: iacTypes.IntTest(3389),
+ End: iacTypes.IntTest(3389),
 },
 },
 Protocol: iacTypes.String("TCP", iacTypes.NewTestMetadata()),
diff --git a/pkg/iac/providers/azure/network/network.go b/pkg/iac/providers/azure/network/network.go
index 71c56b62b465..4fdc56e44e86 100755
--- a/pkg/iac/providers/azure/network/network.go
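Review bot: `sourcePortRangeAttr.GetMetadata()` is now evaluated three times inside one literal; hoisting it into a local keeps the literal readable and makes it obvious that all three values share one origin: `meta := sourcePortRangeAttr.GetMetadata()` followed by `Metadata: meta, Start: iacTypes.Int(int(f), meta), End: iacTypes.Int(int(f), meta),`. The same shape recurs in `adaptDestination` at @@ -160 with `destPortRangeAttr`. Separately, `int(f)` still truncates whatever `AsNumber()` returned with no range check, so a fractional or out-of-range port literal is stored silently; whether the attribute is validated before this point is not visible here. The enclosing method starts and ends outside the hunk.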
+++ b/pkg/iac/providers/azure/network/network.go
@@ -27,12 +27,12 @@ type SecurityGroupRule struct {
 type PortRange struct {
 Metadata iacTypes.Metadata
- Start int
- End int
+ Start iacTypes.IntValue
+ End iacTypes.IntValue
 }
 func (r PortRange) Includes(port int) bool {
- return port >= r.Start && port <= r.End
+ return port >= r.Start.Value() && port <= r.End.Value()
 }
 type NetworkWatcherFlowLog struct {
From 5a3f9703a696d505b093dcb9c35a2e7b87261ba9 Mon Sep 17 00:00:00 2001
From: nikpivkin
Date: Mon, 19 Aug 2024 20:25:10 +0600
Subject: [PATCH 2/2] chore: generate cloud schema
Signed-off-by: nikpivkin
---
 pkg/iac/rego/schemas/cloud.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
index a4bab9423d38..530ba5bfaa1f 100644
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -5207,10 +5207,12 @@
 "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.Metadata"
 },
 "end": {
- "type": "integer"
+ "type": "object",
+ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
 },
 "start": {
- "type": "integer"
+ "type": "object",
+ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
 }
 }
 },
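Review bot: Changing `Start`/`End` from `int` to `iacTypes.IntValue` changes the JSON shape that Rego checks receive — `start`/`end` become objects, as the regenerated cloud.json in the second patch shows with its `IntValue` `$ref` — so any check that compares `start`/`end` as a plain integer will no longer evaluate as intended, and the bundled checks are not part of this series; that compatibility should be confirmed before merge. The exported type and method also carry no doc comments; suggest `// PortRange is an inclusive range of ports on a security group rule.` on the struct and `// Includes reports whether port lies within the inclusive range [Start, End].` on the method, which matches the `>=`/`<=` comparisons in the new return line. What `Value()` yields for an unresolved IntValue is not visible here; if it is zero, an unresolved range degrades to [0, 0] inside Includes, which may warrant an explicit guard.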