Merge branch 'master' into patch-1

deploy/helm/values.yaml

@@ -1,5 +1,5 @@
 terrascan_webhook_key: terrakey
-terrascan_container_image: tenable/terrascan:1.15.0
+terrascan_container_image: tenable/terrascan:1.16.0
 terrascan_service_type: ClusterIP
 use_debug: true
 # provide secrets for admission controller

deploy/kustomize/base/deployment.yaml

@@ -20,7 +20,7 @@ spec:
               name: terrascan-data-sync
       containers:
       - name: terrascan-server
-        image: tenable/terrascan:1.15.0
+        image: tenable/terrascan:1.16.0
         imagePullPolicy: IfNotPresent
         resources:
           limits:

go.mod

@@ -45,13 +45,13 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.20.2
 	github.com/open-policy-agent/opa v0.22.0
-	github.com/owenrumney/go-sarif v1.0.12
+	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/pelletier/go-toml v1.9.3
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/afero v1.6.0
 	github.com/spf13/cobra v1.1.3
 	github.com/stretchr/testify v1.7.0
-	github.com/zclconf/go-cty v1.9.1
+	github.com/zclconf/go-cty v1.10.0
 	go.uber.org/zap v1.16.0
 	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f
 	golang.org/x/tools v0.1.12 // indirect
@@ -177,7 +177,6 @@ require (
 	go.uber.org/atomic v1.6.0 // indirect
 	go.uber.org/multierr v1.5.0 // indirect
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect
 	golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect

go.sum

@@ -1158,8 +1158,9 @@ github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
-github.com/owenrumney/go-sarif v1.0.12 h1:8cgnqe7MbXGDJYEiMc0jeFi7opwgWM8GWBPAAnn2Ut8=
-github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
+github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
+github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U=
+github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/packer-community/winrmcp v0.0.0-20180921211025-c76d91c1e7db/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -1435,8 +1436,8 @@ github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLE
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc=
-github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
@@ -1530,7 +1531,6 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 h1:QE6XYQK6naiK1EPAe1g/ILLxN5RBoH5xkJk3CqlMI/Y=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e h1:qyrTQ++p1afMkO4DPEeLGq/3oTsdlvdH4vqZUBWzUKM=
-golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

pkg/iac-providers/cft/v1/load-file.go

@@ -135,14 +135,14 @@ func (a *CFTV1) cleanTemplate(templateMap map[string]interface{}, absFilePath st
 		resourceData, err := json.Marshal(resourceInfo)
 		if err != nil {
 			zap.S().Debug("failed to marshal json for resource", zap.String("resource", resourceName), zap.Error(err))
-			multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()})
+			a.errIacLoadDirs = multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()})
 			continue
 		}
 
 		template, err := goformation.ParseJSON(resourceData)
 		if err != nil {
 			zap.S().Debug("failed to generate template for resource", zap.String("resource", resourceName), zap.Error(err))
-			multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()})
+			a.errIacLoadDirs = multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()})
 			continue
 		}
 

pkg/iac-providers/output/types.go

@@ -41,6 +41,7 @@ type ResourceConfig struct {
 	MinSeverity         string             `json:"min_severity"`
 	ContainerImages     []ContainerDetails `json:"container_images,omitempty"`
 	InitContainerImages []ContainerDetails `json:"init_container_images,omitempty"`
+	IsRemoteModule      *bool              `json:"is_remote_module,omitempty"`
 }
 
 // ContainerDetails holds information about container name, image and vulberabilities

pkg/iac-providers/terraform/commons/load-dir.go

@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -209,12 +210,16 @@ func (t TerraformDirectoryLoader) loadDirRecursive(dirList []string) (output.All
 				// resolve references
 				resourceConfig.Config = r.ResolveRefs(resourceConfig.Config.(jsonObj))
 
+				var isRemoteModule bool
 				// source file path
-				resourceConfig.Source, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir)
+				resourceConfig.Source, isRemoteModule, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir)
 				if err != nil {
 					t.addError(err.Error(), dir)
 					continue
 				}
+				if isRemoteModule {
+					resourceConfig.IsRemoteModule = &isRemoteModule
+				}
 
 				// tf plan directory relative path
 				planRoot, err := filepath.Rel(t.absRootDir, dir)
@@ -332,14 +337,18 @@ func (t TerraformDirectoryLoader) loadDirNonRecursive() (output.AllResourceConfi
 
 			// resolve references
 			resourceConfig.Config = r.ResolveRefs(resourceConfig.Config.(jsonObj))
-
+			var isRemoteModule bool
 			// source file path
-			resourceConfig.Source, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir)
+			resourceConfig.Source, isRemoteModule, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir)
 			if err != nil {
 				errMessage := fmt.Sprintf("failed to get resource's filepath: %v", err)
 				return allResourcesConfig, multierror.Append(t.errIacLoadDirs, results.DirScanErr{IacType: "terraform", Directory: t.absRootDir, ErrMessage: errMessage})
 			}
 
+			if isRemoteModule {
+				resourceConfig.IsRemoteModule = &isRemoteModule
+			}
+
 			// add tf plan directory relative path
 			resourceConfig.PlanRoot = fmt.Sprintf(".%s", string(os.PathSeparator))
 
@@ -489,29 +498,38 @@ func GetRemoteLocation(cache map[string]string, resourcePath string) (remoteURL,
 }
 
 // GetConfigSource - get the source path for the resource
-func GetConfigSource(remoteURLMapping map[string]string, resourceConfig output.ResourceConfig, absRootDir string) (string, error) {
+func GetConfigSource(remoteURLMapping map[string]string, resourceConfig output.ResourceConfig, absRootDir string) (string, bool, error) {
 	var (
-		source string
-		err    error
-		rel    string
+		source   string
+		err      error
+		rel      string
+		isRemote bool
 	)
+
 	// Get source path if remote module used
 	remoteURL, tempDir := GetRemoteLocation(remoteURLMapping, resourceConfig.Source)
 	if remoteURL != "" {
 		rel, err = filepath.Rel(tempDir, resourceConfig.Source)
 		if err != nil {
 			errMessage := fmt.Sprintf("failed to get remote resource's %s filepath: %v", resourceConfig.Name, err)
-			return source, errors.New(errMessage)
+			return source, false, errors.New(errMessage)
+		}
+		isRemote = true
+
+		source = filepath.Join(url.PathEscape(remoteURL), rel)
+		source, err = url.PathUnescape(source)
+		if err != nil {
+			errMessage := fmt.Sprintf("failed to get remote resource's %s filepath: %v", resourceConfig.Name, err)
+			return source, false, errors.New(errMessage)
 		}
-		source = filepath.Join(filepath.Clean(remoteURL), rel)
 	} else {
 		// source file path
 		source, err = filepath.Rel(absRootDir, resourceConfig.Source)
 		if err != nil {
-			return source, err
+			return source, false, err
 		}
 	}
-	return source, nil
+	return source, isRemote, nil
 }
 
 // GetRemoteModuleIfPresentInTerraformSrc - Gets the remote module if present in terraform init cache

pkg/iac-providers/terraform/commons/load-dir_test.go

@@ -257,7 +257,7 @@ func TestGetConfigSource(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := GetConfigSource(tt.args.remoteURLMapping, tt.args.resourceConfig, tt.args.absRootDir)
+			got, _, err := GetConfigSource(tt.args.remoteURLMapping, tt.args.resourceConfig, tt.args.absRootDir)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("GetConfigSource() error = %v, wantErr %v", err, tt.wantErr)
 				return

pkg/mapper/iac-providers/cft/config/elasticloadbalancingv2-listener.go

@@ -25,6 +25,7 @@ import (
 type ElasticLoadBalancingV2ListenerConfig struct {
 	Config
 	Protocol      string                `json:"protocol"`
+	Port          int                   `json:"port"`
 	DefaultAction []DefaultActionConfig `json:"default_action"`
 }
 
@@ -36,6 +37,7 @@ type DefaultActionConfig struct {
 // RedirectConfig holds config for redirect attirbute of default_action
 type RedirectConfig struct {
 	Protocol string `json:"protocol"`
+	Port     string `json:"port"`
 }
 
 // GetElasticLoadBalancingV2ListenerConfig returns config for aws_lb_listener
@@ -49,13 +51,15 @@ func GetElasticLoadBalancingV2ListenerConfig(l *elasticloadbalancingv2.Listener)
 		cf := ElasticLoadBalancingV2ListenerConfig{
 			Config:   Config{},
 			Protocol: functions.GetVal(l.Protocol),
+			Port:     functions.GetVal(l.Port),
 		}
 		if action.RedirectConfig != nil {
 			defaultAction := []DefaultActionConfig{
 				{
 					RedirectConfig: []RedirectConfig{
 						{
 							Protocol: functions.GetVal(action.RedirectConfig.Protocol),
+							Port:     functions.GetVal(action.RedirectConfig.Port),
 						},
 					},
 				},

pkg/mapper/iac-providers/cft/config/s3-bucket-policy.go

@@ -26,6 +26,7 @@ import (
 type S3BucketPolicyConfig struct {
 	Config
 	PolicyDocument string `json:"policy"`
+	Bucket         string `json:"bucket"`
 }
 
 // GetS3BucketPolicyConfig returns config for aws_s3_bucket_policy
@@ -34,6 +35,7 @@ func GetS3BucketPolicyConfig(p *s3.BucketPolicy) []AWSResourceConfig {
 		Config: Config{
 			Name: p.Bucket,
 		},
+		Bucket: p.Bucket,
 	}
 
 	policyDocument, err := json.Marshal(p.PolicyDocument)

pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego

@@ -2,5 +2,5 @@ package accurics
 
 {{.prefix}}cloudTrailMultiRegionEnabled[cloud_trail.id]{
     cloud_trail = input.aws_cloudtrail[_]
-    object.get(cloud_trail, "is_multi_region_trail", "undefined") == "undefined"
-}
+    object.get(cloud_trail.config, "is_multi_region_trail", "undefined") == "undefined"
+}

pkg/writer/github_sarif_test.go

@@ -18,9 +18,8 @@ const violationTemplateForGH = `{
             {
               "tool": {
                 "driver": {
-                  "name": "terrascan",
-                  "version": "%s",
                   "informationUri": "https://github.com/tenable/terrascan",
+                  "name": "terrascan",
                   "rules": [
                     {
                       "id": "AWS.S3Bucket.DS.High.1043",
@@ -33,12 +32,14 @@ const violationTemplateForGH = `{
                         "severity": "HIGH"
                       }
                     }
-                  ]
+                  ],
+                  "version": "%s"
                 }
               },
               "results": [
                 {
                   "ruleId": "AWS.S3Bucket.DS.High.1043",
+                  "ruleIndex": 0,
                   "level": "error",
                   "message": {
                     "text": "S3 bucket Access is allowed to all AWS Account Users."
@@ -48,7 +49,7 @@ const violationTemplateForGH = `{
                       "physicalLocation": {
                         "artifactLocation": {
                           "uri": "%s",
-						  "uriBaseId": "test"
+                          "uriBaseId": "test"
                         },
                         "region": {
                           "startLine": 20

pkg/writer/sarif.go

@@ -22,7 +22,7 @@ import (
 	"strings"
 
 	"github.com/go-errors/errors"
-	"github.com/owenrumney/go-sarif/sarif"
+	"github.com/owenrumney/go-sarif/v2/sarif"
 	"github.com/tenable/terrascan/pkg/policy"
 	"github.com/tenable/terrascan/pkg/utils"
 	"github.com/tenable/terrascan/pkg/version"
@@ -49,7 +49,7 @@ func writeSarif(data interface{}, writers []io.Writer, forGithub bool) error {
 		return err
 	}
 
-	run := sarif.NewRun("terrascan", "https://github.com/tenable/terrascan")
+	run := sarif.NewRunWithInformationURI("terrascan", "https://github.com/tenable/terrascan")
 	run.Tool.Driver.WithVersion(version.GetNumeric())
 	// add a run to the report
 	report.AddRun(run)
@@ -97,10 +97,26 @@ func writeSarif(data interface{}, writers []io.Writer, forGithub bool) error {
 				WithKind(violation.ResourceType).WithName(violation.ResourceName))
 		}
 
-		run.AddResult(rule.ID).
+		run.AddResult(sarif.NewRuleResult(rule.ID).
 			WithMessage(sarif.NewTextMessage(violation.Description)).
 			WithLevel(getSarifLevel(violation.Severity)).
-			WithLocation(location)
+			WithLocations([]*sarif.Location{location}))
+	}
+
+	if len(outputData.DirScanErrors) > 0 {
+		notifications := []*sarif.Notification{}
+
+		for _, dirScanError := range outputData.DirScanErrors {
+			notifications = append(notifications,
+				sarif.NewNotification().
+					WithLevel("warning").
+					WithMessage(sarif.NewTextMessage(dirScanError.ErrMessage)))
+		}
+
+		invocation := sarif.NewInvocation().
+			WithExecutionSuccess(true).
+			WithToolExecutionNotifications(notifications)
+		run.Invocations = append(run.Invocations, invocation)
 	}
 
 	for _, writer := range writers {