diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index 359bb00c9..0c78fe2b3 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -1,5 +1,5 @@ terrascan_webhook_key: terrakey -terrascan_container_image: tenable/terrascan:1.15.0 +terrascan_container_image: tenable/terrascan:1.16.0 terrascan_service_type: ClusterIP use_debug: true # provide secrets for admission controller diff --git a/deploy/kustomize/base/deployment.yaml b/deploy/kustomize/base/deployment.yaml index 171f7003c..02ddb99ee 100644 --- a/deploy/kustomize/base/deployment.yaml +++ b/deploy/kustomize/base/deployment.yaml @@ -20,7 +20,7 @@ spec: name: terrascan-data-sync containers: - name: terrascan-server - image: tenable/terrascan:1.15.0 + image: tenable/terrascan:1.16.0 imagePullPolicy: IfNotPresent resources: limits: diff --git a/go.mod b/go.mod index ae79891e1..91cc390ff 100644 --- a/go.mod +++ b/go.mod @@ -45,13 +45,13 @@ require ( github.com/onsi/ginkgo v1.16.4 github.com/onsi/gomega v1.20.2 github.com/open-policy-agent/opa v0.22.0 - github.com/owenrumney/go-sarif v1.0.12 + github.com/owenrumney/go-sarif/v2 v2.1.2 github.com/pelletier/go-toml v1.9.3 github.com/pkg/errors v0.9.1 github.com/spf13/afero v1.6.0 github.com/spf13/cobra v1.1.3 github.com/stretchr/testify v1.7.0 - github.com/zclconf/go-cty v1.9.1 + github.com/zclconf/go-cty v1.10.0 go.uber.org/zap v1.16.0 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f golang.org/x/tools v0.1.12 // indirect @@ -177,7 +177,6 @@ require ( go.uber.org/atomic v1.6.0 // indirect go.uber.org/multierr v1.5.0 // indirect golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect - golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect diff --git a/go.sum b/go.sum index 49aa7dc9d..a089ca02c 100644 --- a/go.sum 
+++ b/go.sum
@@ -1158,8 +1158,9 @@ github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
-github.com/owenrumney/go-sarif v1.0.12 h1:8cgnqe7MbXGDJYEiMc0jeFi7opwgWM8GWBPAAnn2Ut8=
-github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
+github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
+github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U=
+github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/packer-community/winrmcp v0.0.0-20180921211025-c76d91c1e7db/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -1435,8 +1436,8 @@ github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLE
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc=
-github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
@@ -1530,7 +1531,6 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 h1:QE6XYQK6naiK1EPAe1g/ILLxN5RBoH5xkJk3CqlMI/Y=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e h1:qyrTQ++p1afMkO4DPEeLGq/3oTsdlvdH4vqZUBWzUKM=
-golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
diff --git a/pkg/iac-providers/cft/v1/load-file.go b/pkg/iac-providers/cft/v1/load-file.go index 2e6780193..c2bd9e9ba 100644 --- a/pkg/iac-providers/cft/v1/load-file.go +++ b/pkg/iac-providers/cft/v1/load-file.go @@ -135,14 +135,14 @@ func (a *CFTV1) cleanTemplate(templateMap map[string]interface{}, absFilePath st resourceData, err := json.Marshal(resourceInfo) if err != nil { zap.S().Debug("failed to marshal json for resource", zap.String("resource", resourceName), zap.Error(err)) - multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()}) + a.errIacLoadDirs = multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()}) continue } template, err := goformation.ParseJSON(resourceData) if err != nil { zap.S().Debug("failed to generate template for resource", zap.String("resource", resourceName), zap.Error(err)) - multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()}) + a.errIacLoadDirs = multierr.Append(a.errIacLoadDirs, results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ErrMessage: err.Error()}) continue } diff --git a/pkg/iac-providers/output/types.go b/pkg/iac-providers/output/types.go index cf665445e..526eab94c 100644 --- a/pkg/iac-providers/output/types.go +++ b/pkg/iac-providers/output/types.go @@ -41,6 +41,7 @@ type ResourceConfig struct { MinSeverity string `json:"min_severity"` ContainerImages []ContainerDetails `json:"container_images,omitempty"` InitContainerImages []ContainerDetails `json:"init_container_images,omitempty"` + IsRemoteModule *bool `json:"is_remote_module,omitempty"` } // ContainerDetails holds information about container name, image and vulberabilities diff --git a/pkg/iac-providers/terraform/commons/load-dir.go b/pkg/iac-providers/terraform/commons/load-dir.go index 1ec931aa3..ad6cb49b4 100644 
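Review bot: Both error branches in this hunk hand `zap.String(...)` and `zap.Error(err)` fields to `zap.S().Debug`, which is the sugared logger's fmt.Sprint-style method, so the fields are printed as struct values instead of structured key/value pairs; use `zap.S().Debugw("failed to marshal json for resource", "resource", resourceName, "error", err)` (and the same for the parse failure), or `zap.L().Debug(...)` with the existing fields. Assigning the result of `multierr.Append` is the right fix, since the previous calls discarded the combined error. The two `results.DirScanErr{IacType: "cft", Directory: filepath.Dir(absFilePath), ...}` literals differ only in the message, so a small helper on `*CFTV1` that appends a DirScanErr for a given message would remove the duplication. cleanTemplate starts and ends outside the hunk.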
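Review bot: `IsRemoteModule *bool` is only ever assigned when the value is true (the callers in load-dir.go in this commit do `if isRemoteModule { resourceConfig.IsRemoteModule = &isRemoteModule }`), so nil and false are never distinguished and a plain `IsRemoteModule bool` with the same `json:"is_remote_module,omitempty"` tag would produce identical JSON without the pointer; the yaml_test.go change shows the pointer also surfaces as `isremotemodule: null` in YAML output. If the tri-state is intended (unknown versus known local versus remote), record it on the field, e.g. `// IsRemoteModule is set only for resources loaded from a remote module; nil means local or not applicable.` The ResourceConfig struct starts outside the hunk.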
--- a/pkg/iac-providers/terraform/commons/load-dir.go +++ b/pkg/iac-providers/terraform/commons/load-dir.go @@ -20,6 +20,7 @@ import ( "encoding/json" "errors" "fmt" + "net/url" "os" "path/filepath" "strings" @@ -209,12 +210,16 @@ func (t TerraformDirectoryLoader) loadDirRecursive(dirList []string) (output.All // resolve references resourceConfig.Config = r.ResolveRefs(resourceConfig.Config.(jsonObj)) + var isRemoteModule bool // source file path - resourceConfig.Source, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir) + resourceConfig.Source, isRemoteModule, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir) if err != nil { t.addError(err.Error(), dir) continue } + if isRemoteModule { + resourceConfig.IsRemoteModule = &isRemoteModule + } // tf plan directory relative path planRoot, err := filepath.Rel(t.absRootDir, dir) @@ -332,14 +337,18 @@ func (t TerraformDirectoryLoader) loadDirNonRecursive() (output.AllResourceConfi // resolve references resourceConfig.Config = r.ResolveRefs(resourceConfig.Config.(jsonObj)) - + var isRemoteModule bool // source file path - resourceConfig.Source, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir) + resourceConfig.Source, isRemoteModule, err = GetConfigSource(remoteURLMapping, resourceConfig, t.absRootDir) if err != nil { errMessage := fmt.Sprintf("failed to get resource's filepath: %v", err) return allResourcesConfig, multierror.Append(t.errIacLoadDirs, results.DirScanErr{IacType: "terraform", Directory: t.absRootDir, ErrMessage: errMessage}) } + if isRemoteModule { + resourceConfig.IsRemoteModule = &isRemoteModule + } + // add tf plan directory relative path resourceConfig.PlanRoot = fmt.Sprintf(".%s", string(os.PathSeparator)) 
@@ -489,29 +498,38 @@ func GetRemoteLocation(cache map[string]string, resourcePath string) (remoteURL, } // GetConfigSource - get the source path for the resource -func GetConfigSource(remoteURLMapping map[string]string, resourceConfig output.ResourceConfig, absRootDir string) (string, error) { +func GetConfigSource(remoteURLMapping map[string]string, resourceConfig output.ResourceConfig, absRootDir string) (string, bool, error) { var ( - source string - err error - rel string + source string + err error + rel string + isRemote bool ) + // Get source path if remote module used remoteURL, tempDir := GetRemoteLocation(remoteURLMapping, resourceConfig.Source) if remoteURL != "" { rel, err = filepath.Rel(tempDir, resourceConfig.Source) if err != nil { errMessage := fmt.Sprintf("failed to get remote resource's %s filepath: %v", resourceConfig.Name, err) - return source, errors.New(errMessage) + return source, false, errors.New(errMessage) + } + isRemote = true + + source = filepath.Join(url.PathEscape(remoteURL), rel) + source, err = url.PathUnescape(source) + if err != nil { + errMessage := fmt.Sprintf("failed to get remote resource's %s filepath: %v", resourceConfig.Name, err) + return source, false, errors.New(errMessage) } - source = filepath.Join(filepath.Clean(remoteURL), rel) } else { // source file path source, err = filepath.Rel(absRootDir, resourceConfig.Source) if err != nil { - return source, err + return source, false, err } } - return source, nil + return source, isRemote, nil } // GetRemoteModuleIfPresentInTerraformSrc - Gets the remote module if present in terraform init cache diff --git a/pkg/iac-providers/terraform/commons/load-dir_test.go b/pkg/iac-providers/terraform/commons/load-dir_test.go index 3f5b09f9c..15c0332da 100644 --- a/pkg/iac-providers/terraform/commons/load-dir_test.go +++ b/pkg/iac-providers/terraform/commons/load-dir_test.go 
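Review bot: The `url.PathEscape`/`url.PathUnescape` round-trip around `filepath.Join` in the remote branch is not explained; it appears to exist so that `filepath.Join`'s cleaning cannot collapse the `//` in the remote URL scheme the way the previous `filepath.Clean(remoteURL)` did, and that deserves a comment on the `source = filepath.Join(url.PathEscape(remoteURL), rel)` line, e.g. `// escape the URL so filepath.Join treats it as one opaque segment and does not clean "//" out of the scheme; unescape afterwards`. On Windows `filepath.Join` inserts a backslash between the URL and `rel`, which the unescape does not undo, so confirm that is acceptable for the source path shown to users. The PathUnescape failure path returns the partially built `source` together with the error and reuses the "failed to get remote resource's %s filepath" text, which hides which step failed; returning `""` with a message that names the unescape step would make the failure diagnosable. `rel` from `filepath.Rel` is joined without checking that it stays under `tempDir`; if the value is only ever a display label that is fine, but a comment saying so would stop a reader from assuming it is used to open files.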
@@ -257,7 +257,7 @@ func TestGetConfigSource(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := GetConfigSource(tt.args.remoteURLMapping, tt.args.resourceConfig, tt.args.absRootDir) + got, _, err := GetConfigSource(tt.args.remoteURLMapping, tt.args.resourceConfig, tt.args.absRootDir) if (err != nil) != tt.wantErr { t.Errorf("GetConfigSource() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/mapper/iac-providers/cft/config/elasticloadbalancingv2-listener.go b/pkg/mapper/iac-providers/cft/config/elasticloadbalancingv2-listener.go index e2592e4db..4eb032bad 100644 --- a/pkg/mapper/iac-providers/cft/config/elasticloadbalancingv2-listener.go +++ b/pkg/mapper/iac-providers/cft/config/elasticloadbalancingv2-listener.go @@ -25,6 +25,7 @@ import ( type ElasticLoadBalancingV2ListenerConfig struct { Config Protocol string `json:"protocol"` + Port int `json:"port"` DefaultAction []DefaultActionConfig `json:"default_action"` } @@ -36,6 +37,7 @@ type DefaultActionConfig struct { // RedirectConfig holds config for redirect attirbute of default_action type RedirectConfig struct { Protocol string `json:"protocol"` + Port string `json:"port"` } // GetElasticLoadBalancingV2ListenerConfig returns config for aws_lb_listener @@ -49,6 +51,7 @@ func GetElasticLoadBalancingV2ListenerConfig(l *elasticloadbalancingv2.Listener) cf := ElasticLoadBalancingV2ListenerConfig{ Config: Config{}, Protocol: functions.GetVal(l.Protocol), + Port: functions.GetVal(l.Port), } if action.RedirectConfig != nil { defaultAction := []DefaultActionConfig{ @@ -56,6 +59,7 @@ func GetElasticLoadBalancingV2ListenerConfig(l *elasticloadbalancingv2.Listener) RedirectConfig: []RedirectConfig{ { Protocol: functions.GetVal(action.RedirectConfig.Protocol), + Port: functions.GetVal(action.RedirectConfig.Port), }, }, }, 
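Review bot: The new boolean return of `GetConfigSource` is discarded with `got, _, err :=`, so the table test never checks whether the remote-module flag is reported correctly for the remote and local cases the table already covers. Add a `wantRemote bool` field to the cases and assert it next to `got`, e.g. `got, gotRemote, err := GetConfigSource(tt.args.remoteURLMapping, tt.args.resourceConfig, tt.args.absRootDir)` followed by `if gotRemote != tt.wantRemote { t.Errorf("GetConfigSource() remote = %v, want %v", gotRemote, tt.wantRemote) }`. TestGetConfigSource and its table start outside the hunk.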
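Review bot: The two new fields are both tagged `json:"port"` but differ in type — `ElasticLoadBalancingV2ListenerConfig.Port` is `int` while `RedirectConfig.Port` is `string` — and nothing in the file records why; a one-line comment on `RedirectConfig.Port` stating the reason (presumably it mirrors the goformation and Terraform redirect types, which are not visible here) would stop a later reader from "fixing" it to `int`. `Port int` without `omitempty` emits `"port": 0` whenever the listener has no port, which a policy comparing against `0` could misread; `json:"port,omitempty"` is worth considering if absent and zero should be treated alike. GetElasticLoadBalancingV2ListenerConfig starts and ends outside the hunks.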
diff --git a/pkg/mapper/iac-providers/cft/config/s3-bucket-policy.go b/pkg/mapper/iac-providers/cft/config/s3-bucket-policy.go index b8f9770c0..7cf85864d 100644 --- a/pkg/mapper/iac-providers/cft/config/s3-bucket-policy.go +++ b/pkg/mapper/iac-providers/cft/config/s3-bucket-policy.go @@ -26,6 +26,7 @@ import ( type S3BucketPolicyConfig struct { Config PolicyDocument string `json:"policy"` + Bucket string `json:"bucket"` } // GetS3BucketPolicyConfig returns config for aws_s3_bucket_policy @@ -34,6 +35,7 @@ func GetS3BucketPolicyConfig(p *s3.BucketPolicy) []AWSResourceConfig { Config: Config{ Name: p.Bucket, }, + Bucket: p.Bucket, } policyDocument, err := json.Marshal(p.PolicyDocument) diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego b/pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego index faa17c965..d5546c134 100644 --- a/pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego +++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego @@ -2,5 +2,5 @@ package accurics {{.prefix}}cloudTrailMultiRegionEnabled[cloud_trail.id]{ cloud_trail = input.aws_cloudtrail[_] - object.get(cloud_trail, "is_multi_region_trail", "undefined") == "undefined" -} \ No newline at end of file + object.get(cloud_trail.config, "is_multi_region_trail", "undefined") == "undefined" +} diff --git a/pkg/writer/github_sarif_test.go b/pkg/writer/github_sarif_test.go index 62a1ae981..767c80bd4 100644 --- a/pkg/writer/github_sarif_test.go +++ b/pkg/writer/github_sarif_test.go @@ -18,9 +18,8 @@ const violationTemplateForGH = `{ { "tool": { "driver": { - "name": "terrascan", - "version": "%s", "informationUri": "https://github.com/tenable/terrascan", + "name": "terrascan", "rules": [ { "id": "AWS.S3Bucket.DS.High.1043", 
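Review bot: The corrected rule still reports a trail only when `is_multi_region_trail` is absent from `cloud_trail.config`; a trail that explicitly sets `is_multi_region_trail` to `false` is not flagged, which is the more likely real-world misconfiguration. Unless a sibling rule covers the explicit-false case, the check should be `object.get(cloud_trail.config, "is_multi_region_trail", false) == false` so that both absent and false are reported. A golden test with an explicit `false` is worth adding either way, since the pre-fix rule fired on every trail regardless of the attribute and would have masked that gap.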
@@ -33,12 +32,14 @@ const violationTemplateForGH = `{ "severity": "HIGH" } } - ] + ], + "version": "%s" } }, "results": [ { "ruleId": "AWS.S3Bucket.DS.High.1043", + "ruleIndex": 0, "level": "error", "message": { "text": "S3 bucket Access is allowed to all AWS Account Users." @@ -48,7 +49,7 @@ const violationTemplateForGH = `{ "physicalLocation": { "artifactLocation": { "uri": "%s", - "uriBaseId": "test" + "uriBaseId": "test" }, "region": { "startLine": 20 diff --git a/pkg/writer/sarif.go b/pkg/writer/sarif.go index 7a225ee1c..65a7c2651 100644 --- a/pkg/writer/sarif.go +++ b/pkg/writer/sarif.go @@ -22,7 +22,7 @@ import ( "strings" "github.com/go-errors/errors" - "github.com/owenrumney/go-sarif/sarif" + "github.com/owenrumney/go-sarif/v2/sarif" "github.com/tenable/terrascan/pkg/policy" "github.com/tenable/terrascan/pkg/utils" "github.com/tenable/terrascan/pkg/version" @@ -49,7 +49,7 @@ func writeSarif(data interface{}, writers []io.Writer, forGithub bool) error { return err } - run := sarif.NewRun("terrascan", "https://github.com/tenable/terrascan") + run := sarif.NewRunWithInformationURI("terrascan", "https://github.com/tenable/terrascan") run.Tool.Driver.WithVersion(version.GetNumeric()) // add a run to the report report.AddRun(run) 
@@ -97,10 +97,26 @@ func writeSarif(data interface{}, writers []io.Writer, forGithub bool) error { WithKind(violation.ResourceType).WithName(violation.ResourceName)) } - run.AddResult(rule.ID). + run.AddResult(sarif.NewRuleResult(rule.ID). WithMessage(sarif.NewTextMessage(violation.Description)). WithLevel(getSarifLevel(violation.Severity)). - WithLocation(location) + WithLocations([]*sarif.Location{location})) + } + + if len(outputData.DirScanErrors) > 0 { + notifications := []*sarif.Notification{} + + for _, dirScanError := range outputData.DirScanErrors { + notifications = append(notifications, + sarif.NewNotification(). + WithLevel("warning"). + WithMessage(sarif.NewTextMessage(dirScanError.ErrMessage))) + } + + invocation := sarif.NewInvocation(). + WithExecutionSuccess(true). + WithToolExecutionNotifications(notifications) + run.Invocations = append(run.Invocations, invocation) } for _, writer := range writers { diff --git a/pkg/writer/sarif_test.go b/pkg/writer/sarif_test.go index 5ecd36ade..d398c9a03 100644 --- a/pkg/writer/sarif_test.go +++ b/pkg/writer/sarif_test.go @@ -24,9 +24,8 @@ const violationTemplate = `{ { "tool": { "driver": { - "name": "terrascan", - "version": "%s", "informationUri": "https://github.com/tenable/terrascan", + "name": "terrascan", "rules": [ { "id": "AWS.S3Bucket.DS.High.1043", @@ -39,12 +38,14 @@ const violationTemplate = `{ "severity": "HIGH" } } - ] + ], + "version": "%s" } }, "results": [ { "ruleId": "AWS.S3Bucket.DS.High.1043", + "ruleIndex": 0, "level": "error", "message": { "text": "S3 bucket Access is allowed to all AWS Account Users." @@ -82,9 +83,10 @@ var expectedSarifOutput2 = fmt.Sprintf(`{ { "tool": { "driver": { + "informationUri": "https://github.com/tenable/terrascan", "name": "terrascan", - "version": "%s", - "informationUri": "https://github.com/tenable/terrascan" + "rules": [], + "version": "%s" } }, "results": [] 
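Review bot: `notifications := []*sarif.Notification{}` in the new DirScanErrors block is grown by `append` although the final size is known; `notifications := make([]*sarif.Notification, 0, len(outputData.DirScanErrors))` pre-sizes it and reads the same. The invocation is marked `WithExecutionSuccess(true)` while carrying the directory-scan failures as warnings; that is consistent with a scan that completed but skipped directories, and a short comment such as `// directory scan errors are non-fatal, so the invocation still counts as successful` would record the decision for the next reader. The literal `"warning"` level applied to every notification could become a named constant next to getSarifLevel so the two severity mappings live together. writeSarif starts and ends outside the hunk.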
@@ -99,9 +101,38 @@ var expectedSarifOutput3 = fmt.Sprintf(`{ { "tool": { "driver": { + "informationUri": "https://github.com/tenable/terrascan", "name": "terrascan", - "version": "%s", + "rules": [ + { + "id": "AWS.S3Bucket.DS.High.1043", + "name": "s3EnforceUserACL", + "shortDescription": { + "text": "S3 bucket Access is allowed to all AWS Account Users." + }, + "properties": { + "category": "S3", + "severity": "HIGH" + } + } + ], + "version": "%s" + } + }, + "results": [] + } + ] + }`, version.GetNumeric()) + +var expectedSarifOutput4 = fmt.Sprintf(`{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", + "runs": [ + { + "tool": { + "driver": { "informationUri": "https://github.com/tenable/terrascan", + "name": "terrascan", "rules": [ { "id": "AWS.S3Bucket.DS.High.1043", @@ -114,9 +145,29 @@ var expectedSarifOutput3 = fmt.Sprintf(`{ "severity": "HIGH" } } - ] + ], + "version": "%s" } }, + "invocations": [ + { + "executionSuccessful": true, + "toolExecutionNotifications": [ + { + "level": "warning", + "message": { + "text": "kustomization.y(a)ml file not found in the directory test/e2e/test_data/iac/aws/aws_db_instance_violation" + } + }, + { + "level": "warning", + "message": { + "text": "no helm charts found in directory test/e2e/test_data/iac/aws/aws_db_instance_violation" + } + } + ] + } + ], "results": [] } ] @@ -150,6 +201,11 @@ func TestSarifWriter(t *testing.T) { input: outputWithPassedRules, expectedOutput: expectedSarifOutput3, }, + { + name: "Human Readable Writer: with directory scan error", + input: outputWithDirScanErrors, + expectedOutput: expectedSarifOutput4, + }, } for _, tt := range tests { diff --git a/pkg/writer/yaml_test.go b/pkg/writer/yaml_test.go index 736bee1bb..08c1df1fa 100644 --- a/pkg/writer/yaml_test.go +++ b/pkg/writer/yaml_test.go 
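Review bot: The new table entry is named `"Human Readable Writer: with directory scan error"` but lives in TestSarifWriter and exercises the SARIF writer; the name should say so, e.g. `name: "SARIF Writer: with directory scan error"` (if the neighbouring cases carry the same copied prefix, fixing them together would be consistent, but the new line should not add to it). `expectedSarifOutput4` hard-codes the two scan-error messages for `test/e2e/test_data/iac/aws/aws_db_instance_violation`, so the case is only stable if `outputWithDirScanErrors`, which is defined outside this hunk, uses exactly those strings; sharing them through one constant would avoid drift. TestSarifWriter's table and loop extend beyond the hunk.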
@@ -102,7 +102,8 @@ const ( maxseverity: "" minseverity: "" containerimages: [] - initcontainerimages: []` + initcontainerimages: [] + isremotemodule: null` scanTestOutputYAML = `results: violations: diff --git a/release_checklist.md b/release_checklist.md index bde289c54..e6afa2c1f 100644 --- a/release_checklist.md +++ b/release_checklist.md @@ -43,7 +43,7 @@ Run the commands below to update Brew to the latest Terrascan version. If you ar ``` $ export TERRASCAN_VERSION= -$ brew bump-formula-pr --no-browse --url https://github.com/tenable/terrascan/archive/${TERRASCAN_VERSION}.tar.gz --sha256 $(curl -sL https://github.com/tenable/terrascan/archive/${TERRASCAN_VERSION}.tar.gz | sha256sum | awk '{print $1}') +$ brew bump-formula-pr --no-browse --url https://github.com/tenable/terrascan/archive/${TERRASCAN_VERSION}.tar.gz --sha256 $(curl -sL https://github.com/tenable/terrascan/archive/${TERRASCAN_VERSION}.tar.gz | sha256sum | awk '{print $1}') terrascan ``` ### Update helm chart and kustomize directory diff --git a/test/e2e/scan/golden/docker_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_sarif.txt b/test/e2e/scan/golden/docker_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_sarif.txt index 095152e32..072553b05 100644 --- a/test/e2e/scan/golden/docker_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_sarif.txt +++ b/test/e2e/scan/golden/docker_scan/dockerfiles/dockerfile_platform_flag_violations/dockerfile_platform_flag_sarif.txt @@ -5,9 +5,8 @@ { "tool": { "driver": { - "name": "terrascan", - "version": "1.9.0", "informationUri": "https://github.com/tenable/terrascan", + "name": "terrascan", "rules": [ { "id": "AC_DOCKER_0001", @@ -20,12 +19,14 @@ "severity": "MEDIUM" } } - ] + ], + "version": "1.16.0" } }, "results": [ { "ruleId": "AC_DOCKER_0001", + "ruleIndex": 0, "level": "warning", "message": { "text": "Ensure platform flag with FROM command is not used for Docker file" 
diff --git a/test/e2e/scan/golden/k8s_scans/k8s/kubernetes_ingress_violations/kubernetes_ingress_sarif.txt b/test/e2e/scan/golden/k8s_scans/k8s/kubernetes_ingress_violations/kubernetes_ingress_sarif.txt index 8e1a06078..f28815ccd 100644 --- a/test/e2e/scan/golden/k8s_scans/k8s/kubernetes_ingress_violations/kubernetes_ingress_sarif.txt +++ b/test/e2e/scan/golden/k8s_scans/k8s/kubernetes_ingress_violations/kubernetes_ingress_sarif.txt @@ -5,9 +5,8 @@ { "tool": { "driver": { - "name": "terrascan", - "version": "1.9.0", "informationUri": "https://github.com/tenable/terrascan", + "name": "terrascan", "rules": [ { "id": "AC_K8S_0001", @@ -20,12 +19,14 @@ "severity": "HIGH" } } - ] + ], + "version": "1.16.0" } }, "results": [ { "ruleId": "AC_K8S_0001", + "ruleIndex": 0, "level": "error", "message": { "text": "TLS disabled can affect the confidentiality of the data in transit" diff --git a/test/e2e/scan/golden/terraform_scans/aws/aws_ami_violations/aws_ami_violation_sarif.txt b/test/e2e/scan/golden/terraform_scans/aws/aws_ami_violations/aws_ami_violation_sarif.txt index 9da991abe..91bb14e2b 100644 --- a/test/e2e/scan/golden/terraform_scans/aws/aws_ami_violations/aws_ami_violation_sarif.txt +++ b/test/e2e/scan/golden/terraform_scans/aws/aws_ami_violations/aws_ami_violation_sarif.txt @@ -5,9 +5,8 @@ { "tool": { "driver": { - "name": "terrascan", - "version": "1.9.0", "informationUri": "https://github.com/tenable/terrascan", + "name": "terrascan", "rules": [ { "id": "AC_AWS_0001", @@ -20,12 +19,14 @@ "severity": "MEDIUM" } } - ] + ], + "version": "1.16.0" } }, "results": [ { "ruleId": "AC_AWS_0001", + "ruleIndex": 0, "level": "warning", "message": { "text": "Enable AWS AMI Encryption"