def test_account_suppression(self):
        """Check that an 'Accounts' suppression only covers its own check id.

        The suppression targets CKV_AWS_18 and lists this run's repo id
        ('org/repo') among its accountIds. A record for CKV_AWS_18 must be
        reported as suppressed; a record for CKV_AWS_1 must not, so the
        suppression cannot silence findings from an unrelated check.
        """
        platform = BcPlatformIntegration()
        platform.repo_id = 'org/repo'
        suppressions_integration = SuppressionsIntegration(platform)

        def make_record(check_id):
            # Only the check id differs between the records; the remaining
            # fields are placeholders.
            return Record(check_id=check_id, check_name=None, check_result=None,
                          code_block=None, file_path=None, file_line_range=None,
                          resource=None, evaluations=None, check_class=None,
                          file_abs_path='.', entity_tags=None)

        # NOTE(review): every case here runs with a repo id that IS listed in
        # accountIds; this test has no case for a repo id absent from the list.
        account_suppression = {
            "suppressionType": "Accounts",
            "policyId": "BC_AWS_S3_13",
            "comment": "testing checkov",
            "accountIds": ["org/repo", "not/valid"],
            "checkovPolicyId": "CKV_AWS_18",
        }

        same_check = make_record('CKV_AWS_18')
        other_check = make_record('CKV_AWS_1')

        self.assertTrue(
            suppressions_integration._check_suppression(same_check, account_suppression))
        self.assertFalse(
            suppressions_integration._check_suppression(other_check, account_suppression))
    def test_repo_match(self):
        """Check which account identifiers count as this run's repository.

        With repo_id 'org/repo', the bare id and ids carrying a '<prefix>_'
        in front of it are accepted. Ids that extend the repo name
        ('org/repo1') are rejected, with or without a prefix, so a suppression
        written for one repository does not leak onto a longer-named one.
        """
        platform = BcPlatformIntegration()
        platform.repo_id = 'org/repo'
        suppressions_integration = SuppressionsIntegration(platform)
        suppressions_integration._init_repo_regex()
        matches = suppressions_integration._repo_matches

        # Accepted: exact id, then alphabetic and numeric prefixes.
        # NOTE(review): what the prefix represents is not visible here;
        # confirm against _init_repo_regex that arbitrary prefixes are intended.
        self.assertTrue(matches('org/repo'))
        self.assertTrue(matches('xyz_org/repo'))
        self.assertTrue(matches('80001234_org/repo'))

        # Rejected: the same three shapes with one extra trailing character.
        self.assertFalse(matches('org/repo1'))
        self.assertFalse(matches('xyz_org/repo1'))
        self.assertFalse(matches('80001234_org/repo1'))
    def test_resource_suppression(self):
        """Check that a 'Resources' suppression is scoped to one resource and check.

        The suppression names a single resource in 'org/repo' with resourceId
        '/terraform/aws/s3.tf:aws_s3_bucket.operations' and targets CKV_AWS_18.
        Only the record with that check id, file path and resource is expected
        to be suppressed.
        """
        platform = BcPlatformIntegration()
        platform.repo_id = 'org/repo'
        suppressions_integration = SuppressionsIntegration(platform)

        def make_record(check_id, resource, file_abs_path='.'):
            # All three records live in the same Terraform file; only the
            # check id and resource name vary.
            record = Record(check_id=check_id, check_name=None, check_result=None,
                            code_block=None, file_path=None, file_line_range=None,
                            resource=resource, evaluations=None, check_class=None,
                            file_abs_path=file_abs_path, entity_tags=None)
            record.repo_file_path = '/terraform/aws/s3.tf'
            return record

        resource_suppression = {
            "suppressionType": "Resources",
            "policyId": "BC_AWS_S3_13",
            "comment": "No justification comment provided.",
            "resources": [
                {
                    "accountId": "org/repo",
                    "resourceId": "/terraform/aws/s3.tf:aws_s3_bucket.operations",
                }
            ],
            "checkovPolicyId": "CKV_AWS_18",
        }

        # NOTE(review): ',.' is kept exactly as found; it looks like a typo
        # for '.' and the assertions below do not appear to depend on it.
        suppressed = make_record('CKV_AWS_18', 'aws_s3_bucket.operations',
                                 file_abs_path=',.')
        # Differs in both check id and resource.
        # NOTE(review): no record here has the matching check id with a
        # different resource, so resource scoping is not tested in isolation.
        other_check_and_resource = make_record('CKV_AWS_13', 'aws_s3_bucket.no')
        # Same resource, different check id.
        other_check_same_resource = make_record('CKV_AWS_1', 'aws_s3_bucket.operations')

        self.assertTrue(
            suppressions_integration._check_suppression(suppressed, resource_suppression))
        self.assertFalse(
            suppressions_integration._check_suppression(other_check_and_resource,
                                                        resource_suppression))
        self.assertFalse(
            suppressions_integration._check_suppression(other_check_same_resource,
                                                        resource_suppression))
    def test_suppression_valid(self):
        """Check which suppressions are considered applicable to this run.

        The run is for repo 'org/repo' and knows one platform policy,
        BC_AWS_1 (mapped to CKV_AWS_20). Suppressions of each type that
        reference that policy and, where scoped, this repo are valid. A
        suppression scoped to another repo, or naming a policy id that is
        neither in the mapping nor a custom-policy id, is rejected.
        """
        platform = BcPlatformIntegration()
        platform.repo_id = 'org/repo'
        platform.bc_id_mapping = {'BC_AWS_1': 'CKV_AWS_20'}

        suppressions_integration = SuppressionsIntegration(platform)
        valid_for_run = suppressions_integration._suppression_valid_for_run

        # Account-scoped, and this repo is in the account list.
        accounts_this_repo = {
            "suppressionType": "Accounts",
            "policyId": "BC_AWS_1",
            "creationDate": 1608816140086,
            "comment": "No justification comment provided.",
            "accountIds": ["org/repo"]
        }
        self.assertTrue(valid_for_run(accounts_this_repo))

        # Resource-scoped, resource belongs to this repo.
        # NOTE(review): "resources" is a single dict here rather than a list
        # of resource dicts; confirm this matches the payload shape in use.
        resources_this_repo = {
            "suppressionType": "Resources",
            "policyId": "BC_AWS_1",
            "creationDate": 1608816140086,
            "comment": "No justification comment provided.",
            "resources": {
                "accountId": "org/repo",
                "resourceId": "/s3.tf"
            }
        }
        self.assertTrue(valid_for_run(resources_this_repo))

        # Tag-scoped, known policy.
        tags_known_policy = {
            "suppressionType": "Tags",
            "policyId": "BC_AWS_1",
            "creationDate": 1610035761349,
            "comment": "No justification comment provided.",
            "tags": [{
                "value": "test_1",
                "key": "test_num"
            }]
        }
        self.assertTrue(valid_for_run(tags_known_policy))

        # Policy-wide suppression carries no account, resource or tag scope.
        policy_wide = {
            "suppressionType": "Policy",
            "policyId": "BC_AWS_1",
            "creationDate": 1602670330384,
            "comment": "No justification comment provided."
        }
        self.assertTrue(valid_for_run(policy_wide))

        # Account-scoped to a different repo: must not apply to this run.
        accounts_other_repo = {
            "suppressionType": "Accounts",
            "policyId": "BC_AWS_1",
            "creationDate": 1608816140086,
            "comment": "No justification comment provided.",
            "accountIds": ["other/repo"]
        }
        self.assertFalse(valid_for_run(accounts_other_repo))

        # Policy id absent from bc_id_mapping and not a custom-policy id.
        tags_unknown_policy = {
            "suppressionType": "Tags",
            "policyId": "NOT_A_POLICY",
            "creationDate": 1610035761349,
            "comment": "No justification comment provided.",
            "tags": [{
                "value": "test_1",
                "key": "test_num"
            }]
        }
        self.assertFalse(valid_for_run(tags_unknown_policy))

        # Custom policy: the id is not in bc_id_mapping, yet it is accepted.
        # NOTE(review): how a custom id is recognised is not visible here;
        # confirm the accepted id shape is as narrow as intended.
        tags_custom_policy = {
            "suppressionType": "Tags",
            "policyId": "bcorg_aws_1234567891011",
            "creationDate": 1610035761349,
            "comment": "No justification comment provided.",
            "tags": [{
                "value": "test_1",
                "key": "test_num"
            }]
        }
        self.assertTrue(valid_for_run(tags_custom_policy))