def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None, reportMutatorData=None):
# Moves report generation logic out of checkov.kubernetes.runner.run() def.
# Allows us to overriding report file information for "child" frameworks such as Kustomize, Helm
# Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both).
kustomizeMetadata = reportMutatorData['kustomizeMetadata'],
kustomizeFileMappings = reportMutatorData['kustomizeFileMappings']
for check, check_result in results.items():
resource_id = get_resource_id(entity_conf)
entity_context = self.context[k8_file][resource_id]
if file_abs_path in kustomizeFileMappings:
realKustomizeEnvMetadata = kustomizeMetadata[0][kustomizeFileMappings[file_abs_path]]
if 'overlay' in realKustomizeEnvMetadata["type"]:
kustomizeResourceID = f'{realKustomizeEnvMetadata["type"]}:{str(realKustomizeEnvMetadata["overlay_name"])}:{resource_id}'
else:
kustomizeResourceID = f'{realKustomizeEnvMetadata["type"]}:{resource_id}'
else:
kustomizeResourceID = "Unknown error. This is a bug."
record = Record(
check_id=check.id, bc_check_id=check.bc_id, check_name=check.name,
check_result=check_result, code_block=entity_context.get("code_lines"), file_path=realKustomizeEnvMetadata['filePath'],
file_line_range=[0,0],
resource=kustomizeResourceID, evaluations=variable_evaluations,
check_class=check.__class__.__module__, file_abs_path=realKustomizeEnvMetadata['filePath'])
record.set_guideline(check.guideline)
report.add_record(record=record)
return report
def _create_vertices(self):
for file_path, file_conf in self.definitions.items():
for resource in file_conf:
if resource.get('kind') == "List":
file_conf.extend(resource.get("items", []))
file_conf.remove(resource)
for resource in file_conf:
resource_type = resource.get('kind')
metadata = resource.get('metadata') or {}
# TODO: add support for generateName
if is_invalid_k8_definition(resource) or metadata.get("ownerReferences") or not metadata.get('name'):
logging.info(f"failed to create a vertex in file {file_path}")
file_conf.remove(resource)
continue
config = deepcopy(resource)
attributes = deepcopy(config)
attributes["resource_type"] = resource_type
attributes["__startline__"] = resource["__startline__"]
attributes["__endline__"] = resource["__endline__"]
block_id = get_resource_id(resource)
self.vertices.append(KubernetesBlock(
block_name=block_id,
resource_type=resource_type,
config=config,
path=file_path,
attributes=attributes
))
for i, vertex in enumerate(self.vertices):
self.vertices_by_block_type[vertex.block_type].append(i)
self.vertices_block_name_map[vertex.block_type][vertex.name].append(i)
def mutateKubernetesResults(self,
results,
report,
k8_file=None,
k8_file_path=None,
file_abs_path=None,
entity_conf=None,
variable_evaluations=None,
reportMutatorData=None):
# Moves report generation logic out of run() method in Runner class.
# Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm
# Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both).
for check, check_result in results.items():
resource_id = get_resource_id(entity_conf)
entity_context = self.context[k8_file][resource_id]
record = Record(check_id=check.id,
bc_check_id=check.bc_id,
check_name=check.name,
check_result=check_result,
code_block=entity_context.get("code_lines"),
file_path=k8_file_path,
file_line_range=[
entity_context.get("start_line"),
entity_context.get("end_line")
],
resource=resource_id,
evaluations=variable_evaluations,
check_class=check.__class__.__module__,
file_abs_path=file_abs_path)
record.set_guideline(check.guideline)
report.add_record(record=record)
return report
def check_definitions(self, root_folder, runner_filter, report):
for k8_file in self.definitions.keys():
# There are a few cases here. If -f was used, there could be a leading / because it's an absolute path,
# or there will be no leading slash; root_folder will always be none.
# If -d is used, root_folder will be the value given, and -f will start with a / (hardcoded above).
# The goal here is simply to get a valid path to the file (which sls_file does not always give).
if k8_file[0] == '/':
path_to_convert = (root_folder +
k8_file) if root_folder else k8_file
else:
path_to_convert = (os.path.join(
root_folder, k8_file)) if root_folder else k8_file
file_abs_path = os.path.abspath(path_to_convert)
# Run for each definition
for entity_conf in self.definitions[k8_file]:
entity_type = entity_conf.get("kind")
# Skip List and Kustomization Templates (for now)
if entity_type == "Kustomization":
continue
skipped_checks = get_skipped_checks(entity_conf)
results = registry.scan(k8_file, entity_conf, skipped_checks,
runner_filter)
# TODO? - Variable Eval Message!
variable_evaluations = {}
for check, check_result in results.items():
resource_id = get_resource_id(entity_conf)
entity_context = self.context[k8_file][resource_id]
record = Record(
check_id=check.id,
bc_check_id=check.bc_id,
check_name=check.name,
check_result=check_result,
code_block=entity_context.get("code_lines"),
file_path=k8_file,
file_line_range=[
entity_context.get("start_line"),
entity_context.get("end_line")
],
resource=resource_id,
evaluations=variable_evaluations,
check_class=check.__class__.__module__,
file_abs_path=file_abs_path)
record.set_guideline(check.guideline)
report.add_record(record=record)
return report