def test_account_suppression(self):
    """An ``Accounts`` suppression silences only the check it names.

    The suppression lists the current repo (``org/repo``) among its
    ``accountIds`` and carries ``checkovPolicyId`` ``CKV_AWS_18``. A record
    for that check must be suppressed; a record for ``CKV_AWS_1`` must not,
    so an account-wide suppression cannot hide findings of other checks.
    """
    platform = BcPlatformIntegration()
    platform.repo_id = 'org/repo'
    integration = SuppressionsIntegration(platform)

    def build_record(check_id):
        # Only the check id differs between the records under test.
        return Record(
            check_id=check_id,
            check_name=None,
            check_result=None,
            code_block=None,
            file_path=None,
            file_line_range=None,
            resource=None,
            evaluations=None,
            check_class=None,
            file_abs_path='.',
            entity_tags=None,
        )

    account_suppression = {
        "suppressionType": "Accounts",
        "policyId": "BC_AWS_S3_13",
        "comment": "testing checkov",
        # One entry equals repo_id, the other does not.
        "accountIds": ["org/repo", "not/valid"],
        "checkovPolicyId": "CKV_AWS_18",
    }

    suppressed_record = build_record('CKV_AWS_18')
    unrelated_record = build_record('CKV_AWS_1')

    self.assertTrue(
        integration._check_suppression(suppressed_record, account_suppression))
    self.assertFalse(
        integration._check_suppression(unrelated_record, account_suppression))
def test_repo_match(self):
    """Repo matching accepts the repo id, optionally prefixed, and nothing longer.

    With ``repo_id`` set to ``org/repo``, the matcher must accept the bare id
    and the id preceded by ``<prefix>_``. It must reject names that merely
    extend the id (``org/repo1``), so a suppression scoped to one repository
    does not silence findings in a similarly named one.
    """
    platform = BcPlatformIntegration()
    platform.repo_id = 'org/repo'
    matcher = SuppressionsIntegration(platform)
    matcher._init_repo_regex()

    # NOTE(review): the "<prefix>_" part is presumably an org/customer
    # identifier added by the platform - confirm against _init_repo_regex.
    accepted = ('org/repo', 'xyz_org/repo', '80001234_org/repo')
    rejected = ('org/repo1', 'xyz_org/repo1', '80001234_org/repo1')

    for repo_name in accepted:
        self.assertTrue(matcher._repo_matches(repo_name))

    # Same names with a trailing character: a prefix-only or unanchored
    # match would wrongly accept these.
    for repo_name in rejected:
        self.assertFalse(matcher._repo_matches(repo_name))
def test_resource_suppression(self):
    """A ``Resources`` suppression needs both the check and the resource to match.

    The suppression targets ``/terraform/aws/s3.tf:aws_s3_bucket.operations``
    in ``org/repo`` for ``CKV_AWS_18``. Only the record with that check id,
    file path and resource is suppressed; a different resource or a different
    check id on the same file is not.
    """
    platform = BcPlatformIntegration()
    platform.repo_id = 'org/repo'
    integration = SuppressionsIntegration(platform)

    def build_record(check_id, resource, file_abs_path='.'):
        # All records live in the same file; repo_file_path is assigned
        # after construction, as Record takes no such argument here.
        rec = Record(
            check_id=check_id,
            check_name=None,
            check_result=None,
            code_block=None,
            file_path=None,
            file_line_range=None,
            resource=resource,
            evaluations=None,
            check_class=None,
            file_abs_path=file_abs_path,
            entity_tags=None,
        )
        rec.repo_file_path = '/terraform/aws/s3.tf'
        return rec

    resource_suppression = {
        "suppressionType": "Resources",
        "policyId": "BC_AWS_S3_13",
        "comment": "No justification comment provided.",
        "resources": [
            {
                "accountId": "org/repo",
                # "<repo file path>:<resource>" as matched by the first record.
                "resourceId": "/terraform/aws/s3.tf:aws_s3_bucket.operations",
            }
        ],
        "checkovPolicyId": "CKV_AWS_18",
    }

    # NOTE(review): ',.' looks like a typo for '.' (the other records use
    # '.') - confirm before changing.
    exact_match = build_record(
        'CKV_AWS_18', 'aws_s3_bucket.operations', file_abs_path=',.')
    # Different check id and different resource.
    other_resource = build_record('CKV_AWS_13', 'aws_s3_bucket.no')
    # Same resource, different check id.
    other_check = build_record('CKV_AWS_1', 'aws_s3_bucket.operations')

    self.assertTrue(
        integration._check_suppression(exact_match, resource_suppression))
    self.assertFalse(
        integration._check_suppression(other_resource, resource_suppression))
    self.assertFalse(
        integration._check_suppression(other_check, resource_suppression))
def test_suppression_valid(self):
    """``_suppression_valid_for_run`` keeps only suppressions relevant to this run.

    The integration runs against ``org/repo`` and knows one platform policy,
    ``BC_AWS_1``. Suppressions of every type are accepted when they name that
    policy and, where scoped, this repo. A suppression scoped to another repo
    or naming an unknown policy is rejected, and one naming a custom policy
    id is accepted.
    """
    platform = BcPlatformIntegration()
    platform.repo_id = 'org/repo'
    platform.bc_id_mapping = {'BC_AWS_1': 'CKV_AWS_20'}
    integration = SuppressionsIntegration(platform)
    valid_for_run = integration._suppression_valid_for_run

    accounts_this_repo = {
        "suppressionType": "Accounts",
        "policyId": "BC_AWS_1",
        "creationDate": 1608816140086,
        "comment": "No justification comment provided.",
        "accountIds": ["org/repo"],
    }
    # NOTE(review): "resources" is a single dict here, whereas
    # test_resource_suppression passes a list of such dicts - confirm which
    # shape the platform actually returns.
    resources_this_repo = {
        "suppressionType": "Resources",
        "policyId": "BC_AWS_1",
        "creationDate": 1608816140086,
        "comment": "No justification comment provided.",
        "resources": {
            "accountId": "org/repo",
            "resourceId": "/s3.tf",
        },
    }
    tags_known_policy = {
        "suppressionType": "Tags",
        "policyId": "BC_AWS_1",
        "creationDate": 1610035761349,
        "comment": "No justification comment provided.",
        "tags": [{"value": "test_1", "key": "test_num"}],
    }
    policy_wide = {
        "suppressionType": "Policy",
        "policyId": "BC_AWS_1",
        "creationDate": 1602670330384,
        "comment": "No justification comment provided.",
    }
    # Scoped to a different repository than repo_id.
    accounts_other_repo = {
        "suppressionType": "Accounts",
        "policyId": "BC_AWS_1",
        "creationDate": 1608816140086,
        "comment": "No justification comment provided.",
        "accountIds": ["other/repo"],
    }
    # Policy id absent from bc_id_mapping.
    tags_unknown_policy = {
        "suppressionType": "Tags",
        "policyId": "NOT_A_POLICY",
        "creationDate": 1610035761349,
        "comment": "No justification comment provided.",
        "tags": [{"value": "test_1", "key": "test_num"}],
    }
    # Custom policy: also absent from bc_id_mapping, yet expected to be
    # valid. Presumably recognised by its id format - confirm against
    # _suppression_valid_for_run.
    tags_custom_policy = {
        "suppressionType": "Tags",
        "policyId": "bcorg_aws_1234567891011",
        "creationDate": 1610035761349,
        "comment": "No justification comment provided.",
        "tags": [{"value": "test_1", "key": "test_num"}],
    }

    self.assertTrue(valid_for_run(accounts_this_repo))
    self.assertTrue(valid_for_run(resources_this_repo))
    self.assertTrue(valid_for_run(tags_known_policy))
    self.assertTrue(valid_for_run(policy_wide))
    self.assertFalse(valid_for_run(accounts_other_repo))
    self.assertFalse(valid_for_run(tags_unknown_policy))
    self.assertTrue(valid_for_run(tags_custom_policy))