def _collect_skip_comments(self, definition_blocks): """ Collects checkov skip comments to all definition blocks :param definition_blocks: parsed definition blocks :return: context enriched with with skipped checks per skipped entity """ bc_id_mapping = bc_integration.get_id_mapping() parsed_file_lines = self.filtered_lines comments = [(line_num, { "id": re.search(COMMENT_REGEX, x).group(2), "suppress_comment": re.search(COMMENT_REGEX, x).group(3)[1:] if re.search( COMMENT_REGEX, x).group(3) else "No comment provided" }) for (line_num, x) in parsed_file_lines if re.search(COMMENT_REGEX, x)] for entity_block in definition_blocks: skipped_checks = [] entity_context_path = self.get_entity_context_path(entity_block) context_search = dpath.search(self.context, entity_context_path, yielded=True) for _, entity_context in context_search: for (skip_check_line_num, skip_check) in comments: if entity_context[ 'start_line'] < skip_check_line_num < entity_context[ 'end_line']: if bc_id_mapping and skip_check['id'] in bc_id_mapping: skip_check['id'] = bc_id_mapping[skip_check['id']] skipped_checks.append(skip_check) dpath.new(self.context, entity_context_path + ['skipped_checks'], skipped_checks) return self.context
def collect_skip_comments(resource): skipped_checks = [] bc_id_mapping = bc_integration.get_id_mapping() ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping() if "metadata" in resource: if "checkov" in resource["metadata"]: for index, item in enumerate( force_list(resource["metadata"]["checkov"])): skip_search = re.search(COMMENT_REGEX, str(item)) if skip_search: skipped_check = { 'id': skip_search.group(1), 'suppress_comment': skip_search.group(2)[1:] if skip_search.group(2) else "No comment provided" } if bc_id_mapping and skipped_check[ "id"] in bc_id_mapping: skipped_check["bc_id"] = skipped_check["id"] skipped_check["id"] = bc_id_mapping[ skipped_check["id"]] elif ckv_to_bc_id_mapping: skipped_check["bc_id"] = ckv_to_bc_id_mapping.get( skipped_check["id"]) skipped_checks.append(skipped_check) return skipped_checks
def collect_skip_comments( entity_code_lines: List[Tuple[int, str]]) -> List[_SkippedCheck]: skipped_checks = [] bc_id_mapping = bc_integration.get_id_mapping() ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping() for line in entity_code_lines: skip_search = re.search(COMMENT_REGEX, str(line)) if skip_search: skipped_check: _SkippedCheck = { "id": skip_search.group(2), "suppress_comment": skip_search.group(3)[1:] if skip_search.group(3) else "No comment provided", } # No matter which ID was used to skip, save the pair of IDs in the appropriate fields if bc_id_mapping and skipped_check["id"] in bc_id_mapping: skipped_check["bc_id"] = skipped_check["id"] skipped_check["id"] = bc_id_mapping[skipped_check["id"]] elif ckv_to_bc_id_mapping: skipped_check["bc_id"] = ckv_to_bc_id_mapping.get( skipped_check["id"]) skipped_checks.append(skipped_check) return skipped_checks
def collect_skip_comments( entity_code_lines: List[Tuple[int, str]], resource_config: Optional[DictNode] = None) -> List[_SkippedCheck]: skipped_checks = [] bc_id_mapping = bc_integration.get_id_mapping() ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping() for line in entity_code_lines: skip_search = re.search(COMMENT_REGEX, str(line)) if skip_search: skipped_check: _SkippedCheck = { "id": skip_search.group(2), "suppress_comment": skip_search.group(3)[1:] if skip_search.group(3) else "No comment provided", } # No matter which ID was used to skip, save the pair of IDs in the appropriate fields if bc_id_mapping and skipped_check["id"] in bc_id_mapping: skipped_check["bc_id"] = skipped_check["id"] skipped_check["id"] = bc_id_mapping[skipped_check["id"]] elif ckv_to_bc_id_mapping: skipped_check["bc_id"] = ckv_to_bc_id_mapping.get( skipped_check["id"]) skipped_checks.append(skipped_check) if resource_config: metadata = resource_config.get("Metadata") if metadata: ckv_skip = metadata.get("checkov", {}).get("skip", []) bc_skip = metadata.get("bridgecrew", {}).get("skip", []) if ckv_skip or bc_skip: for skip in itertools.chain(ckv_skip, bc_skip): skip_id = skip.get("id") skip_comment = skip.get("comment", "No comment provided") if skip_id is None: logging.warning( "Check suppression is missing key 'id'") continue skipped_check = { "id": skip_id, "suppress_comment": skip_comment } if bc_id_mapping and skipped_check[ "id"] in bc_id_mapping: skipped_check["bc_id"] = skipped_check["id"] skipped_check["id"] = bc_id_mapping[ skipped_check["id"]] elif ckv_to_bc_id_mapping: skipped_check["bc_id"] = ckv_to_bc_id_mapping.get( skipped_check["id"]) skipped_checks.append(skipped_check) return skipped_checks
def _collect_skip_comments( self, definition_blocks: List[Dict[str, Any]]) -> Dict[str, Any]: """ Collects checkov skip comments to all definition blocks :param definition_blocks: parsed definition blocks :return: context enriched with with skipped checks per skipped entity """ bc_id_mapping = bc_integration.get_id_mapping() ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping() parsed_file_lines = self.filtered_lines optional_comment_lines = [ line for line in parsed_file_lines if self.is_optional_comment_line(line[1]) ] comments = [( line_num, { "id": match.group(2), "suppress_comment": match.group(3)[1:] if match.group(3) else "No comment provided", }, ) for (line_num, x) in optional_comment_lines for match in [re.search(COMMENT_REGEX, x)] if match] for entity_block in definition_blocks: skipped_checks = [] entity_context_path = self.get_entity_context_path(entity_block) entity_context = self.context found = True for k in entity_context_path: if k in entity_context: entity_context = entity_context[k] else: logging.warning( f'Failed to find context for {".".join(entity_context_path)}' ) found = False break if not found: continue for (skip_check_line_num, skip_check) in comments: if entity_context[ "start_line"] < skip_check_line_num < entity_context[ "end_line"]: # No matter which ID was used to skip, save the pair of IDs in the appropriate fields if bc_id_mapping and skip_check["id"] in bc_id_mapping: skip_check["bc_id"] = skip_check["id"] skip_check["id"] = bc_id_mapping[skip_check["id"]] elif ckv_to_bc_id_mapping: skip_check["bc_id"] = ckv_to_bc_id_mapping.get( skip_check["id"]) skipped_checks.append(skip_check) dpath.new(self.context, entity_context_path + ["skipped_checks"], skipped_checks) return self.context
def get_skipped_checks(entity_conf): skipped = [] metadata = {} bc_id_mapping = bc_integration.get_id_mapping() ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping() if not isinstance(entity_conf, dict): return skipped if entity_conf["kind"] == "containers" or entity_conf[ "kind"] == "initContainers": metadata = entity_conf["parent_metadata"] else: if "metadata" in entity_conf.keys(): metadata = entity_conf["metadata"] if "annotations" in metadata.keys( ) and metadata["annotations"] is not None: if isinstance(metadata["annotations"], dict): metadata["annotations"] = force_list(metadata["annotations"]) for annotation in metadata["annotations"]: if not isinstance(annotation, dict): logging.debug( f"Parse of Annotation Failed for {annotation}: {entity_conf}" ) continue for key in annotation: skipped_item = {} if "checkov.io/skip" in key or "bridgecrew.io/skip" in key: if "CKV_K8S" in annotation[key] or "BC_K8S" in annotation[ key]: if "=" in annotation[key]: (skipped_item["id"], skipped_item["suppress_comment"] ) = annotation[key].split("=") else: skipped_item["id"] = annotation[key] skipped_item[ "suppress_comment"] = "No comment provided" # No matter which ID was used to skip, save the pair of IDs in the appropriate fields if bc_id_mapping and skipped_item[ "id"] in bc_id_mapping: skipped_item["bc_id"] = skipped_item["id"] skipped_item["id"] = bc_id_mapping[ skipped_item["id"]] elif ckv_to_bc_id_mapping: skipped_item["bc_id"] = ckv_to_bc_id_mapping.get( skipped_item["id"]) skipped.append(skipped_item) else: logging.debug( "Parse of Annotation Failed for {}: {}".format( metadata["annotations"][key], entity_conf, indent=2)) continue return skipped
def collect_skipped_checks(parse_result): skipped_checks = [] bc_id_mapping = bc_integration.get_id_mapping() ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping() if COMMENT_INSTRUCTION in parse_result: for comment in parse_result[COMMENT_INSTRUCTION]: skip_search = re.search(COMMENT_REGEX, comment["value"]) if skip_search: skipped_check = { 'id': skip_search.group(2), 'suppress_comment': skip_search.group(3)[1:] if skip_search.group( 3) else "No comment provided" } # No matter which ID was used to skip, save the pair of IDs in the appropriate fields if bc_id_mapping and skipped_check["id"] in bc_id_mapping: skipped_check["bc_id"] = skipped_check["id"] skipped_check["id"] = bc_id_mapping[skipped_check["id"]] elif ckv_to_bc_id_mapping: skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(skipped_check["id"]) skipped_checks.append(skipped_check) return skipped_checks
def _collect_skip_comments( self, definition_blocks: List[Dict[str, Any]]) -> Dict[str, Any]: """ Collects checkov skip comments to all definition blocks :param definition_blocks: parsed definition blocks :return: context enriched with with skipped checks per skipped entity """ bc_id_mapping = bc_integration.get_id_mapping() parsed_file_lines = self.filtered_lines comments = [( line_num, { "id": match.group(2), "suppress_comment": match.group(3)[1:] if match.group(3) else "No comment provided", }, ) for (line_num, x) in parsed_file_lines for match in [re.search(COMMENT_REGEX, x)] if match] for entity_block in definition_blocks: skipped_checks = [] entity_context_path = self.get_entity_context_path(entity_block) context_search = dpath.search(self.context, entity_context_path, yielded=True) for _, entity_context in context_search: for (skip_check_line_num, skip_check) in comments: if entity_context[ "start_line"] < skip_check_line_num < entity_context[ "end_line"]: if bc_id_mapping and skip_check["id"] in bc_id_mapping: skip_check["id"] = bc_id_mapping[skip_check["id"]] skipped_checks.append(skip_check) dpath.new(self.context, entity_context_path + ["skipped_checks"], skipped_checks) return self.context