def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None, reportMutatorData=None): # Moves report generation logic out of checkov.kubernetes.runner.run() def. # Allows us to overriding report file information for "child" frameworks such as Kustomize, Helm # Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both). kustomizeMetadata = reportMutatorData['kustomizeMetadata'], kustomizeFileMappings = reportMutatorData['kustomizeFileMappings'] for check, check_result in results.items(): resource_id = get_resource_id(entity_conf) entity_context = self.context[k8_file][resource_id] if file_abs_path in kustomizeFileMappings: realKustomizeEnvMetadata = kustomizeMetadata[0][kustomizeFileMappings[file_abs_path]] if 'overlay' in realKustomizeEnvMetadata["type"]: kustomizeResourceID = f'{realKustomizeEnvMetadata["type"]}:{str(realKustomizeEnvMetadata["overlay_name"])}:{resource_id}' else: kustomizeResourceID = f'{realKustomizeEnvMetadata["type"]}:{resource_id}' else: kustomizeResourceID = "Unknown error. This is a bug." record = Record( check_id=check.id, bc_check_id=check.bc_id, check_name=check.name, check_result=check_result, code_block=entity_context.get("code_lines"), file_path=realKustomizeEnvMetadata['filePath'], file_line_range=[0,0], resource=kustomizeResourceID, evaluations=variable_evaluations, check_class=check.__class__.__module__, file_abs_path=realKustomizeEnvMetadata['filePath']) record.set_guideline(check.guideline) report.add_record(record=record) return report
def _create_vertices(self): for file_path, file_conf in self.definitions.items(): for resource in file_conf: if resource.get('kind') == "List": file_conf.extend(resource.get("items", [])) file_conf.remove(resource) for resource in file_conf: resource_type = resource.get('kind') metadata = resource.get('metadata') or {} # TODO: add support for generateName if is_invalid_k8_definition(resource) or metadata.get("ownerReferences") or not metadata.get('name'): logging.info(f"failed to create a vertex in file {file_path}") file_conf.remove(resource) continue config = deepcopy(resource) attributes = deepcopy(config) attributes["resource_type"] = resource_type attributes["__startline__"] = resource["__startline__"] attributes["__endline__"] = resource["__endline__"] block_id = get_resource_id(resource) self.vertices.append(KubernetesBlock( block_name=block_id, resource_type=resource_type, config=config, path=file_path, attributes=attributes )) for i, vertex in enumerate(self.vertices): self.vertices_by_block_type[vertex.block_type].append(i) self.vertices_block_name_map[vertex.block_type][vertex.name].append(i)
def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None, reportMutatorData=None): # Moves report generation logic out of run() method in Runner class. # Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm # Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both). for check, check_result in results.items(): resource_id = get_resource_id(entity_conf) entity_context = self.context[k8_file][resource_id] record = Record(check_id=check.id, bc_check_id=check.bc_id, check_name=check.name, check_result=check_result, code_block=entity_context.get("code_lines"), file_path=k8_file_path, file_line_range=[ entity_context.get("start_line"), entity_context.get("end_line") ], resource=resource_id, evaluations=variable_evaluations, check_class=check.__class__.__module__, file_abs_path=file_abs_path) record.set_guideline(check.guideline) report.add_record(record=record) return report
def check_definitions(self, root_folder, runner_filter, report): for k8_file in self.definitions.keys(): # There are a few cases here. If -f was used, there could be a leading / because it's an absolute path, # or there will be no leading slash; root_folder will always be none. # If -d is used, root_folder will be the value given, and -f will start with a / (hardcoded above). # The goal here is simply to get a valid path to the file (which sls_file does not always give). if k8_file[0] == '/': path_to_convert = (root_folder + k8_file) if root_folder else k8_file else: path_to_convert = (os.path.join( root_folder, k8_file)) if root_folder else k8_file file_abs_path = os.path.abspath(path_to_convert) # Run for each definition for entity_conf in self.definitions[k8_file]: entity_type = entity_conf.get("kind") # Skip List and Kustomization Templates (for now) if entity_type == "Kustomization": continue skipped_checks = get_skipped_checks(entity_conf) results = registry.scan(k8_file, entity_conf, skipped_checks, runner_filter) # TODO? - Variable Eval Message! variable_evaluations = {} for check, check_result in results.items(): resource_id = get_resource_id(entity_conf) entity_context = self.context[k8_file][resource_id] record = Record( check_id=check.id, bc_check_id=check.bc_id, check_name=check.name, check_result=check_result, code_block=entity_context.get("code_lines"), file_path=k8_file, file_line_range=[ entity_context.get("start_line"), entity_context.get("end_line") ], resource=resource_id, evaluations=variable_evaluations, check_class=check.__class__.__module__, file_abs_path=file_abs_path) record.set_guideline(check.guideline) report.add_record(record=record) return report