예제 #1
0
 def _collect_skip_comments(self, definition_blocks):
     """
     Collects checkov skip comments to all definition blocks
     :param definition_blocks: parsed definition blocks
     :return: context enriched with with skipped checks per skipped entity
     """
     bc_id_mapping = bc_integration.get_id_mapping()
     parsed_file_lines = self.filtered_lines
     comments = [(line_num, {
         "id":
         re.search(COMMENT_REGEX, x).group(2),
         "suppress_comment":
         re.search(COMMENT_REGEX, x).group(3)[1:] if re.search(
             COMMENT_REGEX, x).group(3) else "No comment provided"
     }) for (line_num, x) in parsed_file_lines
                 if re.search(COMMENT_REGEX, x)]
     for entity_block in definition_blocks:
         skipped_checks = []
         entity_context_path = self.get_entity_context_path(entity_block)
         context_search = dpath.search(self.context,
                                       entity_context_path,
                                       yielded=True)
         for _, entity_context in context_search:
             for (skip_check_line_num, skip_check) in comments:
                 if entity_context[
                         'start_line'] < skip_check_line_num < entity_context[
                             'end_line']:
                     if bc_id_mapping and skip_check['id'] in bc_id_mapping:
                         skip_check['id'] = bc_id_mapping[skip_check['id']]
                     skipped_checks.append(skip_check)
         dpath.new(self.context, entity_context_path + ['skipped_checks'],
                   skipped_checks)
     return self.context
예제 #2
0
    def collect_skip_comments(resource):
        skipped_checks = []
        bc_id_mapping = bc_integration.get_id_mapping()
        ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
        if "metadata" in resource:
            if "checkov" in resource["metadata"]:
                for index, item in enumerate(
                        force_list(resource["metadata"]["checkov"])):
                    skip_search = re.search(COMMENT_REGEX, str(item))
                    if skip_search:
                        skipped_check = {
                            'id':
                            skip_search.group(1),
                            'suppress_comment':
                            skip_search.group(2)[1:]
                            if skip_search.group(2) else "No comment provided"
                        }
                        if bc_id_mapping and skipped_check[
                                "id"] in bc_id_mapping:
                            skipped_check["bc_id"] = skipped_check["id"]
                            skipped_check["id"] = bc_id_mapping[
                                skipped_check["id"]]
                        elif ckv_to_bc_id_mapping:
                            skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(
                                skipped_check["id"])

                        skipped_checks.append(skipped_check)

        return skipped_checks
예제 #3
0
    def collect_skip_comments(
            entity_code_lines: List[Tuple[int, str]]) -> List[_SkippedCheck]:
        skipped_checks = []
        bc_id_mapping = bc_integration.get_id_mapping()
        ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
        for line in entity_code_lines:
            skip_search = re.search(COMMENT_REGEX, str(line))
            if skip_search:
                skipped_check: _SkippedCheck = {
                    "id":
                    skip_search.group(2),
                    "suppress_comment":
                    skip_search.group(3)[1:]
                    if skip_search.group(3) else "No comment provided",
                }
                # No matter which ID was used to skip, save the pair of IDs in the appropriate fields
                if bc_id_mapping and skipped_check["id"] in bc_id_mapping:
                    skipped_check["bc_id"] = skipped_check["id"]
                    skipped_check["id"] = bc_id_mapping[skipped_check["id"]]
                elif ckv_to_bc_id_mapping:
                    skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(
                        skipped_check["id"])

                skipped_checks.append(skipped_check)
        return skipped_checks
예제 #4
0
    def collect_skip_comments(
            entity_code_lines: List[Tuple[int, str]],
            resource_config: Optional[DictNode] = None) -> List[_SkippedCheck]:
        skipped_checks = []
        bc_id_mapping = bc_integration.get_id_mapping()
        ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
        for line in entity_code_lines:
            skip_search = re.search(COMMENT_REGEX, str(line))
            if skip_search:
                skipped_check: _SkippedCheck = {
                    "id":
                    skip_search.group(2),
                    "suppress_comment":
                    skip_search.group(3)[1:]
                    if skip_search.group(3) else "No comment provided",
                }
                # No matter which ID was used to skip, save the pair of IDs in the appropriate fields
                if bc_id_mapping and skipped_check["id"] in bc_id_mapping:
                    skipped_check["bc_id"] = skipped_check["id"]
                    skipped_check["id"] = bc_id_mapping[skipped_check["id"]]
                elif ckv_to_bc_id_mapping:
                    skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(
                        skipped_check["id"])

                skipped_checks.append(skipped_check)
        if resource_config:
            metadata = resource_config.get("Metadata")
            if metadata:
                ckv_skip = metadata.get("checkov", {}).get("skip", [])
                bc_skip = metadata.get("bridgecrew", {}).get("skip", [])
                if ckv_skip or bc_skip:
                    for skip in itertools.chain(ckv_skip, bc_skip):
                        skip_id = skip.get("id")
                        skip_comment = skip.get("comment",
                                                "No comment provided")
                        if skip_id is None:
                            logging.warning(
                                "Check suppression is missing key 'id'")
                            continue

                        skipped_check = {
                            "id": skip_id,
                            "suppress_comment": skip_comment
                        }
                        if bc_id_mapping and skipped_check[
                                "id"] in bc_id_mapping:
                            skipped_check["bc_id"] = skipped_check["id"]
                            skipped_check["id"] = bc_id_mapping[
                                skipped_check["id"]]
                        elif ckv_to_bc_id_mapping:
                            skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(
                                skipped_check["id"])

                        skipped_checks.append(skipped_check)

        return skipped_checks
예제 #5
0
 def _collect_skip_comments(
         self, definition_blocks: List[Dict[str, Any]]) -> Dict[str, Any]:
     """
     Collects checkov skip comments to all definition blocks
     :param definition_blocks: parsed definition blocks
     :return: context enriched with with skipped checks per skipped entity
     """
     bc_id_mapping = bc_integration.get_id_mapping()
     ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
     parsed_file_lines = self.filtered_lines
     optional_comment_lines = [
         line for line in parsed_file_lines
         if self.is_optional_comment_line(line[1])
     ]
     comments = [(
         line_num,
         {
             "id":
             match.group(2),
             "suppress_comment":
             match.group(3)[1:]
             if match.group(3) else "No comment provided",
         },
     ) for (line_num, x) in optional_comment_lines
                 for match in [re.search(COMMENT_REGEX, x)] if match]
     for entity_block in definition_blocks:
         skipped_checks = []
         entity_context_path = self.get_entity_context_path(entity_block)
         entity_context = self.context
         found = True
         for k in entity_context_path:
             if k in entity_context:
                 entity_context = entity_context[k]
             else:
                 logging.warning(
                     f'Failed to find context for {".".join(entity_context_path)}'
                 )
                 found = False
                 break
         if not found:
             continue
         for (skip_check_line_num, skip_check) in comments:
             if entity_context[
                     "start_line"] < skip_check_line_num < entity_context[
                         "end_line"]:
                 # No matter which ID was used to skip, save the pair of IDs in the appropriate fields
                 if bc_id_mapping and skip_check["id"] in bc_id_mapping:
                     skip_check["bc_id"] = skip_check["id"]
                     skip_check["id"] = bc_id_mapping[skip_check["id"]]
                 elif ckv_to_bc_id_mapping:
                     skip_check["bc_id"] = ckv_to_bc_id_mapping.get(
                         skip_check["id"])
                 skipped_checks.append(skip_check)
         dpath.new(self.context, entity_context_path + ["skipped_checks"],
                   skipped_checks)
     return self.context
예제 #6
0
def get_skipped_checks(entity_conf):
    skipped = []
    metadata = {}
    bc_id_mapping = bc_integration.get_id_mapping()
    ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
    if not isinstance(entity_conf, dict):
        return skipped
    if entity_conf["kind"] == "containers" or entity_conf[
            "kind"] == "initContainers":
        metadata = entity_conf["parent_metadata"]
    else:
        if "metadata" in entity_conf.keys():
            metadata = entity_conf["metadata"]
    if "annotations" in metadata.keys(
    ) and metadata["annotations"] is not None:
        if isinstance(metadata["annotations"], dict):
            metadata["annotations"] = force_list(metadata["annotations"])
        for annotation in metadata["annotations"]:
            if not isinstance(annotation, dict):
                logging.debug(
                    f"Parse of Annotation Failed for {annotation}: {entity_conf}"
                )
                continue
            for key in annotation:
                skipped_item = {}
                if "checkov.io/skip" in key or "bridgecrew.io/skip" in key:
                    if "CKV_K8S" in annotation[key] or "BC_K8S" in annotation[
                            key]:
                        if "=" in annotation[key]:
                            (skipped_item["id"],
                             skipped_item["suppress_comment"]
                             ) = annotation[key].split("=")
                        else:
                            skipped_item["id"] = annotation[key]
                            skipped_item[
                                "suppress_comment"] = "No comment provided"

                        # No matter which ID was used to skip, save the pair of IDs in the appropriate fields
                        if bc_id_mapping and skipped_item[
                                "id"] in bc_id_mapping:
                            skipped_item["bc_id"] = skipped_item["id"]
                            skipped_item["id"] = bc_id_mapping[
                                skipped_item["id"]]
                        elif ckv_to_bc_id_mapping:
                            skipped_item["bc_id"] = ckv_to_bc_id_mapping.get(
                                skipped_item["id"])
                        skipped.append(skipped_item)
                    else:
                        logging.debug(
                            "Parse of Annotation Failed for {}: {}".format(
                                metadata["annotations"][key],
                                entity_conf,
                                indent=2))
                        continue
    return skipped
예제 #7
0
파일: parser.py 프로젝트: tsmithv11/checkov
def collect_skipped_checks(parse_result):
    skipped_checks = []
    bc_id_mapping = bc_integration.get_id_mapping()
    ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
    if COMMENT_INSTRUCTION in parse_result:
        for comment in parse_result[COMMENT_INSTRUCTION]:
            skip_search = re.search(COMMENT_REGEX, comment["value"])
            if skip_search:
                skipped_check = {
                    'id': skip_search.group(2),
                    'suppress_comment': skip_search.group(3)[1:] if skip_search.group(
                        3) else "No comment provided"
                }
                # No matter which ID was used to skip, save the pair of IDs in the appropriate fields
                if bc_id_mapping and skipped_check["id"] in bc_id_mapping:
                    skipped_check["bc_id"] = skipped_check["id"]
                    skipped_check["id"] = bc_id_mapping[skipped_check["id"]]
                elif ckv_to_bc_id_mapping:
                    skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(skipped_check["id"])
                skipped_checks.append(skipped_check)
    return skipped_checks
예제 #8
0
 def _collect_skip_comments(
         self, definition_blocks: List[Dict[str, Any]]) -> Dict[str, Any]:
     """
     Collects checkov skip comments to all definition blocks
     :param definition_blocks: parsed definition blocks
     :return: context enriched with with skipped checks per skipped entity
     """
     bc_id_mapping = bc_integration.get_id_mapping()
     parsed_file_lines = self.filtered_lines
     comments = [(
         line_num,
         {
             "id":
             match.group(2),
             "suppress_comment":
             match.group(3)[1:]
             if match.group(3) else "No comment provided",
         },
     ) for (line_num, x) in parsed_file_lines
                 for match in [re.search(COMMENT_REGEX, x)] if match]
     for entity_block in definition_blocks:
         skipped_checks = []
         entity_context_path = self.get_entity_context_path(entity_block)
         context_search = dpath.search(self.context,
                                       entity_context_path,
                                       yielded=True)
         for _, entity_context in context_search:
             for (skip_check_line_num, skip_check) in comments:
                 if entity_context[
                         "start_line"] < skip_check_line_num < entity_context[
                             "end_line"]:
                     if bc_id_mapping and skip_check["id"] in bc_id_mapping:
                         skip_check["id"] = bc_id_mapping[skip_check["id"]]
                     skipped_checks.append(skip_check)
         dpath.new(self.context, entity_context_path + ["skipped_checks"],
                   skipped_checks)
     return self.context