engine

package
v0.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 23, 2026 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Overview

* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. * * This product includes software developed at Datadog (https://www.datadoghq.com) Copyright 2024 Datadog, Inc.

* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. * * This product includes software developed at Datadog (https://www.datadoghq.com) Copyright 2024 Datadog, Inc.

* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. * * This product includes software developed at Datadog (https://www.datadoghq.com) Copyright 2024 Datadog, Inc.

* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. * * This product includes software developed at Datadog (https://www.datadoghq.com) Copyright 2024 Datadog, Inc.

Index

Constants

View Source 
const (
	UndetectedVulnerabilityLine = -1
	DefaultQueryID              = "Undefined"
	DefaultQueryName            = "Anonymous"
	DefaultExperimental         = false
	DefaultQueryDescription     = "Undefined"
	DefaultQueryDescriptionID   = "Undefined"
	DefaultQueryURI             = "https://github.com/DataDog/datadog-iac-scanner/"
	DefaultIssueType            = model.IssueTypeIncorrectValue
)

Default values for inspector

Variables

View Source 
var DefaultVulnerabilityBuilder = func(ctx context.Context, qCtx *QueryContext,
	tracker Tracker,
	v interface{},
	detector *dec.DetectLine,
	useOldSeverities bool,
	kicsComputeNewSimID bool,
	queryDuration time.Duration) (*model.Vulnerability, error) {
	contextLogger := logger.FromContext(ctx)
	vObj, ok := v.(map[string]interface{})
	if !ok {
		return &model.Vulnerability{}, ErrInvalidResult
	}

	vObj = mergeWithMetadata(vObj, qCtx.Query.Metadata.Metadata)

	var err error
	var output []byte

	output, err = json.Marshal(vObj)
	if err != nil {
		return &model.Vulnerability{}, errors.Wrap(err, "failed to marshall query output")
	}

	var fileID *string

	fileID, err = mapKeyToString(ctx, vObj, "documentId", false)
	if err != nil {
		return &model.Vulnerability{}, errors.Wrap(err, "failed to recognize file id")
	}

	file, ok := qCtx.Files[*fileID]
	if !ok {
		return &model.Vulnerability{}, errors.New("failed to find file from query response")
	}

	logWithFields := contextLogger.With().
		Str("scanID", qCtx.scanID).
		Str("fileName", file.FilePath).
		Str("queryName", qCtx.Query.Metadata.Query).
		Logger()

	detector.SetupLogs(&logWithFields)

	linesVulne := model.VulnerabilityLines{
		Line:                  -1,
		VulnLines:             &[]model.CodeLine{},
		LineWithVulnerability: "",
	}

	similarityIDLineInfo := ""
	searchKey := ""
	if s, ok := vObj["searchKey"]; ok {
		searchKey = s.(string)
		similarityIDLineInfo = searchKey
		intDoc := file.LineInfoDocument
		vulsSplit := strings.Split(searchKey, ".")

		if file.Kind == model.KindINI {
			vulsSplit, searchKey = sanitizeINIKey(vulsSplit)
		}

		if strings.Contains(vulsSplit[len(vulsSplit)-1], "RefMetadata") {
			return &model.Vulnerability{}, ErrNoResult
		}

		searchKey, _ = modifyVulSearchKeyReference(intDoc, searchKey, vulsSplit)
		vObj["searchKey"] = searchKey
		linesVulne = detector.DetectLine(ctx, &file, searchKey)
	} else {
		logWithFields.Error().Msg("Saving result. failed to detect line")
	}

	lineNumber := 0
	var similarityIDLineInfoOld = similarityIDLineInfo

	if !slices.Contains([]model.FileKind{model.KindHELM, model.KindTerraform}, file.Kind) && len(file.ResolvedFiles) == 0 {
		searchLineCalc := &searchLineCalculator{
			lineNr:               -1,
			vObj:                 vObj,
			file:                 file,
			detector:             detector,
			similarityIDLineInfo: similarityIDLineInfo,
			linesVulne:           linesVulne,
		}

		lineNumber, similarityIDLineInfoOld, linesVulne = calculeSearchLine(ctx, searchLineCalc)
	}

	if linesVulne.Line == -1 {
		logWithFields.Warn().Msgf("Failed to detect line, query response %s", searchKey)
		linesVulne.Line = 1
	}

	searchValue := ""
	if s, ok := vObj["searchValue"]; ok {
		searchValue = s.(string)
	}

	overrideKey := ""
	if s, ok := vObj["overrideKey"]; ok {
		overrideKey = s.(string)
	}

	platform := getStringFromMap(ctx, "platform", "", overrideKey, vObj, &logWithFields)
	resourceType := PtrStringToString(mustMapKeyToString(ctx, vObj, "resourceType"))
	if strings.EqualFold(platform, "ansible") {
		resourceType = utils.NormalizeAnsibleResourceType(resourceType)
	}

	queryID := getStringFromMap(ctx, "id", DefaultQueryID, overrideKey, vObj, &logWithFields)

	severity := getResolvedSeverity(ctx, vObj, &logWithFields, overrideKey, useOldSeverities)

	issueType := DefaultIssueType
	if v := mustMapKeyToString(ctx, vObj, "issueType"); v != nil {
		issueType = model.IssueType(*v)
	}

	similarityID, oldSimilarityID := generateSimilaritiesID(ctx, qCtx, linesVulne.ResolvedFile, queryID, similarityIDLineInfo, searchValue,
		searchKey, similarityIDLineInfoOld, kicsComputeNewSimID, &logWithFields, tracker)

	return &model.Vulnerability{
		ID:              0,
		SimilarityID:    PtrStringToString(similarityID),
		OldSimilarityID: PtrStringToString(oldSimilarityID),
		ScanID:          qCtx.scanID,
		FileID:          file.ID,
		FileName:        linesVulne.ResolvedFile,
		QueryName:       getStringFromMap(ctx, "queryName", DefaultQueryName, overrideKey, vObj, &logWithFields),
		QueryID:         queryID,
		Experimental:    getBoolFromMap(ctx, "experimental", DefaultExperimental, overrideKey, vObj, &logWithFields),
		QueryURI:        getStringFromMap(ctx, "descriptionUrl", DefaultQueryURI, overrideKey, vObj, &logWithFields),
		Category:        getStringFromMap(ctx, "category", "", overrideKey, vObj, &logWithFields),
		Description:     getStringFromMap(ctx, "descriptionText", "", overrideKey, vObj, &logWithFields),
		DescriptionID:   getStringFromMap(ctx, "descriptionID", DefaultQueryDescriptionID, overrideKey, vObj, &logWithFields),
		Severity:        severity,
		Platform:        platform,
		CWE:             getStringFromMap(ctx, "cwe", "", overrideKey, vObj, &logWithFields),
		Line:            linesVulne.Line,
		VulnerabilityLocation: model.ResourceLocation{
			Start: linesVulne.VulnerablilityLocation.Start,
			End:   linesVulne.VulnerablilityLocation.End,
		},
		RemediationLocation: model.ResourceLocation{
			Start: linesVulne.RemediationLocation.Start,
			End:   linesVulne.RemediationLocation.End,
		},
		VulnLines:             linesVulne.VulnLines,
		ResourceType:          resourceType,
		ResourceName:          PtrStringToString(mustMapKeyToString(ctx, vObj, "resourceName")),
		IssueType:             issueType,
		SearchKey:             searchKey,
		SearchLine:            lineNumber,
		SearchValue:           searchValue,
		KeyExpectedValue:      PtrStringToString(mustMapKeyToString(ctx, vObj, "keyExpectedValue")),
		KeyActualValue:        PtrStringToString(mustMapKeyToString(ctx, vObj, "keyActualValue")),
		Value:                 mustMapKeyToString(ctx, vObj, "value"),
		Output:                string(output),
		CloudProvider:         getCloudProvider(ctx, overrideKey, vObj, &logWithFields),
		Remediation:           PtrStringToString(mustMapKeyToString(ctx, vObj, "remediation")),
		RemediationType:       PtrStringToString(mustMapKeyToString(ctx, vObj, "remediationType")),
		QueryDuration:         queryDuration,
		LineWithVulnerability: linesVulne.LineWithVulnerability,
		ResourceSource:        linesVulne.ResourceSource,
		FileSource:            linesVulne.FileSource,
		BlockLocation:         linesVulne.BlockLocation,
		Frameworks: append(extractDefaultFrameworks(ctx, qCtx.Query.Metadata.Metadata, qCtx.FlagEvaluator),
			extractCustomFrameworks(ctx, qCtx.Query.Metadata.Metadata, qCtx.FlagEvaluator)...),
	}, nil
}

DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan

View Source 
var ErrInvalidResult = errors.New("query: invalid result format")

ErrInvalidResult - error representing invalid result

View Source 
var ErrNoResult = errors.New("query: not result")

ErrNoResult - error representing when a query didn't return a result

Functions

func PtrStringToString 

func PtrStringToString(v *string) string

PtrStringToString - converts a pointer to string to a string

func ShouldSkipVulnerability 

func ShouldSkipVulnerability(command model.CommentsCommands, queryID string) bool

ShouldSkipVulnerability verifies if the vulnerability in question should be ignored through comment commands

Types

type InspectionJob 

type InspectionJob struct {
	// contains filtered or unexported fields
}

type Inspector 

type Inspector struct {
	QueryLoader *QueryLoader
	// contains filtered or unexported fields
}

Inspector represents a list of compiled queries, a builder for vulnerabilities, an information tracker a flag to enable coverage and the coverage report if it is enabled

func NewInspector 

func NewInspector(
	ctx context.Context,
	queriesSource source.QueriesSource,
	vb VulnerabilityBuilder,
	tracker Tracker,
	queryParameters *source.QueryInspectorParameters,
	excludeResults map[string]bool,
	queryTimeout int,
	useOldSeverities bool,
	needsLog bool,
	numWorkers int,
	kicsComputeNewSimID bool,
	flagEvaluator featureflags.FlagEvaluator,
) (*Inspector, error)

NewInspector initializes a inspector, compiling and loading queries for scan and its tracker

func (*Inspector) DecodeQueryResults 

func (c *Inspector) DecodeQueryResults(
	ctx context.Context,
	qCtx *QueryContext,
	ctxTimeout context.Context,
	results rego.ResultSet,
	queryDuration time.Duration) ([]model.Vulnerability, error)

DecodeQueryResults decodes the results into []model.Vulnerability

func (*Inspector) EnableCoverageReport 

func (c *Inspector) EnableCoverageReport()

EnableCoverageReport enables the flag to create a coverage report

func (*Inspector) GetCoverageReport 

func (c *Inspector) GetCoverageReport() cover.Report

GetCoverageReport returns the scan coverage report

func (*Inspector) GetFailedQueries 

func (c *Inspector) GetFailedQueries() map[string]error

GetFailedQueries returns a map of failed queries and the associated error

func (*Inspector) Inspect 

func (c *Inspector) Inspect(
	ctx context.Context,
	scanID string,
	files model.FileMetadatas,
	baseScanPaths []string,
	platforms []string) ([]model.Vulnerability, error)

func (*Inspector) LenQueriesByPlat 

func (c *Inspector) LenQueriesByPlat(platforms []string) int

LenQueriesByPlat returns the number of queries by platforms

func (*Inspector) TransformJsonencodeInPayload 

func (c *Inspector) TransformJsonencodeInPayload(ctx context.Context, value ast.Value) ast.Value

type PreparedQuery 

type PreparedQuery struct {
	OpaQuery rego.PreparedEvalQuery
	Metadata model.QueryMetadata
}

PreparedQuery includes the opaQuery and its metadata

type QueryContext 

type QueryContext struct {
	Ctx context.Context

	Files map[string]model.FileMetadata
	Query *PreparedQuery

	BaseScanPaths []string
	FlagEvaluator featureflags.FlagEvaluator
	// contains filtered or unexported fields
}

QueryContext contains the context where the query is executed, which scan it belongs, basic information of query, the query compiled and its payload

type QueryLoader 

type QueryLoader struct {
	QueriesMetadata []model.QueryMetadata
	// contains filtered or unexported fields
}

QueryLoader is responsible for loading the queries for the inspector

func (QueryLoader) LoadQuery 

func (q QueryLoader) LoadQuery(ctx context.Context, query *model.QueryMetadata,
	modules []tfmodules.ParsedModule) (*rego.PreparedEvalQuery, error)

LoadQuery loads the query into memory so it can be freed when not used anymore

type QueryResult 

type QueryResult struct {
	// contains filtered or unexported fields
}

type Tracker 

type Tracker interface {
	TrackQueryLoad(queryAggregation int)
	TrackQueryExecuting(queryAggregation int)
	TrackQueryExecution(queryAggregation int)
	FailedDetectLine()
	FailedComputeSimilarityID()
	FailedComputeOldSimilarityID()
	GetOutputLines() int
}

Tracker wraps an interface that contain basic methods: TrackQueryLoad, TrackQueryExecution and FailedDetectLine TrackQueryLoad increments the number of loaded queries TrackQueryExecution increments the number of queries executed FailedDetectLine decrements the number of queries executed GetOutputLines returns the number of lines to be displayed in results outputs

type VulnerabilityBuilder 

type VulnerabilityBuilder func(ctx context.Context, qCtx *QueryContext, tracker Tracker, v interface{},
	detector *detector.DetectLine, useOldSeverities bool, kicsComputeNewSimID bool, queryDuration time.Duration) (*model.Vulnerability, error)

VulnerabilityBuilder represents a function that will build a vulnerability

Source Files

View all Source files

Directories

Path Synopsis
Package mock is a generated GoMock package.
 Package mock is a generated GoMock package.
* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
 * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
 * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
 * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.