Merge pull request #2570 from bridgecrewio/new_yaml_operator_jsonpath_exists

new operator jsonpath exists

Author: matansha

checkov/common/checks_infra/checks_parser.py

@@ -27,6 +27,7 @@
     LessThanAttributeSolver,
     LessThanOrEqualAttributeSolver,
     JsonpathEqualsAttributeSolver,
+    JsonpathExistsAttributeSolver
 )
 from checkov.common.checks_infra.solvers.attribute_solvers.not_subset_attribute_solver import NotSubsetAttributeSolver
 from checkov.common.checks_infra.solvers.attribute_solvers.subset_attribute_solver import SubsetAttributeSolver
@@ -57,7 +58,8 @@
     "less_than_or_equal": LessThanOrEqualAttributeSolver,
     "subset": SubsetAttributeSolver,
     "not_subset": NotSubsetAttributeSolver,
-    "jsonpath_equals": JsonpathEqualsAttributeSolver
+    "jsonpath_equals": JsonpathEqualsAttributeSolver,
+    "jsonpath_exists": JsonpathExistsAttributeSolver
 }
 
 operators_to_complex_solver_classes = {

checkov/common/checks_infra/solvers/attribute_solvers/__init__.py

@@ -17,3 +17,5 @@
 from checkov.common.checks_infra.solvers.attribute_solvers.less_than_attribute_solver import LessThanAttributeSolver
 from checkov.common.checks_infra.solvers.attribute_solvers.less_than_or_equal_attribute_solver import LessThanOrEqualAttributeSolver
 from checkov.common.checks_infra.solvers.attribute_solvers.jsonpath_equals_attribute_solver import JsonpathEqualsAttributeSolver
+from checkov.common.checks_infra.solvers.attribute_solvers.jsonpath_exists_attribute_solver import JsonpathExistsAttributeSolver
+

checkov/common/checks_infra/solvers/attribute_solvers/jsonpath_exists_attribute_solver.py

@@ -0,0 +1,16 @@
+from typing import List, Optional, Any, Dict
+
+from checkov.common.checks_infra.solvers.attribute_solvers.jsonpath_equals_attribute_solver import JsonpathEqualsAttributeSolver
+from checkov.common.graph.checks_infra.enums import Operators
+
+
+class JsonpathExistsAttributeSolver(JsonpathEqualsAttributeSolver):
+    operator = Operators.JSONPATH_EXISTS
+
+    def __init__(self, resource_types: List[str], attribute: Optional[str], value: Any) -> None:
+        super().__init__(resource_types=resource_types,
+                         attribute=attribute, value=value)
+
+    def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool:
+        return vertex.get(attribute) is not None
+

checkov/common/graph/checks_infra/enums.py

@@ -45,3 +45,4 @@ class Operators:
     AND = 'and'
     OR = 'or'
     JSONPATH_EQUALS = 'jsonpath_equals'
+    JSONPATH_EXISTS = 'jsonpath_exists'

docs/3.Custom Policies/YAML Custom Policies.md

@@ -90,33 +90,22 @@ definition:
 | Not Ends With         | `not_ending_with`       |
 | Greater Than          | `greater_than`          |
 | Greater Than Or Equal | `greater_than_or_equal` |
-| Less Than | `less_than` |
-| Less Than Or Equal | `less_than_or_equal` |
-| Subset | `subset` |
-| Not Subset | `not_subset` |
-
-### Attribute Condition: Keys and Values
-
-| Key | Type | Value(s) |
-| --- | --- | --- |
-| `cond_type` | string | Must be `attribute` |
-| `resource_type` | collection of strings | Use either `all` or `[resource types from list]` |
-| `attribute` | string | Attribute of defined resource types. For example, `automated_snapshot_retention_period` |
-| `operator` | string | - `equals`, `not_equals`, `regex_match`, `not_regex_match`, `exists`, `not exists`, `any`, `contains`, `not_contains`, `within`, `starting_with`, `not_starting_with`, `ending_with`, `not_ending_with`, `greater_than`, `greater_than_or_equal`, `less_than`, `less_than_or_equal`, `subset`, `not_subset` |
-| `value` (not relevant for operator: `exists`/`not_exists`) | string | User input. |
 | Less Than             | `less_than`             |
 | Less Than Or Equal    | `less_than_or_equal`    |
+| Subset                | `subset`                |
+| Not Subset            | `not_subset`            |
 | Json Path Equals      | `jsonpath_equals`       |
+| Json Path Exists      | `jsonpath_exists`       |
 
 ### Attribute Condition: Keys and Values
 
-| Key | Type | Value(s)                                                                                                                                                                                                                                                                              |
-| --- | --- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `cond_type` | string | Must be `attribute`                                                                                                                                                                                                                                                                   |
-| `resource_type` | collection of strings | Use either `all` or `[resource types from list]`                                                                                                                                                                                                                                      |
-| `attribute` | string | Attribute of defined resource types. For example, `automated_snapshot_retention_period`                                                                                                                                                                                               |
-| `operator` | string | - `equals`, `not_equals`, `regex_match`, `not_regex_match`, `exists`, `not exists`, `any`, `contains`, `not_contains`, `within`, `starting_with`, `not_starting_with`, `ending_with`, `not_ending_with`, `greater_than`, `greater_than_or_equal`, `less_than`, `less_than_or_equal`, `jsonpath_equals` |
-| `value` (not relevant for operator: `exists`/`not_exists`) | string | User input.                                                                                                                                                                                                                                                                           |
+| Key | Type | Value(s)                                                                                                                                                                                                                                                                                                 |
+| --- | --- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `cond_type` | string | Must be `attribute`                                                                                                                                                                                                                                                                                      |
+| `resource_type` | collection of strings | Use either `all` or `[resource types from list]`                                                                                                                                                                                                                                                         |
+| `attribute` | string | Attribute of defined resource types. For example, `automated_snapshot_retention_period`                                                                                                                                                                                                                  |
+| `operator` | string | - `equals`, `not_equals`, `regex_match`, `not_regex_match`, `exists`, `not exists`, `any`, `contains`, `not_contains`, `within`, `starting_with`, `not_starting_with`, `ending_with`, `not_ending_with`, `greater_than`, `greater_than_or_equal`, `less_than`, `less_than_or_equal`, `jsonpath_equals`, `jsonpath_exists` |
+| `value` (not relevant for operator: `exists`/`not_exists`) | string | User input.                                                                                                                                                                                                                                                                                              |
 
 
 ## Connection State Block

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/AzureSecureRule.yaml

@@ -0,0 +1,11 @@
+metadata:
+  id: "AzureSecureRule"
+scope:
+  provider: "AZURE"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "azurerm_network_security_group"
+  attribute: "security_rule[?(@.name == 'rule_we_care_about')].source_address_prefixes[*]"
+  operator: "jsonpath_equals"
+  value: "allowed_ip"

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py

@@ -27,3 +27,12 @@ def test_jsonpath_equals_solver_wildcard(self):
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_jsonpath_equals_azure_rule(self):
+        root_folder = '../../../resources/azure_secure_rule'
+        check_id = "AzureSecureRule"
+        should_pass = ['azurerm_network_security_group.sg_fail']
+        should_fail = ['azurerm_network_security_group.sg_fail2']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/AzureSecureRule.yaml

@@ -0,0 +1,11 @@
+metadata:
+  id: "AzureSecureRule"
+scope:
+  provider: "AZURE"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "azurerm_resource_group"
+    - "azurerm_network_security_group"
+  attribute: "security_rule[?(@.name == 'rule_we_do not_care_about')].source_address_prefixes"
+  operator: "jsonpath_exists"

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/CkSshPortOpenForAll.yaml

@@ -0,0 +1,17 @@
+metadata:
+  id: "CkSshPortOpenForAll"
+scope:
+  provider: "AWS"
+definition:
+  and:
+    - cond_type: "attribute"
+      resource_types:
+        - "aws_security_group"
+      attribute: "ingress[?(@.to_port == 22 & @.from_port == 22)].cidr_blocks[*]"
+      operator: "jsonpath_exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "aws_security_group"
+      attribute: "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/92')]"
+      operator: "jsonpath_exists"
+

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/PublicDBSG.yaml

@@ -0,0 +1,12 @@
+metadata:
+  id: "PublicDBSG"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "aws_db_security_group"
+    - "aws_security_group"
+  attribute: "ingress.cidr_blocks"
+  operator: "jsonpath_exists"
+

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/__init__.py

@@ -0,0 +1,17 @@
+resource "xyz" "pass" {
+  arr {
+    name = "a"
+    value = "a"
+  }
+  arr {
+    name = "b"
+    value = "x"
+  }
+}
+
+resource "xyz" "fail" {
+  arr {
+    name = "b"
+    value = "x"
+  }
+}

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/example.tf

@@ -0,0 +1,11 @@
+metadata:
+  id: "example"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+  - "xyz"
+  attribute: "arr[?(@.name == 'a')]"
+  operator: "jsonpath_exists"
+

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/example.yaml

@@ -0,0 +1,47 @@
+import os
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__))
+
+
+class TestJsonpathExistsSolver(TestBaseSolver):
+    def setUp(self):
+        self.checks_dir = TEST_DIRNAME
+        super().setUp()
+
+    def test_jsonpath_exists_solver_simple(self):
+        root_folder = '../../../resources/public_security_groups'
+        check_id = "PublicDBSG"
+        should_pass = ['aws_security_group.aws_security_group_private']
+        should_fail = ['aws_db_security_group.aws_db_security_group_public']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_jsonpath_exists_solver_wildcard(self):
+        root_folder = '../../../resources/security_group_multiple_rules3'
+        check_id = "CkSshPortOpenForAll"
+        should_pass = ['aws_security_group.sg1']
+        should_fail = ['aws_security_group.sg2', 'aws_security_group.sg3']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_jsonpath_exists_azure_rule(self):
+        root_folder = '../../../resources/azure_secure_rule'
+        check_id = "AzureSecureRule"
+        should_pass = ['azurerm_network_security_group.sg_fail']
+        should_fail = ['azurerm_network_security_group.sg_fail2']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_jsonpath_exists_example(self):
+        root_folder = './'
+        check_id = "example"
+        should_pass = ['xyz.pass']
+        should_fail = ['xyz.fail']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)

tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/test_solver.py

@@ -0,0 +1,46 @@
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_network_security_group" "example" {
+  name                = "acceptanceTestSecurityGroup1"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_network_security_group" "sg_fail" {
+  # this will fail DoNotUseInlineRule
+  name                = "sg-fail"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  security_rule = [
+    {
+      name                    = "rule_we_care_about"
+      source_address_prefixes = ["allowed_ip"]
+    },
+    {
+      name                    = "rule_we_do not_care_about"
+      source_address_prefixes = ["some_other_ip"]
+    }
+  ]
+}
+
+resource "azurerm_network_security_group" "sg_fail2" {
+  # this will fail DoNotUseInlineRule
+  name                = "sg-fail"
+  location            = "azurerm_resource_group.example.location"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  security_rule = [
+    {
+      name                    = "rule_we_care_about"
+      source_address_prefixes = ["disallowed_ip"]
+    },
+    {
+      name                    = "rule_we_do not_care_about2"
+      source_address_prefixes = ["allowed_ip"]
+    }
+  ]
+}