
feat(terraform): add new gcp postgresql checks

Open losisin opened this issue 1 year ago • 3 comments

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Add new Google Cloud PostgreSQL checks for: log_statement, log_hostname, log_min_error_statement and cloudsql.enable_pgaudit. I also take into account default values from the cloud provider.

Fixes #3531

Description

These are from CIS 1.3, sections 6.2.4, 6.2.5, 6.2.7 and 6.2.9. Default values from cloud provider and from here

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] I have added tests that prove my feature, policy, or fix is effective and works
  • [x] New and existing tests pass locally with my changes
  • [x] Any dependent changes have been merged and published in downstream modules

losisin avatar Sep 19 '22 07:09 losisin
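An added illustrative example (not the PR's code and not checkov's API) of the evaluation the description mentions: each flag is read from `settings.database_flags`, and a flag that is absent falls back to an assumed Cloud SQL PostgreSQL default instead of being treated as a pass or a fail. The default values, the compliant values, and the parsed-resource shape (every attribute wrapped in a list, as an HCL2 parse yields) are assumptions of this example.

```python
# Assumed Cloud SQL PostgreSQL defaults: what the instance runs with when a flag is not set.
PROVIDER_DEFAULTS = {
    "log_statement": "none",
    "log_hostname": "off",
    "log_min_error_statement": "error",
    "cloudsql.enable_pgaudit": "off",
}

# Assumed compliant values per flag (this example's reading of the CIS 1.3 6.2.x items);
# for log_min_error_statement, "error" or any higher severity in PostgreSQL's ordering.
COMPLIANT_VALUES = {
    "log_statement": {"ddl", "mod", "all"},
    "log_hostname": {"on"},
    "log_min_error_statement": {"error", "log", "fatal", "panic"},
    "cloudsql.enable_pgaudit": {"on"},
}


def is_postgres(conf: dict) -> bool:
    """True when database_version starts with POSTGRES (the checks do not apply to MySQL/SQL Server)."""
    return any(str(v).upper().startswith("POSTGRES") for v in conf.get("database_version", []))


def effective_flags(conf: dict) -> dict:
    """Overlay flags declared in settings.database_flags on top of the provider defaults."""
    flags = dict(PROVIDER_DEFAULTS)
    for settings in conf.get("settings", []):
        for flag in settings.get("database_flags", []):
            name = flag.get("name", [None])[0]
            value = flag.get("value", [None])[0]
            if name in flags and value is not None:
                flags[name] = str(value).lower()
    return flags


def evaluate(conf: dict) -> dict:
    """Return {flag: 'PASSED'|'FAILED'} for one google_sql_database_instance, {} if not PostgreSQL."""
    if not is_postgres(conf):
        return {}
    flags = effective_flags(conf)
    return {name: "PASSED" if flags[name] in ok else "FAILED" for name, ok in COMPLIANT_VALUES.items()}


# Constructed sample: two flags set explicitly, two left to the provider defaults.
SAMPLE_POSTGRES = {
    "database_version": ["POSTGRES_14"],
    "settings": [{"database_flags": [
        {"name": ["log_statement"], "value": ["ddl"]},
        {"name": ["cloudsql.enable_pgaudit"], "value": ["on"]},
    ]}],
}
SAMPLE_MYSQL = {"database_version": ["MYSQL_8_0"], "settings": [{}]}
```

In the sample, log_hostname fails because its default is off, while log_min_error_statement passes on its default of error, which is why a missing flag cannot simply be scored as missing.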

@gruebel @JamesWoolfenden is this PR something that would be of interest?

losisin avatar Sep 20 '22 06:09 losisin

hey @losisin yeah definitely great work 🚀 I just need to find some time to go through them all 😄 next time it would be better to split the PR into 2 or 4 PRs then reviewing is also faster.

gruebel avatar Sep 20 '22 10:09 gruebel

@gruebel next time will do!

losisin avatar Sep 20 '22 14:09 losisin

I agree 💯 although my python skills are very humble :). If you refer to something like this, I would be definitely interested. Same PR or we merge this one and then refactor all gcp postgres checks at slower pace?

losisin avatar Sep 22 '22 19:09 losisin

Just wanted to say thank you for including the benchmark!

tsmithv11 avatar Sep 23 '22 07:09 tsmithv11

@gruebel is the latest commit what you had in mind?

losisin avatar Sep 23 '22 18:09 losisin

I really don't understand how this is possible? It's work in progress in my own branch in a fork of this repository. What on earth is going on?

=================================== FAILURES ===================================
_______________ TestScannerRegistry.test_non_colliding_check_ids _______________
[gw1] linux -- Python 3.8.13 /home/runner/.local/share/virtualenvs/checkov-_hkiHoFg/bin/python

self = <tests.terraform.test_scanner_registry.TestScannerRegistry testMethod=test_non_colliding_check_ids>

    def test_non_colliding_check_ids(self):
        check_id_check_class_map = {}
        for (resource_type, checks) in registry.checks.items():
            for check in checks:
                check_id_check_class_map.setdefault(check.id, []).append(check)
    
        for check_id, check_classes in check_id_check_class_map.items():
>           self.assertEqual(len(set(check_classes)), 1,"collision on check_id={}".format(check_id))
E           AssertionError: 2 != 1 : collision on check_id=CKV_GCP_107

tests/terraform/test_scanner_registry.py:27: AssertionError
_________________ TestRunnerValid.test_check_ids_dont_collide __________________
[gw0] linux -- Python 3.8.13 /home/runner/.local/share/virtualenvs/checkov-_hkiHoFg/bin/python

self = <tests.terraform.runner.test_runner.TestRunnerValid testMethod=test_check_ids_dont_collide>

    def test_check_ids_dont_collide(self):
        runner = Runner()
        unique_checks = {}
        bad_checks = []
        for registry in list(runner.block_type_registries.values()):
            checks = [check for entity_type in list(registry.checks.values()) for check in entity_type]
            for check in checks:
                if check.id not in unique_checks:
                    unique_checks[check.id] = check
                elif check != unique_checks[check.id]:
                    # A single check can have multiple resource blocks it checks, which means it will show up multiple times in the registry
                    bad_checks.append(f'{check.id}: {check.name}')
                    print(f'{check.id}: {check.name}')
>       self.assertEqual(len(bad_checks), 0, f'Bad checks: {bad_checks}')
E       AssertionError: 2 != 0 : Bad checks: ['CKV_GCP_107: Cloud functions should not be public', 'CKV_GCP_107: Cloud functions should not be public']

Can someone help me out?

losisin avatar Sep 27 '22 06:09 losisin

Hi aleks, your check id has been used up by a new check that was already merged but not yet in your branch. Merge with master and pick a new check id that isn't in use yet and you'll be golden. This happens all the time, especially if your PR takes a while to get merged. James


JamesWoolfenden avatar Oct 11 '22 09:10 JamesWoolfenden