20 package com.hack23.sonar.cloudformation.reports.checkov;
21
import static org.junit.Assert.assertFalse;

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVParser;
import org.apache.commons.csv.CSVRecord;
import org.junit.Test;
35
36
37
38
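/**
 * Generates SonarQube rule definition XML for checkov policies.
 *
 * <p>This is a generator that happens to run as a JUnit test: each test method reads
 * the checkov policy table from the {@code /checkov/rules.txt} classpath resource,
 * renders one {@code <rule>} element per unique resource-level policy of the requested
 * IaC flavour and prints it to stdout so it can be pasted into the plugin's rule
 * definition file. Nothing is asserted beyond the resource being present and
 * non-empty.</p>
 *
 * <p>Every rule is tagged with OWASP / CWE / NIST SP 800-53 control tags chosen by a
 * keyword heuristic over the rendered rule text (see {@link #NIST_POLICY_STRING_MAPPING}).
 * Because these tags feed compliance reporting, the mapping must be deterministic and
 * the field values must be XML-escaped before they are embedded in the template.</p>
 */
public class CheckovSonarqubeRuleGeneratorTest {

	/**
	 * Template for one SonarQube rule definition. {RULE_ID}, {NAME} and {IaC} are
	 * filled from a row of the checkov table (after XML escaping); {EXTRA_TAGS} receives
	 * the tag snippet of the first matching mapping entry, or nothing.
	 */
	private static final String XML_ENTRY =" <rule>\n"
			+ " <key>{IaC}-{RULE_ID}</key>\n"
			+ " <name>{NAME}</name>\n"
			+ " <internalKey>{IaC}-{RULE_ID}</internalKey>\n"
			+ " <description>{NAME}</description>\n"
			+ " <severity>CRITICAL</severity>\n"
			+ " <cardinality>SINGLE</cardinality>\n"
			+ " <status>READY</status>\n"
			+ " <type>VULNERABILITY</type>\n"
			+ " <tag>security</tag>\n"
			+ " <tag>checkov</tag>\n"
			+ " <tag>{IaC}</tag>{EXTRA_TAGS}\n"
			+ " <remediationFunction>CONSTANT_ISSUE</remediationFunction>\n"
			+ " <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>\n"
			+ " </rule>";

	/** Classpath location of the checkov policy table (pipe-delimited, with header row). */
	private static final String RULES_RESOURCE = "/checkov/rules.txt";

	// Keyword → control-tag snippets. Keys are matched case-insensitively as substrings
	// of the rendered rule entry; the tag snippets are appended verbatim after <tag>{IaC}</tag>.

	private static final String DETECT_SC_13 ="encrypted at rest";

	private static final String DETECT2_SC_13 ="securely encrypted";

	private static final String SC_13_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-311</tag>\n <tag>800-53-sc-13</tag>";

	private static final String DETECT_SC_12 ="Ensure rotation";

	private static final String SC_12_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-320</tag>\n <tag>800-53-sc-12</tag>";

	private static final String DETECT_SC_8 ="encryption transit";

	private static final String DETECT2_SC_8 ="https";

	private static final String DETECT3_SC_8 ="uses SSL";

	private static final String DETECT4_SC_8 ="node-to-node encryption";

	private static final String SC_8_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-311</tag>\n <tag>800-53-sc-8</tag>";

	private static final String DETECT_AC_6 ="IAM policies";

	private static final String DETECT_IA_5 ="IAM password policy";

	private static final String IA_5_TAGS ="\n <tag>owasp-a3</tag>\n <tag>cweid-257</tag>\n <tag>800-53-ia-5</tag>";

	private static final String AC_6_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-272</tag>\n <tag>800-53-ac-6</tag>";

	private static final String DETECT_AC_4_GROUP ="security group";

	private static final String AC_4_TAGS_GROUP ="\n <tag>owasp-a6</tag>\n <tag>cweid-732</tag>\n <tag>800-53-ac-4</tag>";

	private static final String DETECT_AC_4 ="public";

	private static final String AC_4_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-732</tag>\n <tag>800-53-ac-4</tag>";

	private static final String DETECT_AU_12 ="logging";

	private static final String AU_12_TAGS ="\n <tag>owasp-a10</tag>\n <tag>cweid-778</tag>\n <tag>800-53-au-12</tag>";

	private static final String DETECT_CP_9 ="retention backup";

	private static final String CP_9_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-693</tag>\n <tag>800-53-cp-9</tag>";

	private static final String DETECT_AU_11 ="retention log";

	private static final String AU_11_TAGS ="\n <tag>owasp-a6</tag>\n <tag>cweid-779</tag>\n <tag>800-53-au-11</tag>";

	/**
	 * Keyword → tag-snippet mapping. Only the FIRST matching entry is applied to a
	 * rule, so insertion order is precedence (e.g. "IAM password policy" is tried before
	 * "IAM policies", "retention log" after "logging"). A {@link LinkedHashMap} is used
	 * deliberately: with a plain {@code HashMap} the winner for a policy matching several
	 * keywords would depend on hash iteration order and the NIST/CWE tags could differ
	 * between runs, which is unacceptable for compliance mapping.
	 */
	private static final Map<String, String> NIST_POLICY_STRING_MAPPING = new LinkedHashMap<>();

	static {
		NIST_POLICY_STRING_MAPPING.put(DETECT_SC_13, SC_13_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT2_SC_13, SC_13_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_SC_12, SC_12_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_SC_8, SC_8_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT2_SC_8, SC_8_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT3_SC_8, SC_8_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT4_SC_8, SC_8_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_IA_5, IA_5_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_AC_6, AC_6_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_AC_4, AC_4_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_AC_4_GROUP, AC_4_TAGS_GROUP);
		NIST_POLICY_STRING_MAPPING.put(DETECT_AU_12, AU_12_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_CP_9, CP_9_TAGS);
		NIST_POLICY_STRING_MAPPING.put(DETECT_AU_11, AU_11_TAGS);
	}

	/**
	 * Prints the SonarQube rule definitions for all CloudFormation checkov policies.
	 *
	 * @throws IOException if the rules resource cannot be parsed
	 */
	@Test
	public void generateSonarqubeRuleDefinitionsForCheckovCloudformationTest() throws IOException {
		printRuleDefinitionsFor("cloudformation");
	}

	/**
	 * Prints the SonarQube rule definitions for all Terraform checkov policies.
	 *
	 * @throws IOException if the rules resource cannot be parsed
	 */
	@Test
	public void generateSonarqubeRuleDefinitionsForCheckovTerraformTest() throws IOException {
		printRuleDefinitionsFor("terraform");
	}

	/**
	 * Reads the checkov policy table and prints one rule entry per unique
	 * {@code <IaC>-<Id>} key whose {@code Type} is {@code resource} and whose
	 * {@code IaC} equals {@code iac} (case-insensitively).
	 *
	 * @param iac the IaC flavour to select, e.g. {@code "cloudformation"}
	 * @throws IOException if the resource cannot be parsed
	 * @throws NullPointerException if the resource is missing from the classpath
	 */
	private static void printRuleDefinitionsFor(final String iac) throws IOException {
		// A missing resource would otherwise surface as an opaque NPE inside InputStreamReader.
		final InputStream rulesStream = Objects.requireNonNull(
				CheckovSonarqubeRuleGeneratorTest.class.getResourceAsStream(RULES_RESOURCE),
				"missing test resource " + RULES_RESOURCE);
		// try-with-resources: the parser owns the reader/stream and closes both.
		try (CSVParser parser = CSVParser.parse(new InputStreamReader(rulesStream, StandardCharsets.UTF_8),
				CSVFormat.EXCEL.withHeader().withDelimiter('|').withTrim())) {
			final List<CSVRecord> records = parser.getRecords();
			assertFalse(records.isEmpty());

			final Set<String> seenRuleKeys = new HashSet<>();
			// The first record after the header is skipped; in the bundled table this is
			// presumably the markdown-style |---|---| separator row — verify against rules.txt.
			for (final CSVRecord record : records.subList(1, records.size())) {
				if (!record.isSet("Id")
						|| !"resource".equals(record.get("Type"))
						|| !iac.equalsIgnoreCase(record.get("IaC"))) {
					continue;
				}
				// The table lists some policies more than once; emit each rule key only once.
				final String ruleKey = record.get("IaC") + "-" + record.get("Id");
				if (!seenRuleKeys.add(ruleKey)) {
					continue;
				}
				System.out.println(renderRule(record));
			}
		}
	}

	/**
	 * Renders {@link #XML_ENTRY} for one table row and applies the first matching
	 * control-tag snippet from {@link #NIST_POLICY_STRING_MAPPING}.
	 *
	 * @param record a row with the {@code Id}, {@code Policy} and {@code IaC} columns set
	 * @return the complete {@code <rule>} element
	 */
	private static String renderRule(final CSVRecord record) {
		// Locale.ROOT keeps the generated keys stable regardless of the JVM default locale.
		final String iac = record.get("IaC").toLowerCase(Locale.ROOT);
		final String untagged = XML_ENTRY
				.replace("{RULE_ID}", escapeXml(record.get("Id")))
				.replace("{NAME}", escapeXml(record.get("Policy")))
				.replace("{IaC}", escapeXml(iac));

		// Match keywords against the rendered entry (as the original generator did);
		// first hit in insertion order wins.
		final String haystack = untagged.toLowerCase(Locale.ROOT);
		String extraTags = "";
		for (final Map.Entry<String, String> mapping : NIST_POLICY_STRING_MAPPING.entrySet()) {
			if (haystack.contains(mapping.getKey().toLowerCase(Locale.ROOT))) {
				extraTags = mapping.getValue();
				break;
			}
		}
		return untagged.replace("{EXTRA_TAGS}", extraTags);
	}

	/**
	 * Escapes a field value for use as XML character data inside {@link #XML_ENTRY}.
	 * Policy names come from the checkov table and may contain {@code &}, {@code <} or
	 * {@code >}; left unescaped they would break — or inject elements into — the generated
	 * rule definition. The previous version only handled {@code "}.
	 *
	 * @param value raw field value, never {@code null}
	 * @return the value with {@code &}, {@code <}, {@code >} and {@code "} escaped
	 */
	private static String escapeXml(final String value) {
		return value.replace("&", "&amp;") // must run first so the entities below are not re-escaped
				.replace("<", "&lt;")
				.replace(">", "&gt;")
				.replace("\"", "&quot;");
	}

}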