From 10370b6a78fb9488499cc5665776dacba3d7bab3 Mon Sep 17 00:00:00 2001
From: Omri Yoffe
Date: Sun, 24 Nov 2024 13:30:38 +0200
Subject: [PATCH 1/5] add arm breadcrumbs

---
 checkov/arm/runner.py | 15 ++++++++++++---
 checkov/arm/utils.py | 5 +++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py
index e95915fa456..cd3b36aa322 100644
--- a/checkov/arm/runner.py
+++ b/checkov/arm/runner.py
@@ -3,6 +3,7 @@
 import logging
 import os
 from collections.abc import Iterable
+from pathlib import Path
 from typing import TYPE_CHECKING, Any, cast

 from typing_extensions import TypeAlias # noqa[TC002]
@@ -11,11 +12,12 @@
 from checkov.arm.graph_builder.local_graph import ArmLocalGraph
 from checkov.arm.graph_manager import ArmGraphManager
 from checkov.arm.registry import arm_resource_registry, arm_parameter_registry
-from checkov.arm.utils import get_scannable_file_paths, get_files_definitions, ARM_POSSIBLE_ENDINGS, ArmElements
+from checkov.arm.utils import get_scannable_file_paths, get_files_definitions, ARM_POSSIBLE_ENDINGS, ArmElements, clean_file_path
 from checkov.common.checks_infra.registry import get_graph_checks_registry
 from checkov.common.graph.graph_builder import CustomAttributes
 from checkov.common.graph.graph_builder.consts import GraphSource
 from checkov.common.output.extra_resource import ExtraResource
+from checkov.common.output.graph_record import GraphRecord
 from checkov.common.output.record import Record
 from checkov.common.output.report import Report
 from checkov.common.bridgecrew.check_type import CheckType
@@ -263,7 +265,7 @@ def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -
 for check, check_results in graph_checks_results.items():
 for check_result in check_results:
 entity = check_result["entity"]
- entity_file_path: str = entity[CustomAttributes.FILE_PATH]
+ entity_file_path = entity[CustomAttributes.FILE_PATH]
 start_line = entity[START_LINE] - 1
 end_line = entity[END_LINE] - 1

@@ -272,7 +274,7 @@ def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -
 check=check,
 check_result=check_result,
 code_block=self.definitions_raw[entity_file_path][start_line:end_line],
- file_path=entity_file_path,
+ file_path=self.extract_file_path_from_abs_path(clean_file_path(entity_file_path)),
 file_abs_path=os.path.abspath(entity_file_path),
 file_line_range=[start_line - 1, end_line - 1],
 resource_id=entity[CustomAttributes.ID],
@@ -304,5 +306,12 @@ def build_record(
 file_abs_path=file_abs_path,
 severity=check.severity,
 )
+ if self.breadcrumbs:
+ breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(record.resource)
+ if breadcrumb:
+ record = GraphRecord(record, breadcrumb)
 record.set_guideline(check.guideline)
 report.add_record(record=record)
+
+ def extract_file_path_from_abs_path(self, path: Path) -> str:
+ return f"/{os.path.relpath(path, self.root_folder)}"
diff --git a/checkov/arm/utils.py b/checkov/arm/utils.py
index 2d3ac8f8388..46309a0b802 100644
--- a/checkov/arm/utils.py
+++ b/checkov/arm/utils.py
@@ -115,3 +115,8 @@ def extract_resource_name_from_reference_func(reference: str) -> str:

 def clean_string(input: str) -> str:
 return input.replace("'", '').replace(" ", "")
+
+def clean_file_path(file_path: Path) -> Path:
+ path_parts = [part for part in file_path.parts if part not in (".", "..")]
+
+ return Path(*path_parts)
From 8b012674e3d3f5d7766f35d54f7c1220a5976ea2 Mon Sep 17 00:00:00 2001
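Review bot: `extract_file_path_from_abs_path` is added without a docstring, and its name promises an absolute-path input while its only caller in this patch (the `@@ -272` hunk above) passes `clean_file_path(entity_file_path)`, a relative path with its `.`/`..` components stripped; a docstring such as `"""Return *path* relative to self.root_folder, prefixed with a separator (the form used for Record.file_path)."""` would state the real contract. The breadcrumb lookup in `build_record` keys `self.breadcrumbs` on `record.file_path`, which for graph records is now this transformed form, so if `self.breadcrumbs` (populated outside this diff) is keyed by the raw file path the `.get()` silently returns `None` and no `GraphRecord` is ever produced — worth a test that asserts a breadcrumb hit. `build_record` starts outside the hunk.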
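Review bot: `clean_file_path` drops every `.` and `..` component instead of resolving them, so `a/../b.json` becomes `a/b.json` — a different file from the `b.json` that `os.path.normpath` would return, and the report's `file_path` can then name a file that does not exist while `file_abs_path` names the real one. If the intent is only to strip a leading `./` or `../` for display, a comment saying so (and a docstring such as `"""Return *file_path* with all '.' and '..' components removed; a display form, not a resolved path."""`) would keep the next reader from treating it as normalisation. The hunk also adds no import of `Path` to utils.py; unless `pathlib.Path` is already imported above line 115 (not visible here), `Path(*path_parts)` raises `NameError` on the first call.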
From: Omri Yoffe
Date: Sun, 24 Nov 2024 13:58:03 +0200
Subject: [PATCH 2/5] fix file paths

---
 checkov/arm/runner.py | 9 +++++----
 checkov/arm/utils.py | 1 +
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py
index cd3b36aa322..983e317f9bb 100644
--- a/checkov/arm/runner.py
+++ b/checkov/arm/runner.py
@@ -140,6 +140,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 path_to_convert = (os.path.join(root_folder, arm_file)) if root_folder else arm_file
 file_abs_path = os.path.abspath(path_to_convert)

+ cleaned_path = clean_file_path(Path(arm_file))
 if isinstance(self.definitions[arm_file], dict):
 arm_context_parser = ContextParser(arm_file, self.definitions[arm_file], self.definitions_raw[arm_file])

@@ -197,7 +198,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 check_name=check.name,
 check_result=check_result,
 code_block=entity_code_lines,
- file_path=arm_file,
+ file_path=self.extract_file_path_from_abs_path(cleaned_path),
 file_line_range=entity_lines_range,
 resource=resource_id,
 evaluations=variable_evaluations,
@@ -212,7 +213,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 report.extra_resources.add(
 ExtraResource(
 file_abs_path=file_abs_path,
- file_path=arm_file,
+ file_path=self.extract_file_path_from_abs_path(cleaned_path),
 resource=resource_id,
 )
 )
@@ -247,7 +248,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 check=check,
 check_result=check_result,
 code_block=censored_code_lines,
- file_path=arm_file,
+ file_path=self.extract_file_path_from_abs_path(cleaned_path),
 file_abs_path=file_abs_path,
 file_line_range=entity_lines_range,
 resource_id=resource_id,
@@ -314,4 +315,4 @@ def build_record(
 report.add_record(record=record)

 def extract_file_path_from_abs_path(self, path: Path) -> str:
- return f"/{os.path.relpath(path, self.root_folder)}"
+ return f"${os.path.sep}{os.path.relpath(path, self.root_folder)}"
diff --git a/checkov/arm/utils.py b/checkov/arm/utils.py
index 46309a0b802..ec2dac1eb35 100644
--- a/checkov/arm/utils.py
+++ b/checkov/arm/utils.py
@@ -116,6 +116,7 @@ def extract_resource_name_from_reference_func(reference: str) -> str:
 def clean_string(input: str) -> str:
 return input.replace("'", '').replace(" ", "")

+
 def clean_file_path(file_path: Path) -> Path:
 path_parts = [part for part in file_path.parts if part not in (".", "..")]

From 16013f957fe2942460a6bb36af0b76f5874749ff Mon Sep 17 00:00:00 2001
From: Omri Yoffe
Date: Sun, 24 Nov 2024 14:52:07 +0200
Subject: [PATCH 3/5] fix paths

---
 checkov/arm/runner.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py
index 983e317f9bb..7f7151ebc49 100644
--- a/checkov/arm/runner.py
+++ b/checkov/arm/runner.py
@@ -140,7 +140,6 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 path_to_convert = (os.path.join(root_folder, arm_file)) if root_folder else arm_file
 file_abs_path = os.path.abspath(path_to_convert)

- cleaned_path = clean_file_path(Path(arm_file))
 if isinstance(self.definitions[arm_file], dict):
 arm_context_parser = ContextParser(arm_file, self.definitions[arm_file], self.definitions_raw[arm_file])

@@ -198,7 +197,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 check_name=check.name,
 check_result=check_result,
 code_block=entity_code_lines,
- file_path=self.extract_file_path_from_abs_path(cleaned_path),
+ file_path=arm_file,
 file_line_range=entity_lines_range,
 resource=resource_id,
 evaluations=variable_evaluations,
@@ -213,7 +212,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 report.extra_resources.add(
 ExtraResource(
 file_abs_path=file_abs_path,
- file_path=self.extract_file_path_from_abs_path(cleaned_path),
+ file_path=arm_file,
 resource=resource_id,
 )
 )
@@ -315,4 +314,4 @@ def build_record(
 report.add_record(record=record)

 def extract_file_path_from_abs_path(self, path: Path) -> str:
- return f"${os.path.sep}{os.path.relpath(path, self.root_folder)}"
+ return f"{os.path.sep}{os.path.relpath(path, self.root_folder)}"
From 22d76ff83977c2aa20180057efd9235fbcdfaa24 Mon Sep 17 00:00:00 2001
From: Omri Yoffe
Date: Sun, 24 Nov 2024 14:55:30 +0200
Subject: [PATCH 4/5] fix

---
 checkov/arm/runner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py
index 7f7151ebc49..430ff009e23 100644
--- a/checkov/arm/runner.py
+++ b/checkov/arm/runner.py
@@ -247,7 +247,7 @@ def add_python_check_results(self, report: Report, runner_filter: RunnerFilter,
 check=check,
 check_result=check_result,
 code_block=censored_code_lines,
- file_path=self.extract_file_path_from_abs_path(cleaned_path),
+ file_path=arm_file,
 file_abs_path=file_abs_path,
 file_line_range=entity_lines_range,
 resource_id=resource_id,
From aaf474397809813bb99121b73c6408a24824237c Mon Sep 17 00:00:00 2001
From: Omri Yoffe
Date: Sun, 24 Nov 2024 15:06:57 +0200
Subject: [PATCH 5/5] path

---
 checkov/arm/runner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py
index 430ff009e23..52b23c8492c 100644
--- a/checkov/arm/runner.py
+++ b/checkov/arm/runner.py
@@ -274,7 +274,7 @@ def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -
 check=check,
 check_result=check_result,
 code_block=self.definitions_raw[entity_file_path][start_line:end_line],
- file_path=self.extract_file_path_from_abs_path(clean_file_path(entity_file_path)),
+ file_path=self.extract_file_path_from_abs_path(clean_file_path(Path(entity_file_path))),
 file_abs_path=os.path.abspath(entity_file_path),
 file_line_range=[start_line - 1, end_line - 1],
 resource_id=entity[CustomAttributes.ID],
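Review bot: `file_path` and `file_abs_path` on adjacent lines are now derived differently: `file_abs_path` comes from the raw `entity_file_path`, while `file_path` comes from a copy with its `.`/`..` components stripped, which `os.path.relpath` then resolves against the current working directory before relativising it to `self.root_folder`. If `entity_file_path` can contain `..` segments (which the existence of `clean_file_path` suggests), the two fields describe different files, and `relpath` reintroduces `..` anyway whenever the result lies outside `self.root_folder`. Passing the helper the absolute path its name asks for keeps both fields consistent: `file_path=self.extract_file_path_from_abs_path(Path(os.path.abspath(entity_file_path))),`. `add_graph_check_results` starts and ends outside the hunk.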