fix(iac): Fix Issue Path in human readable and json output [IAC-2935] (…

…#5159)

src/lib/formatters/iac-output/text/formatters.ts

@@ -214,11 +214,5 @@ function extractResolve(vulnerability: Vulnerability): string {
 }
 
 function formatCloudConfigPath(vulnerability: Vulnerability): string[] {
-  const cloudConfigPath = vulnerability.resource.id.split('.');
-
-  if (vulnerability.resource.path) {
-    cloudConfigPath.push(...vulnerability.resource.path);
-  }
-
-  return cloudConfigPath;
+  return vulnerability.resource.formattedPath.split('.');
 }

src/lib/iac/test/v2/json.ts

@@ -264,7 +264,7 @@ function vulnerabilitiesToIacIssues(
       lineNumber: v.resource.line || -1,
       documentation: v.rule.documentation, // only works for rules available on snyk.io
       isGeneratedByCustomRule: !!v.rule.isGeneratedByCustomRule,
-      path: v.resource.path || [], // needs to be fixed, currently doesn't show the full path
+      path: v?.resource?.formattedPath.split('.') || [],
       compliance: [],
       description: v.rule.description,
     };

test/jest/unit/iac/process-results/fixtures/integrated-json-output.json

@@ -63,7 +63,10 @@
         "lineNumber": -1,
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-00151",
         "isGeneratedByCustomRule": false,
-        "path": [],
+        "path": [
+          "resource",
+          "aws_vpc[mainvpc]"
+        ],
         "compliance": [],
         "description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n"
       },
@@ -94,10 +97,11 @@
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-TF-5",
         "isGeneratedByCustomRule": false,
         "path": [
-          "ingress",
-          0,
-          "cidr_blocks",
-          0
+          "input",
+          "resource",
+          "aws_default_security_group[default]",
+          "ingress[0]",
+          "cidr_blocks[0]"
         ],
         "compliance": [],
         "description": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n"
@@ -162,7 +166,10 @@
         "lineNumber": 5,
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-00151",
         "isGeneratedByCustomRule": false,
-        "path": [],
+        "path": [
+          "resource",
+          "aws_vpc[mainvpc]"
+        ],
         "compliance": [],
         "description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n"
       },
@@ -193,10 +200,11 @@
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-TF-5",
         "isGeneratedByCustomRule": false,
         "path": [
-          "ingress",
-          0,
-          "cidr_blocks",
-          0
+          "input",
+          "resource",
+          "aws_default_security_group[default]",
+          "ingress[0]",
+          "cidr_blocks[0]"
         ],
         "compliance": [],
         "description": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n"

test/jest/unit/iac/process-results/fixtures/snyk-iac-test-text-output-data-with-suppressions.json

@@ -8,8 +8,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -29,12 +29,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",
@@ -54,8 +53,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": 5,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -75,12 +74,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": 16,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",

test/jest/unit/iac/process-results/fixtures/snyk-iac-test-text-output-data.json

@@ -8,8 +8,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -29,12 +29,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",
@@ -54,8 +53,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": 5,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -75,12 +74,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": 16,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",