fix(iac): Fix Issue Path in human readable and json output [IAC-2935]

snyk · Apr 15, 2024 · f1350af · f1350af
1 parent b55fbc8
commit f1350af
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 50 deletions.
diff --git a/src/lib/formatters/iac-output/text/formatters.ts b/src/lib/formatters/iac-output/text/formatters.ts
@@ -214,11 +214,5 @@ function extractResolve(vulnerability: Vulnerability): string {
 }
 
 function formatCloudConfigPath(vulnerability: Vulnerability): string[] {
-  const cloudConfigPath = vulnerability.resource.id.split('.');
-
-  if (vulnerability.resource.path) {
-    cloudConfigPath.push(...vulnerability.resource.path);
-  }
-
-  return cloudConfigPath;
+  return vulnerability.resource.formattedPath.split('.');
 }
diff --git a/src/lib/iac/test/v2/json.ts b/src/lib/iac/test/v2/json.ts
@@ -264,7 +264,7 @@ function vulnerabilitiesToIacIssues(
       lineNumber: v.resource.line || -1,
       documentation: v.rule.documentation, // only works for rules available on snyk.io
       isGeneratedByCustomRule: !!v.rule.isGeneratedByCustomRule,
-      path: v.resource.path || [], // needs to be fixed, currently doesn't show the full path
+      path: v?.resource?.formattedPath.split('.') || [],
       compliance: [],
       description: v.rule.description,
     };

diff --git a/test/jest/unit/iac/process-results/fixtures/integrated-json-output.json b/test/jest/unit/iac/process-results/fixtures/integrated-json-output.json
@@ -63,7 +63,10 @@
         "lineNumber": -1,
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-00151",
         "isGeneratedByCustomRule": false,
-        "path": [],
+        "path": [
+          "resource",
+          "aws_vpc[mainvpc]"
+        ],
         "compliance": [],
         "description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n"
       },
@@ -94,10 +97,11 @@
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-TF-5",
         "isGeneratedByCustomRule": false,
         "path": [
-          "ingress",
-          0,
-          "cidr_blocks",
-          0
+          "input",
+          "resource",
+          "aws_default_security_group[default]",
+          "ingress[0]",
+          "cidr_blocks[0]"
         ],
         "compliance": [],
         "description": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n"
@@ -162,7 +166,10 @@
         "lineNumber": 5,
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-00151",
         "isGeneratedByCustomRule": false,
-        "path": [],
+        "path": [
+          "resource",
+          "aws_vpc[mainvpc]"
+        ],
         "compliance": [],
         "description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n"
       },
@@ -193,10 +200,11 @@
         "documentation": "https://security.snyk.io/rules/cloud/SNYK-CC-TF-5",
         "isGeneratedByCustomRule": false,
         "path": [
-          "ingress",
-          0,
-          "cidr_blocks",
-          0
+          "input",
+          "resource",
+          "aws_default_security_group[default]",
+          "ingress[0]",
+          "cidr_blocks[0]"
         ],
         "compliance": [],
         "description": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n"

diff --git a/...t/unit/iac/process-results/fixtures/snyk-iac-test-text-output-data-with-suppressions.json b/...t/unit/iac/process-results/fixtures/snyk-iac-test-text-output-data-with-suppressions.json
@@ -8,8 +8,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -29,12 +29,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",
@@ -54,8 +53,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": 5,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -75,12 +74,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": 16,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",

diff --git a/test/jest/unit/iac/process-results/fixtures/snyk-iac-test-text-output-data.json b/test/jest/unit/iac/process-results/fixtures/snyk-iac-test-text-output-data.json
@@ -8,8 +8,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -29,12 +29,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": -1,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",
@@ -54,8 +53,8 @@
           "title": "VPC flow logging should be enabled",
           "lineNumber": 5,
           "cloudConfigPath": [
-            "aws_vpc",
-            "mainvpc"
+            "resource",
+            "aws_vpc[mainvpc]"
           ],
           "issue": "VPC flow logging should be enabled",
           "impact": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
@@ -75,12 +74,11 @@
           "title": "VPC default security group allows unrestricted ingress traffic",
           "lineNumber": 16,
           "cloudConfigPath": [
-            "aws_default_security_group",
-            "default",
-            "ingress",
-            0,
-            "cidr_blocks",
-            0
+            "input",
+            "resource",
+            "aws_default_security_group[default]",
+            "ingress[0]",
+            "cidr_blocks[0]"
           ],
           "issue": "VPC default security group allows unrestricted ingress traffic",
           "impact": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",