feat: Add Jfrog rule for preventing plain text passwords.

* add jfrog template * add content to rule * add jfrog template * add content to rule * add rule scema for github * add rule scema for github * add password in step level * move to examples dir * separate bugfix brunch * separate bugfix brunch * add jfrog pipeline example * add jfrog pipeline example * fix schema * add recursive jfrog rule * add recursive jfrog rule * add filter out errors * add filter out errors * cr fixes
allero-io · Oct 6, 2022 · e682684 · e682684
1 parent d6b8f57
commit e682684
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -10,6 +10,9 @@ run:
 validate:
 	go run -ldflags="-X github.com/allero-io/allero/cmd.CliVersion=test" main.go validate
 
+validate-local:
+	go run -ldflags="-X github.com/allero-io/allero/cmd.CliVersion=test" main.go validate . --ignore-token
+
 validate-ignore-token:
 	go run -ldflags="-X github.com/allero-io/allero/cmd.CliVersion=test" main.go validate --ignore-token
 

diff --git a/examples/rules/prevent-password-plain-text-jfrog.json b/examples/rules/prevent-password-plain-text-jfrog.json
@@ -0,0 +1,50 @@
+{
+    "description": "Prevent use of password as plain text",
+    "failureMessage": "a password key is used without obfuscation. We recommend using github secrets manager or gitlab-vault instead",
+    "uniqueId": 13,
+    "enabledByDefault": true,
+    "inCodeImplementation": false,
+    "schema": {
+      "definitions": {
+          "passwordPattern": {
+              "type": "string",
+              "pattern": "\\${{.*}}( *|$)|DYNAMIC_VALUE"
+          },
+          "lookup": {
+              "properties": {
+                  "configuration": {
+                      "type": "object",
+                      "patternProperties": {
+                          ".*password.*": {
+                              "$ref": "#/definitions/passwordPattern"
+                          },
+                          "inputResources": {
+                              "type": "array",
+                              "items": {
+                                  "type": "object",
+                                  "patternProperties": {
+                                      ".*password.*": {
+                                          "$ref": "#/definitions/passwordPattern"
+                                      }
+                                  }
+                              }
+                          }
+                      }
+                  }
+              }
+          }
+      },
+      "allOf": [
+          {
+              "$ref": "#/definitions/lookup"
+          }
+      ],
+      "additionalProperties": {
+          "$ref": "#"
+      },
+      "items": {
+          "$ref": "#"
+      }
+  }
+}
+
diff --git a/pkg/rulesConfig/validator.go b/pkg/rulesConfig/validator.go
@@ -54,8 +54,8 @@ func (rc *RulesConfig) JSONSchemaValidate(ruleName string, rule *defaultRules.Ru
 	errorByField := make(map[string]bool)
 	lowestErrorLevel := 999
 
-	for _, rawSchemaError := range schemaResult.Errors() {
-		errorFields := strings.Split(rawSchemaError.Field(), ".")
+	for _, schemaErrorField := range rc.createUniqueErrors(schemaResult) {
+		errorFields := strings.Split(schemaErrorField, ".")
 		var trimedErrorField string
 		if len(errorFields) > 4 {
 			trimedErrorField = strings.Join(errorFields[:5], ".")
@@ -69,9 +69,9 @@ func (rc *RulesConfig) JSONSchemaValidate(ruleName string, rule *defaultRules.Ru
 		var schemaError *defaultRules.SchemaError
 
 		if scmPlatform == "github" {
-			schemaError = rc.parseSchemaFieldGithub(rc.githubData, rawSchemaError.Field())
+			schemaError = rc.parseSchemaFieldGithub(rc.githubData, schemaErrorField)
 		} else if scmPlatform == "gitlab" {
-			schemaError = rc.parseSchemaFieldGitlab(rc.gitlabData, rawSchemaError.Field())
+			schemaError = rc.parseSchemaFieldGitlab(rc.gitlabData, schemaErrorField)
 		}
 
 		if schemaError.ErrorLevel < lowestErrorLevel {
@@ -85,6 +85,25 @@ func (rc *RulesConfig) JSONSchemaValidate(ruleName string, rule *defaultRules.Ru
 	return schemaErrors, nil
 }
 
+func (rc *RulesConfig) createUniqueErrors(schemaResult *gojsonschema.Result) []string {
+	uniqueMapping := make(map[string]bool)
+
+	for _, schemaError := range schemaResult.Errors() {
+		if schemaError.Type() == "number_all_of" {
+			continue
+		}
+		if ok := uniqueMapping[schemaError.Field()]; !ok {
+			uniqueMapping[schemaError.Field()] = true
+		}
+	}
+
+	uniqueErrorsField := make([]string, 0, len(uniqueMapping))
+	for k := range uniqueMapping {
+		uniqueErrorsField = append(uniqueErrorsField, k)
+	}
+	return uniqueErrorsField
+}
+
 func (rc *RulesConfig) InCodeValidate(rule *defaultRules.Rule, githubData map[string]*githubConnector.GithubOwner, gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*defaultRules.SchemaError, error) {
 	return defaultRules.Validate(rule, githubData, gitlabData)
 }