xlab-si / iac-scan-runner Goto Github PK

Response I get is 400 with wrong check name in response message.

To keep our code clean and secure we should use SAST tools to do linting and check security.

I propose tools like pylint, flake8, mypy, pydocstyle, bandit and others.

For the development process I suggest creating a new shell script that would allow developers to run sanity, unit and integration tests before pushing anything.

I propose something similar to https://gitlab.com/gaia-x/data-infrastructure-federation-services/orc/ppr/-/blob/main/dev.sh#L20.

For each of the user scan runs, the results should be persisted in a database (at least for a limited time), so they can be later retrieved at some point in future. The following capabilities related of persistence are required:

• insertion of scan record
• querying for particular scan record by id
• deleting scan record
• showing/retrieving scan records
• periodic cleanup job deleting old scans (for instance, after 14 days)

Code related to output generation currently uses some of paths which are hard-coded as strings. They should be changed with parameters that could be set externally, such as environment variables.

• It is necessary to provide functionalities that would give the ability to group several scan tasks into project with unique ID that would be also persisted into database, together with other scan results.
• Include IaC archive name within scan results
• Persist configuration info for distinct projects

With the IaC Scan Runner CLI it is currently possible to retrieve the OpenAPI Specification or to run the REST API. The next feature would be mapping the API commands so that the CLI would call the specified API endpoint and this would enable new mode of interaction as the IaC Scan Runner could be used within consoles and CI/CD pipelines.

When check is disabled or enabled it is not seen on GET project/check response.

Change host port from 8080 to 80 in docker compose since app runs on port 80.

Yamllint results are present if they are displayed in JSON but not in HTML.

Terrascan static code analyzer returns not found error
"/bin/sh: 1: /iac-scan-runner/tools/terrascan: not found\n"

To replicate this error run:
curl -X 'POST' 'http://127.0.0.1:8080/scan' -H 'Content-Type: multipart/form-data' -F 'iac=@test_tf_hw.zip' -F 'checks=terrascan'

Used the same cmd and .zip file on tflint and tfsec and it works perfectly fine.

Originally posted by @jenkoj in #6 (comment)

We need to updated several API endpoints to improve readability and make them more user-friendly. These changes should make it easier for developers to use our API and understand how the different endpoints relate to each other.

During the TELFOR conference, some of the participants asked if distinct chain tools are executed in parallel within different threads. This way, the overall scanning time should be reduced, as multiple scans would be executed at the same time instead one by one.

Error message:
"'NoneType' object is not iterable"

When running POST /default/scan we get following error: "ScanModel" object has no attribute "checks"

An error occurs when no user preferences are provided in case that compatibility matrix is used

Project id should be a required field in POST /project/scan endpoint

After running docker build -t . inside project's directory, the following error is reported, as shown.

**inflating: /iac-scan-runner/tools/tmp/sonar-scanner-4.7.0.2747/lib/sonar-scanner-cli-4.7.0.2747.jar
ERROR: npm v9.2.0 is known not to run on Node.js v12.22.12. You'll need to
upgrade to a newer Node.js version in order to use this version of npm. This
version of npm supports the following node versions: `^14.17.0 || ^16.13.0 ||

=18.0.0`. You can find the latest version at https://nodejs.org/.
:
/usr/local/lib/node_modules/npm/lib/utils/exit-handler.js:22
const hasLoadedNpm = npm?.config.loaded
^

SyntaxError: Unexpected token '.'
at wrapSafe (internal/modules/cjs/loader.js:915:16)
at Module._compile (internal/modules/cjs/loader.js:963:27)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Module.require (internal/modules/cjs/loader.js:887:19)
at require (internal/modules/cjs/helpers.js:74:18)
at module.exports (/usr/local/lib/node_modules/npm/lib/cli.js:76:23)
at Object. (/usr/local/lib/node_modules/npm/bin/npm-cli.js:2:25)
at Module._compile (internal/modules/cjs/loader.js:999:30)
The command '/bin/sh -c cd /iac-scan-runner && apt-get update && apt-get -y install --no-install-recommends build-essential bash gcc git curl wget openjdk-17-jre ruby2.7 nodejs npm unzip python3 python3-pip python3-venv && apt-get update && mkdir -p /usr/share/man/man1 && npm i npm@latest -g && python3 -m venv .venv && . .venv/bin/activate && pip3 install --upgrade pip && pip install -r requirements.txt && ./install-checks.sh && npm uninstall npm && apt-get -y remove build-essential gcc npm curl wget && apt-get autoremove -y && apt-get autoclean -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && rm -rf /var/cache/* && rm -rf /root/.cache/' returned a non-zero code: 1
ERROR:
/usr/local/lib/node_modules/npm/lib/utils/exit-handler.js:22
const hasLoadedNpm = npm?.config.loaded
^

SyntaxError: Unexpected token '.'
at wrapSafe (internal/modules/cjs/loader.js:915:16)
at Module._compile (internal/modules/cjs/loader.js:963:27)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Module.require (internal/modules/cjs/loader.js:887:19)
at require (internal/modules/cjs/helpers.js:74:18)
at module.exports (/usr/local/lib/node_modules/npm/lib/cli.js:76:23)
at Object. (/usr/local/lib/node_modules/npm/bin/npm-cli.js:2:25)
at Module._compile (internal/modules/cjs/loader.js:999:30)
The command '/bin/sh -c cd /iac-scan-runner && apt-get update && apt-get -y install --no-install-recommends build-essential bash gcc git curl wget openjdk-17-jre ruby2.7 nodejs npm unzip python3 python3-pip python3-venv && apt-get update && mkdir -p /usr/share/man/man1 && npm i npm@latest -g && python3 -m venv .venv && . .venv/bin/activate && pip3 install --upgrade pip && pip install -r requirements.txt && ./install-checks.sh && npm uninstall npm && apt-get -y remove build-essential gcc npm curl wget && apt-get autoremove -y && apt-get autoclean -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && rm -rf /var/cache/* && rm -rf /root/.cache/' returned a non-zero code: 1**

Implement unit and integration tests for REST API and CLI.

Steampunk Scanner is long gone. We need to integrate with Steampunk Spotter CLI to enable Ansible scanning with Steampunk Spotter.

The check is disabled by default because it requires credentials. Steampunk Spotter is outdated and will not work anymore
We will need to integrate with Steampunk Spotter CLI https://gitlab.com/xlab-steampunk/steampunk-spotter-client/spotter-cli to bring it back to life

Usage and examples need to be updated because of the new API structure.

Add MongoDB deployment and setting the env variables.

In case that some of the parameters related to scan workflow tool configuration (such as secret) is changed, it would be necessary to update it for all the configs by the same user.

Currently we are experiencing the following problems with checks that are part of IaC Scan Runner:

• ShellCheck does not find schell scripts
• hadolint does not find Dockerfiles (but terrascan does?!)
• pylint complains about not finding __init__.py

Currently, some of the cases handling the individual scan tool output handling for purpose of summarization are not covered, causing incomplete summary to be generated when IaC archive contains some of these file types:

• es-lint, ts-lint for JavaScript
• checkstyle for Java
• htmlhint for HTML

xOpera TOSCA Parser does function properly when running it with the following command
curl -X 'POST' 'http://127.0.0.1:8080/scan' -H 'Content-Type: multipart/form-data' -F '[email protected]' -F 'checks=opera-tosca-parser'

These are contents of given .zip file

parser returns no files error, even though service.yaml is present.

Despite that tool configuration is currently able to be persisted within the database and later loaded, there are still several aspects that are missing, when it comes to usage of tool-specific configuration parameters.
Therefore, it should be explored which tool require such parameters (such as tokens or some preferences) and extend IaC Scan Runner with means that would enable exploiting them in appropriate way for each of the tools.

Result outcome of steampunk-scanner should be handled properly and included within HTML web page.

While evaluating the list of compatible checks, aggregation from compatibility matrix is done, but duplicates for the following check: git-leaks, git-secrets. However, each of the checks should be reported exactly once.

The documentation needs to be published a bit:

• Steampunk scanner -> Steampunk spotter
• IaC Scan Runner SaaS -> maybe we remove this for now?

In examples directory, self-contained, standalone examples should be added in order to check whether the tool is properly installed or no. After that, the existing ones might be removed or updated as well.

All the API calls should be modified, so each of them would return JSON objects which can be easily processed further.

Steampunk scanner does not work since it changed it's name to Spotter. Rename all variables to the new naming convention.

Empty list causes issue when loading projects: "name 'archive_name' is not defined"

All levels of search depth should be explored to determine the list of available check types.

Considering many TODOs related to extension for specific file types, it is still needed to properly handle all the situations when IaC archive contains file/script which is currently partially or not supported.

As it was mentioned on GA in Milano, it is desirable to provide the functionality that would enable intuitive method for adding new check tools to the scan workflow in future, even by end-users. Therefore, the means that would automate the tool encapsulation, integration and import steps should be provided.

Some of the currently integrated tools are not fully supported when it comes to advanced result visualization and compatibility matrix. Furthermore, apart from adding the tools into compatibility matrix, the output of all the checks which are not present should be parsed in order to determine the outcome: passed or problems detected.

Current progress can be summarized as follows:

Some of the scan check tools, such as tfsec, return logs containing irrelevant symbols (either scape or white symbols, such as spaces, return and new line characters) which reduce the overall visibility. Therefore, a mechanism should be implemented to filter the logs and remove such characters. An example of such situation within HTML result page is depicted below.

Apart from ansible-lint, we don't have any other scanner for scanning Ansible playbooks and there are not many available.

The Steampunk Scanner is a quality scanner for Ansible playbooks, where you can scan the playbook and get an instant quality score with tips on how to improve it. The steampunk-scanner CLI enables the use of Ansible scanner from the console with the ability to scan Ansible task files, playbooks, roles and collections.

As of xlab-steampunk/steampunk-scanner-cli#14 the CLI supports scanning IaC directories, so we are now able to add it to our IaC Scan Runner.

If running with docker compose POST project/scan does not work if at least 1 check is enabled. By default it should execute all scans.

It is required to include into README at least the manual procedure for adding new check tool within the scan workflow.

The current code seems to have some formatting issues. There are also places where the code can be simplified and/or cleaned.

Error message:
list.remove(x): x not in list

The tool should not break in case of non-working Mongo DB instance.
Apart from that, there would be possibility to turn on the persistence capabilities or off.

Right now we're using full xOpera orchestrator for TOSCA validation and since xOpera TOSCA parser now has its first package released as opera-tosca-parser Python package, we could use it in IaC Scan Runner.

Currently, it is not checked whether the provided name of check which is about to be added to the list is either an existing check (already in the list). Moreover, it is also possible to add strings that don't represent valid check names, which should be prevented as well.