feat: prepare for trivy aws docs (#61)

Signed-off-by: Owen Rumney <[email protected]>
aquasecurity · Aug 8, 2022 · eeed611 · eeed611
1 parent 7082114
commit eeed611
Show file tree

Hide file tree

Showing 14 changed files with 789 additions and 574 deletions.
diff --git a/docGen/crossover.go b/docGen/crossover.go
@@ -59,6 +59,114 @@ var crossOver = map[string]string{
 	"AVD-GCP-0024": "en/google/sql/db-automated-backups.md",
 }
 
+var cloudsploitIgnores = []string{
+	"apigatewayCloudwatchLogs",
+	"apigatewayPrivateEndpoints",
+	"apigatewayTracingEnabled",
+	"workgroupEncrypted",
+	"workgroupEnforceConfiguration",
+	"cloudfrontHttpsOnly",
+	"cloudfrontLoggingEnabled",
+	"cloudfrontWafEnabled",
+	"insecureProtocols",
+	"cloudtrailBucketAccessLogging",
+	"cloudtrailBucketPrivate",
+	"cloudtrailEnabled",
+	"cloudtrailEncryption",
+	"cloudtrailFileValidation",
+	"cloudtrailToCloudwatch",
+	"projectArtifactsEncrypted",
+	"configServiceEnabled",
+	"ebsEncryptionEnabled",
+	"ec2MetadataOptions",
+	"publicIpAddress",
+	"ecrRepositoryEncrypted",
+	"ecrRepositoryTagImmutability",
+	"efsEncryptionEnabled",
+	"eksLoggingEnabled",
+	"redisClusterEncryptionAtRest",
+	"redisClusterEncryptionInTransit",
+	"esEncryptedDomain",
+	"esHttpsOnly",
+	"esLoggingEnabled",
+	"esNodeToNodeEncryption",
+	"esTlsVersion",
+	"elbv2HttpsOnly",
+	"elbv2SslTermination",
+	"emrEncryptionAtRest",
+	"emrEncryptionInTransit",
+	"accessKeysLastUsed",
+	"accessKeysRotated",
+	"maxPasswordAge",
+	"minPasswordLength",
+	"noUserIamPolicies",
+	"passwordRequiresLowercase",
+	"passwordRequiresNumbers",
+	"passwordRequiresSymbols",
+	"passwordRequiresUppercase",
+	"passwordReusePrevention",
+	"rootAccessKeys",
+	"rootAccountInUse",
+	"rootMfaEnabled",
+	"usersMfaEnabled",
+	"kinesisDataStreamsEncrypted",
+	"kmsKeyRotation",
+	"mqLogExports",
+	"mskClusterEncryptionInTransit",
+	"neptuneDBInstanceEncrypted",
+	"rdsAutomatedBackups",
+	"rdsEncryptionEnabled",
+	"rdsPubliclyAccessible",
+	"redshiftClusterCmkEncrypted",
+	"redshiftClusterInVpc",
+	"bucketEncryption",
+	"bucketLogging",
+	"bucketVersioning",
+	"topicCmkEncrypted",
+	"topicEncrypted",
+	"sqsEncrypted",
+	"workspacesVolumeEncryption",
+}
+
+var defsecReplacements = map[string][]string{
+
+	"AVD-AWS-0004": {"cspm/aws/apigateway/api-gateway-private-endpoints", "cspm/aws/api-gateway/api-gateway-private-endpoints"},
+	"AVD-AWS-0003": {"cspm/aws/apigateway/api-gateway-tracing-enabled", "cspm/aws/api-gateway/api-gateway-tracing-enabled"},
+	"AVD-AWS-0163": {"cspm/aws/cloudtrail/cloudtrail-bucket-access-logging"},
+	"AVD-AWS-0161": {"cspm/aws/cloudtrail/cloudtrail-bucket-private"},
+	"AVD-AWS-0162": {"cspm/aws/cloudtrail/cloudtrail-to-cloudwatch"},
+	"AVD-AWS-0018": {"cspm/aws/codebuild/project-artifacts-encrypted", "cspm/aws/code-build/project-artifacts-encrypted"},
+	"AVD-AWS-0019": {"cspm/aws/configservice/config-service-enabled", "cspm/aws/config/config-service-enabled"},
+	"AVD-AWS-0131": {"cspm/aws/ec2/ebs-encryption-enabled"},
+	"AVD-AWS-0009": {"cspm/aws/ec2/public-ip-address-ec2-instances"},
+	"AVD-AWS-0033": {"cspm/aws/ecr/ecr-repository-encrypted"},
+	"AVD-AWS-0045": {"cspm/aws/elasticache/elasticache-redis-cluster-encryption-at-rest"},
+	"AVD-AWS-0054": {"cspm/aws/elbv2/elbv2-https-only", "cspm/aws/elb/elbv2-https-only"},
+	"AVD-AWS-0047": {"cspm/aws/elbv2/elb-ssl-termination", "cspm/aws/elb/elb-ssl-termination"},
+	"AVD-AWS-0137": {"cspm/aws/emr/emr-encryption-at-rest"},
+	"AVD-AWS-0138": {"cspm/aws/emr/emr-encryption-in-transit"},
+	"AVD-AWS-0048": {"cspm/aws/es/elasticsearch-encrypted-domain"},
+	"AVD-AWS-0046": {"cspm/aws/es/elasticsearch-https-only"},
+	"AVD-AWS-0042": {"cspm/aws/es/elasticsearch-logging-enabled"},
+	"AVD-AWS-0043": {"cspm/aws/es/elasticsearch-node-to-node-encryption"},
+	"AVD-AWS-0126": {"cspm/aws/es/elasticsearch-tls-version"},
+	"AVD-AWS-0144": {"cspm/aws/iam/access-keys-last-used"},
+	"AVD-AWS-0146": {"cspm/aws/iam/access-keys-rotated"},
+	"AVD-AWS-0143": {"cspm/aws/iam/no-user-iam-policies"},
+	"AVD-AWS-0141": {"cspm/aws/iam/root-access-keys"},
+	"AVD-AWS-0140": {"cspm/aws/iam/root-account-in-use"},
+	"AVD-AWS-0142": {"cspm/aws/iam/root-mfa-enabled"},
+	"AVD-AWS-0064": {"cspm/aws/kinesis/kinesis-data-streams-encrypted"},
+	"AVD-AWS-0071": {"cspm/aws/mq/mq-log-exports-enabled"},
+	"AVD-AWS-0073": {"cspm/aws/msk/msk-cluster-encryption-in-transit"},
+	"AVD-AWS-0076": {"cspm/aws/neptune/neptune-database-instance-encrypted"},
+	"AVD-AWS-0077": {"cspm/aws/rds/rds-automated-backups"},
+	"AVD-AWS-0127": {"cspm/aws/redshift/redshift-cluster-in-vpc"},
+	"AVD-AWS-0088": {"cspm/aws/s3/s3-bucket-encryption"},
+	"AVD-AWS-0136": {"cspm/aws/sns/sns-topic-cmk-encryption"},
+	"AVD-AWS-0109": {"cspm/aws/workspaces/workspaces-volume-encryption"},
+}
+
 var reverseCrossOver map[string]string
 
 func init() {
@@ -76,3 +184,10 @@ func getAVDIDByCSPMPath(path string) string {
 	}
 	return ""
 }
+
+func getCSPMAliasesForAVDID(avdID string) []string {
+	if aliases, ok := defsecReplacements[avdID]; ok {
+		return aliases
+	}
+	return []string{}
+}
diff --git a/docGen/cspm.go b/docGen/cspm.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"text/template"
 
+	"golang.org/x/exp/slices"
+
 	"github.com/aquasecurity/avd-generator/menu"
 	"github.com/aquasecurity/avd-generator/util"
 )
@@ -53,6 +55,13 @@ func generateCloudSploitPages(inputPagesDir, outputPagesDir, remediationsDir str
 			continue
 		}
 
+		id := strings.TrimSuffix(filepath.Base(file), filepath.Ext(file))
+		if slices.Contains(cloudsploitIgnores, id) {
+			fmt.Printf("Skipping '%s' because it is in the cloudsploit ignore list: \n", id)
+
+			continue
+		}
+
 		content := string(b)
 
 		var title, originalCategory, category, description, moreInfo, link, recommendedActions, remediationString string
@@ -117,7 +126,7 @@ func generateCloudSploitPages(inputPagesDir, outputPagesDir, remediationsDir str
 		}
 
 		aliases := []string{
-			fmt.Sprintf("misconfig/%s/%s/%s", providerID, categoryID, strings.ToLower(remediationString)),
+			// fmt.Sprintf("misconfig/%s/%s/%s", providerID, categoryID, strings.ToLower(remediationString)),
 			fmt.Sprintf("cspm/%s/%s/%s", providerID, categoryID, strings.ToLower(remediationString)),
 		}
 		if categoryID != aliasCategoryID {
@@ -158,7 +167,7 @@ func generateCloudSploitPages(inputPagesDir, outputPagesDir, remediationsDir str
 
 func hasDefsecOverride(remediationFile string) bool {
 	if avdID := getAVDIDByCSPMPath(remediationFile); avdID != "" {
-		log.Printf("Override detected: '%s' has been overridden by '%s'\n", remediationFile, avdID)
+		// log.Printf("Override detected: '%s' has been overridden by '%s'\n", remediationFile, avdID)
 		return true
 	}
 	return false

diff --git a/docGen/defsec.go b/docGen/defsec.go
@@ -14,13 +14,14 @@ import (
 	"github.com/aquasecurity/avd-generator/menu"
 	"github.com/aquasecurity/avd-generator/util"
 
+	"github.com/aquasecurity/defsec/pkg/framework"
 	_ "github.com/aquasecurity/defsec/pkg/rego"
 	"github.com/aquasecurity/defsec/pkg/rules"
 	"github.com/aquasecurity/defsec/pkg/scan"
 )
 
 func generateDefsecPages(remediationDir, contentDir string) {
-	for _, r := range rules.GetRegistered() {
+	for _, r := range rules.GetRegistered(framework.ALL) {
 
 		avdId := r.Rule().AVDID
 		topLevelID := strings.ToLower(r.Rule().Provider.ConstName())
@@ -125,6 +126,17 @@ func generateDefsecCheckPage(rule scan.Rule, remediations map[string]string, con
 		legacy = rule.Aliases[0]
 	}
 
+	var frameworks []string
+
+	if rule.Frameworks != nil && len(rule.Frameworks) > 0 {
+		for framework, _ := range rule.Frameworks {
+			if framework == "default" {
+				continue
+			}
+			frameworks = append(frameworks, strings.ToUpper(strings.ReplaceAll(string(framework), "-", " ")))
+		}
+	}
+
 	post := map[string]interface{}{
 		"AVDID":            rule.AVDID,
 		"AVDID_Lowered":    strings.ToLower(rule.AVDID),
@@ -140,9 +152,14 @@ func generateDefsecCheckPage(rule scan.Rule, remediations map[string]string, con
 		"Severity":         strings.ToLower(string(rule.Severity)),
 		"ParentID":         strings.ReplaceAll(strings.ToLower(menuParent), " ", "-"),
 		"Remediations":     remediationKeys,
+		"Frameworks":       frameworks,
 		"Source":           "Trivy",
 	}
 
+	if aliases := getCSPMAliasesForAVDID(rule.AVDID); len(aliases) > 0 {
+		post["AdditionalAliases"] = aliases
+	}
+
 	if remediationPath, ok := crossOver[rule.AVDID]; ok {
 		id := strings.ToLower(strings.ReplaceAll(strings.ReplaceAll(remediationPath, "en/", ""), ".md", ""))
 		post["AliasID"] = id
@@ -185,12 +202,19 @@ title: {{.ShortName}}
 id: {{ .AVDID }}
 
 aliases: [
-{{ if .AliasID}}  "/cspm/{{ .AliasID}}",
+{{ if .AliasID}}	"/cspm/{{ .AliasID}}",
 {{ end }}{{ if .LegacyID }}  "/misconfig/{{ .Provider }}/{{ .LegacyID_Lowered }}",
 {{ end }}{{ if .LegacyID }}  "/misconfig/{{ .LegacyID_Lowered }}",
-{{ end }}	"/misconfig/{{ .AVDID_Lowered }}",
+{{ end }}  "/misconfig/{{ .AVDID_Lowered }}",
   "/misconfig/{{ .Provider }}/{{ .Service }}/{{ .AVDID_Lowered }}",
+{{ if .AdditionalAliases }}{{ range $alias := .AdditionalAliases }}  "{{ $alias }}",
+{{end}}{{end}}
 ]
+{{ if .Frameworks }}
+frameworks: [
+{{ range .Frameworks }}  "{{ . }}",
+{{ end }}]
+{{ end }}
 
 source: {{ .Source }}
 {{ if .CSPMID}}

diff --git a/docGen/go.mod b/docGen/go.mod
@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/Masterminds/semver v1.5.0
-	github.com/aquasecurity/defsec v0.69.2
+	github.com/aquasecurity/defsec v0.70.0
 	github.com/aquasecurity/tracee v0.7.0
 	github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2
 	github.com/leekchan/gtf v0.0.0-20190214083521-5fba33c5b00b
@@ -34,7 +34,7 @@ require (
 	github.com/go-git/go-git/v5 v5.4.2 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.12.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
@@ -52,16 +52,17 @@ require (
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/vektah/gqlparser/v2 v2.4.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
-	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
+	golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167 // indirect
+	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	golang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect
-	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect