feat(query): add --input-data option (Checkmarx#3808)

Signed-off-by: Felipe Avelar <[email protected]>
Co-authored-by: Rogério Peixoto <[email protected]>

assets/libraries/common/library.rego

@@ -81,163 +81,6 @@ containsOrInArrayContains(field, value) {
 	contains(lower(field[i]), value)
 }
 
-isDefaultPassword(p) {
-	ar = {
-		"!@",
-		"root",
-		"wubao",
-		"password",
-		"123456",
-		"admin",
-		"12345",
-		"1234",
-		"p@ssw0rd",
-		"123",
-		"1",
-		"jiamima",
-		"test",
-		"root123",
-		"!",
-		"!q@w",
-		"!qaz@wsx",
-		"idc!@",
-		"admin!@",
-		"",
-		"alpine",
-		"qwerty",
-		"12345678",
-		"111111",
-		"123456789",
-		"1q2w3e4r",
-		"123123",
-		"default",
-		"1234567",
-		"qwe123",
-		"1qaz2wsx",
-		"1234567890",
-		"abcd1234",
-		"000000",
-		"user",
-		"toor",
-		"qwer1234",
-		"1q2w3e",
-		"asdf1234",
-		"redhat",
-		"1234qwer",
-		"cisco",
-		"12qwaszx",
-		"test123",
-		"1q2w3e4r5t",
-		"admin123",
-		"changeme",
-		"1qazxsw2",
-		"123qweasd",
-		"q1w2e3r4",
-		"letmein",
-		"server",
-		"root1234",
-		"master",
-		"abc123",
-		"rootroot",
-		"a",
-		"system",
-		"pass",
-		"1qaz2wsx3edc",
-		"p@$$w0rd",
-		"112233",
-		"welcome",
-		"!QAZ2wsx",
-		"linux",
-		"123321",
-		"manager",
-		"1qazXSW@",
-		"q1w2e3r4t5",
-		"oracle",
-		"asd123",
-		"admin123456",
-		"ubnt",
-		"123qwe",
-		"qazwsxedc",
-		"administrator",
-		"superuser",
-		"zaq12wsx",
-		"121212",
-		"654321",
-		"ubuntu",
-		"0000",
-		"zxcvbnm",
-		"root@123",
-		"1111",
-		"vmware",
-		"q1w2e3",
-		"qwerty123",
-		"cisco123",
-		"11111111",
-		"pa55w0rd",
-		"asdfgh",
-		"11111",
-		"123abc",
-		"asdf",
-		"centos",
-		"888888",
-		"54321",
-		"password123",
-		"pa$$",
-	}
-
-	ar[p]
-}
-
-isCommonValue(p) {
-	bl = {
-		"RESOURCE",
-		"GROUP",
-		"SUBNET",
-		"S3",
-		"SERVICE",
-		"AZURE",
-		"BUCKET",
-		"VIRTUAL",
-		"NETWORK",
-		"POLICY",
-		"AWS",
-		"PROTOCOL",
-		"CLOUD",
-		"MINUTE",
-		"TLS",
-		"EC2",
-		"VPC",
-		"INTERNET",
-		"ROUTE",
-		"EFS",
-		"INSTANCE",
-		"VPN",
-		"MOUNT",
-		"MYSQL",
-		"APACHE",
-		"ETHERNET",
-		"TERRAFORM",
-		"TARGET",
-		"ENVIRONMENT",
-		"MEMORY",
-		"PACKAGE",
-		"STATEMENT",
-		"REGION",
-		"INGRESS",
-		"CHECKPOINT",
-		"MODULE",
-		"BASIC",
-		"NUMBER",
-		"MASLEN",
-		"VERSION",
-		"MAKE",
-		"ARCH",
-	}
-
-	black := bl[_]
-	contains(upper(p), black)
-}
-
 isCommonKey(p) {
 	bl = {
 		"namespace",

assets/queries/common/passwords_and_secrets_in_infrastructure_code/data.json

@@ -0,0 +1,148 @@
+{
+  "defaultPasswords": [
+    "!@",
+    "root",
+    "wubao",
+    "password",
+    "123456",
+    "admin",
+    "12345",
+    "1234",
+    "p@ssw0rd",
+    "123",
+    "1",
+    "jiamima",
+    "test",
+    "root123",
+    "!",
+    "!q@w",
+    "!qaz@wsx",
+    "idc!@",
+    "admin!@",
+    "",
+    "alpine",
+    "qwerty",
+    "12345678",
+    "111111",
+    "123456789",
+    "1q2w3e4r",
+    "123123",
+    "default",
+    "1234567",
+    "qwe123",
+    "1qaz2wsx",
+    "1234567890",
+    "abcd1234",
+    "000000",
+    "user",
+    "toor",
+    "qwer1234",
+    "1q2w3e",
+    "asdf1234",
+    "redhat",
+    "1234qwer",
+    "cisco",
+    "12qwaszx",
+    "test123",
+    "1q2w3e4r5t",
+    "admin123",
+    "changeme",
+    "1qazxsw2",
+    "123qweasd",
+    "q1w2e3r4",
+    "letmein",
+    "server",
+    "root1234",
+    "master",
+    "abc123",
+    "rootroot",
+    "a",
+    "system",
+    "pass",
+    "1qaz2wsx3edc",
+    "p@$$w0rd",
+    "112233",
+    "welcome",
+    "!QAZ2wsx",
+    "linux",
+    "123321",
+    "manager",
+    "1qazXSW@",
+    "q1w2e3r4t5",
+    "oracle",
+    "asd123",
+    "admin123456",
+    "ubnt",
+    "123qwe",
+    "qazwsxedc",
+    "administrator",
+    "superuser",
+    "zaq12wsx",
+    "121212",
+    "654321",
+    "ubuntu",
+    "0000",
+    "zxcvbnm",
+    "root@123",
+    "1111",
+    "vmware",
+    "q1w2e3",
+    "qwerty123",
+    "cisco123",
+    "11111111",
+    "pa55w0rd",
+    "asdfgh",
+    "11111",
+    "123abc",
+    "asdf",
+    "centos",
+    "888888",
+    "54321",
+    "password123",
+    "pa$$"
+  ],
+  "blackList": [
+    "RESOURCE",
+    "GROUP",
+    "SUBNET",
+    "S3",
+    "SERVICE",
+    "AZURE",
+    "BUCKET",
+    "VIRTUAL",
+    "NETWORK",
+    "POLICY",
+    "AWS",
+    "PROTOCOL",
+    "CLOUD",
+    "MINUTE",
+    "TLS",
+    "EC2",
+    "VPC",
+    "INTERNET",
+    "ROUTE",
+    "EFS",
+    "INSTANCE",
+    "VPN",
+    "MOUNT",
+    "MYSQL",
+    "APACHE",
+    "ETHERNET",
+    "TERRAFORM",
+    "TARGET",
+    "ENVIRONMENT",
+    "MEMORY",
+    "PACKAGE",
+    "STATEMENT",
+    "REGION",
+    "INGRESS",
+    "CHECKPOINT",
+    "MODULE",
+    "BASIC",
+    "NUMBER",
+    "MASLEN",
+    "VERSION",
+    "MAKE",
+    "ARCH"
+  ]
+}

assets/queries/common/passwords_and_secrets_in_infrastructure_code/query.rego

@@ -111,7 +111,7 @@ is_under_secret_key(p) = res {
 
 #search for default passwords
 check_vulnerability(correctStrings) {
-	commonLib.isDefaultPassword(correctStrings.value)
+	isDefaultPassword(correctStrings.value)
 	is_under_password_key(correctStrings.key)
 
 	#remove common key and values
@@ -190,7 +190,7 @@ check_vulnerability(correctStrings) {
 
 check_common(correctStrings) {
 	#remove common values
-	not commonLib.isCommonValue(correctStrings.value)
+	not isCommonValue(correctStrings.value)
 
 	#remove common keys
 	not commonLib.isCommonKey(correctStrings.key)
@@ -201,3 +201,11 @@ replace_unicode(allValues) = treatedValue {
 	treatedValue_first := replace(allValues, "\\u003c", "<")
 	treatedValue = replace(treatedValue_first, "\\u003e", ">")
 }
+
+isDefaultPassword(p) {
+	data.defaultPasswords[_] == p
+}
+
+isCommonValue(p) {
+	contains(upper(p), data.blackList[_])
+}

docs/commands.md

@@ -68,6 +68,7 @@ Flags:
                                      cannot be provided with query exclusion flags
                                      can be provided multiple times or as a comma separated string
                                      example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'
+      --input-data string            path to query input data files
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
       --output-name string           name used on report creations (default "results")

docs/dockerhub.md

@@ -96,6 +96,7 @@ Flags:
                                      cannot be provided with query exclusion flags
                                      can be provided multiple times or as a comma separated string
                                      example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'
+      --input-data string            path to query input data files
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
       --output-name string           name used on report creations (default "results")

e2e/fixtures/assets/scan_help

@@ -28,6 +28,7 @@ Flags:
                                      cannot be provided with query exclusion flags
                                      can be provided multiple times or as a comma separated string
                                      example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'
+      --input-data string            path to query input data files
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
       --output-name string           name used on report creations (default "results")