feat(query): Added Request Timeout Not Properly Set for Kubernetes (C…

…heckmarx#5106)

* + Request Timeout Not Properly Set

* support for not valid value

* delete paylaod

* add support for hours and seconds

* add support for not defined number of digits

* correct positive_expected_result

assets/queries/k8s/request_timeout_not_properly_set/metadata.json

@@ -0,0 +1,10 @@
+{
+  "id": "d89a15bb-8dba-4c71-9529-bef6729b9c09",
+  "queryName": "Request Timeout Not Properly Set",
+  "severity": "MEDIUM",
+  "category": "Availability",
+  "descriptionText": "When using kube-apiserver command, the '--request-timeout' flag value should not be too long",
+  "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
+  "platform": "Kubernetes",
+  "descriptionID": "592c7cba"
+}

assets/queries/k8s/request_timeout_not_properly_set/query.rego

@@ -0,0 +1,72 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.k8s as k8sLib
+
+CxPolicy[result] {
+	resource := input.document[i]
+	metadata := resource.metadata
+	specInfo := k8sLib.getSpecInfo(resource)
+	types := {"initContainers", "containers"}
+	container := specInfo.spec[types[x]][j]
+	common_lib.inArray(container.command, "kube-apiserver")
+	k8sLib.startWithFlag(container, "--request-timeout")
+	hasTimeGreaterThanValue(container, "--request-timeout", 300)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "--request-timeout flag should not be set to more than 300 seconds",
+		"keyActualValue": "--request-timeout flag is set to more than 300 seconds",
+		"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]),
+	}
+}
+
+hasTimeGreaterThanValue(container, flag, value) {
+	command := container.command
+	startswith(command[a], flag)
+	flag_value := split(command[a], "=")[1]
+	getSeconds(flag_value)> value
+} else {
+	args := container.args
+	startswith(args[a], flag)
+	flag_value := split(args[a], "=")[1]
+	getSeconds(flag_value)> value
+}
+
+getSeconds(time)=seconds{
+	regex.match("^(\\d+[h])$", time)
+    seconds := to_number(trim_suffix(time, "h") )*3600    
+}else = seconds {
+	regex.match("^(\\d+[h])(\\d+[m])$", time)
+    hours := replace(time, "h", ",")
+    minutes := replace(hours, "m", ",")
+    time_array := split(minutes, ",")
+    seconds := to_number(time_array[0])*3600 + to_number(time_array[1])*60
+}else = seconds {
+	regex.match("^(\\d+[h])(\\d+[s])$", time)
+    hours := replace(time, "h", ",")
+    secs := replace(hours, "s", ",")
+    time_array := split(secs, ",")
+    seconds := to_number(time_array[0])*3600 + to_number(time_array[1])
+}else = seconds {
+	regex.match("^(\\d+[h])(\\d+[m])(\\d+[s])$", time)
+    hours := replace(time, "h", ",")
+    minutes :=replace(hours, "m", ",")
+    secs :=replace(minutes, "s", ",")
+    time_array := split(secs, ",")
+    seconds := to_number(time_array[0])*3600 + to_number(time_array[1])*60 + to_number(time_array[2]) 
+}else = seconds {
+	regex.match("^(\\d+[m])$", time)
+    seconds := to_number(trim_suffix(time, "m") )*60  
+}else = seconds {
+	regex.match("^(\\d+[m])(\\d+[s])$", time)
+    minutes := replace(time, "m", ",")
+    secs := replace(minutes, "s", ",")
+    time_array := split(secs, ",")
+    seconds := to_number(time_array[0])*60 + to_number(time_array[1]) 
+}else = seconds {
+	regex.match("^(\\d+[s])$", time)
+    seconds := to_number(trim_suffix(time, "s"))   
+}

assets/queries/k8s/request_timeout_not_properly_set/test/negative1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=300s"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/negative2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: []
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=6m"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=1h0s"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive3.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=6m10s"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive4.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=400s"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive5.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=1h1m"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive6.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--request-timeout=1h1m1s"]
+  restartPolicy: OnFailure

assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json

@@ -0,0 +1,38 @@
+[
+	{
+		"queryName": "Request Timeout Not Properly Set",
+		"severity": "MEDIUM",
+		"line": 11,
+        "fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Request Timeout Not Properly Set",
+		"severity": "MEDIUM",
+		"line": 11,
+        "fileName": "positive2.yaml"
+	},
+	{
+		"queryName": "Request Timeout Not Properly Set",
+		"severity": "MEDIUM",
+		"line": 11,
+        "fileName": "positive3.yaml"
+	},
+	{
+		"queryName": "Request Timeout Not Properly Set",
+		"severity": "MEDIUM",
+		"line": 11,
+        "fileName": "positive4.yaml"
+	},
+	{
+		"queryName": "Request Timeout Not Properly Set",
+		"severity": "MEDIUM",
+		"line": 11,
+        "fileName": "positive5.yaml"
+	},
+	{
+		"queryName": "Request Timeout Not Properly Set",
+		"severity": "MEDIUM",
+		"line": 11,
+        "fileName": "positive6.yaml"
+	}
+]