Merge pull request #7208 from Checkmarx/add-pattern-validation-workflow

update(workflow): add pattern validation for query name and description
Checkmarx · Aug 5, 2024 · c9d374d · c9d374d
2 parents f0cf78d + d17d03e
commit c9d374d
Show file tree

Hide file tree

Showing 108 changed files with 170 additions and 194 deletions.
diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
@@ -7,6 +7,16 @@
             "minLength": 1,
             "pattern": "^[a-f0-9]{8}-[a-f0-9]{4}-4{1}[a-f0-9]{3}-[89ab]{1}[a-f0-9]{3}-[a-f0-9]{12}$"
         },
+        "description_text_pattern": {
+            "type": "string",
+            "minLength": 1,
+            "pattern": "^.{1,500}$"
+        },
+        "query_name_pattern": {
+            "type": "string",
+            "minLength": 1,
+            "pattern": "^[a-zA-Z][a-zA-Z0-9_ \\-\"',:$.()]{0,119}$"
+        },
         "description_id_pattern": {
             "type": "string",
             "minLength": 1,
@@ -29,8 +39,9 @@
             "$ref": "#/definitions/query_id_pattern"
         },
         "queryName": {
+            "$ref": "#/definitions/query_name_pattern",
             "type": "string",
-            "minLength": 8,
+            "minLength": 1,
             "maxLength": 120
         },
         "severity": {
@@ -75,8 +86,9 @@
             ]
         },
         "descriptionText": {
+            "$ref": "#/definitions/description_text_pattern",
             "type": "string",
-            "minLength": 16,
+            "minLength": 1,
             "maxLength" : 500
         },
         "descriptionUrl": {

diff --git a/.github/workflows/cxone.yaml b/.github/workflows/cxone.yaml
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM cgr.dev/chainguard/go@sha256:54b74a40acfc93d62bd32c72e3afe19bc55e4b2db7baa09d5950f3e5878baf28 as build_env
+FROM cgr.dev/chainguard/go@sha256:74bc9af1d45fd1c8d432a89148c5e413711204636b54ca05197b511bea7a18fb as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -31,7 +31,7 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM cgr.dev/chainguard/git@sha256:f3ed07723172f93a50715cf6189be7c7526232ff88035e3eb24046bfffeb8f5c
+FROM cgr.dev/chainguard/git@sha256:8aca2e237da593d9326eb47aef652b3f4721b533b3b0f19cf62c3bbe1e8ec45d
 
 ENV TERM xterm-256color
 
@@ -49,4 +49,4 @@ WORKDIR /app/bin
 ENV PATH $PATH:/app/bin
 
 # Command to run the executable
-ENTRYPOINT ["/app/bin/kics"]
+ENTRYPOINT ["/app/bin/kics"]
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json b/assets/queries/terraform/databricks/autoscale_badly_setup/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "953c0cc6-5f30-44cb-a803-bf4ef2571be8",
-  "queryName": "(Beta) Databricks Autoscale Badly Setup",
+  "queryName": "Beta - Databricks Autoscale Badly Setup",
   "severity": "MEDIUM",
   "category": "Resource Management",
   "descriptionText": "Databricks should have min and max worker setup for autoscale",

diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 	{
-		"queryName": "(Beta) Databricks Autoscale Badly Setup",
+		"queryName": "Beta - Databricks Autoscale Badly Setup",
 		"severity": "MEDIUM",
 		"line": 6,
 		"fileName": "positive1.tf"
 	},
 	{
-		"queryName": "(Beta) Databricks Autoscale Badly Setup",
+		"queryName": "Beta - Databricks Autoscale Badly Setup",
 		"severity": "MEDIUM",
 		"line": 6,
 		"fileName": "positive2.tf"

diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_aws_attributes/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "b0749c53-e3ff-4d09-bbe4-dca94e2e7a38",
-  "queryName": "(Beta) Check Databricks Cluster AWS Attribute Best Practices",
+  "queryName": "Beta - Check Databricks Cluster AWS Attribute Best Practices",
   "severity": "LOW",
   "category": "Best Practices",
   "descriptionText": "One or some Databricks Cluster AWS Attribute Best Practices are not respected",

diff --git a/...ts/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/...ts/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json
@@ -1,24 +1,24 @@
 [
   {
-    "queryName": "(Beta) Check Databricks Cluster AWS Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster AWS Attribute Best Practices",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive1.tf"
   },
   {
-    "queryName": "(Beta) Check Databricks Cluster AWS Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster AWS Attribute Best Practices",
     "severity": "LOW",
     "line": 13,
     "fileName": "positive2.tf"
   },
   {
-    "queryName": "(Beta) Check Databricks Cluster AWS Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster AWS Attribute Best Practices",
     "severity": "LOW",
     "line": 10,
     "fileName": "positive3.tf"
   },
   {
-    "queryName": "(Beta) Check Databricks Cluster AWS Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster AWS Attribute Best Practices",
     "severity": "LOW",
     "line": 12,
     "fileName": "positive4.tf"

diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_azure_attributes/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "38028698-e663-4ef7-aa92-773fef0ca86f",
-  "queryName": "(Beta) Check Databricks Cluster Azure Attribute Best Practices",
+  "queryName": "Beta - Check Databricks Cluster Azure Attribute Best Practices",
   "severity": "LOW",
   "category": "Best Practices",
   "descriptionText": "One or some Databricks Cluster Azure Attribute Best Practices are not respected",

diff --git a/.../queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/.../queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json
@@ -1,18 +1,18 @@
 [
   {
-    "queryName": "(Beta) Check Databricks Cluster Azure Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster Azure Attribute Best Practices",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive1.tf"
   },
   {
-    "queryName": "(Beta) Check Databricks Cluster Azure Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster Azure Attribute Best Practices",
     "severity": "LOW",
     "line": 12,
     "fileName": "positive2.tf"
   },
   {
-    "queryName": "(Beta) Check Databricks Cluster Azure Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster Azure Attribute Best Practices",
     "severity": "LOW",
     "line": 10,
     "fileName": "positive3.tf"

diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "539e4557-d2b5-4d57-a001-cb01140a4e2d",
-  "queryName": "(Beta) Check Databricks Cluster GCP Attribute Best Practices",
+  "queryName": "Beta - Check Databricks Cluster GCP Attribute Best Practices",
   "severity": "LOW",
   "category": "Best Practices",
   "descriptionText": "One or some Databricks Cluster GCP Attribute Best Practices are not respected",

diff --git a/...ts/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/...ts/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
   {
-    "queryName": "(Beta) Check Databricks Cluster GCP Attribute Best Practices",
+    "queryName": "Beta - Check Databricks Cluster GCP Attribute Best Practices",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive1.tf"

diff --git a/assets/queries/terraform/databricks/databricks_permissions/metadata.json b/assets/queries/terraform/databricks/databricks_permissions/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5",
-  "queryName": "(Beta) Databricks Cluster or Job With None Or Insecure Permission(s)",
+  "queryName": "Beta - Databricks Cluster or Job With None Or Insecure Permission(s)",
   "severity": "HIGH",
   "category": "Insecure Configurations",
   "descriptionText": "Databricks Cluster and Job must have restricted permissions",

diff --git a/...ts/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/...ts/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json
@@ -1,24 +1,24 @@
 [
   {
-    "queryName": "(Beta) Databricks Cluster or Job With None Or Insecure Permission(s)",
+    "queryName": "Beta - Databricks Cluster or Job With None Or Insecure Permission(s)",
     "severity": "HIGH",
     "line": 16,
     "fileName": "positive1.tf"
   },
   {
-    "queryName": "(Beta) Databricks Cluster or Job With None Or Insecure Permission(s)",
+    "queryName": "Beta - Databricks Cluster or Job With None Or Insecure Permission(s)",
     "severity": "HIGH",
     "line": 12,
     "fileName": "positive2.tf"
   },
   {
-    "queryName": "(Beta) Databricks Cluster or Job With None Or Insecure Permission(s)",
+    "queryName": "Beta - Databricks Cluster or Job With None Or Insecure Permission(s)",
     "severity": "HIGH",
     "line": 16,
     "fileName": "positive3.tf"
   },
   {
-    "queryName": "(Beta) Databricks Cluster or Job With None Or Insecure Permission(s)",
+    "queryName": "Beta - Databricks Cluster or Job With None Or Insecure Permission(s)",
     "severity": "HIGH",
     "line": 16,
     "fileName": "positive4.tf"

diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "23c3067a-8cc9-480c-b645-7c1e0ad4bf60",
-  "queryName": "(Beta) Databricks Group Without User Or Instance Profile",
+  "queryName": "Beta - Databricks Group Without User Or Instance Profile",
   "severity": "LOW",
   "category": "Access Control",
   "descriptionText": "Databricks Group should have at least one user or one instance profile associated",

diff --git a/...form/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/...form/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 	{
-		"queryName": "(Beta) Databricks Group Without User Or Instance Profile",
+		"queryName": "Beta - Databricks Group Without User Or Instance Profile",
 		"severity": "LOW",
 		"line": 16,
 		"fileName": "positive1.tf"
 	},
 	{
-		"queryName": "(Beta) Databricks Group Without User Or Instance Profile",
+		"queryName": "Beta - Databricks Group Without User Or Instance Profile",
 		"severity": "LOW",
 		"line": 14,
 		"fileName": "positive2.tf"

diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_obo_token/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "23e1f5f0-12b7-4d7e-9087-f60f42ccd514",
-  "queryName": "(Beta) Indefinitely Databricks OBO Token Lifetime",
+  "queryName": "Beta - Indefinitely Databricks OBO Token Lifetime",
   "severity": "MEDIUM",
   "category": "Insecure Defaults",
   "descriptionText": "OBO Token has an indefinitely lifetime",

diff --git a/...ts/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/...ts/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 	{
-		"queryName": "(Beta) Indefinitely Databricks OBO Token Lifetime",
+		"queryName": "Beta - Indefinitely Databricks OBO Token Lifetime",
 		"severity": "MEDIUM",
 		"line": 1,
 		"fileName": "positive.tf"

diff --git a/assets/queries/terraform/databricks/indefinitely_token/metadata.json b/assets/queries/terraform/databricks/indefinitely_token/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "7d05ca25-91b4-42ee-b6f6-b06611a87ce8",
-  "queryName": "(Beta) Indefinitely Databricks Token Lifetime",
+  "queryName": "Beta - Indefinitely Databricks Token Lifetime",
   "severity": "MEDIUM",
   "category": "Insecure Defaults",
   "descriptionText": "Token has an indefinitely lifetime",

diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 	{
-		"queryName": "(Beta) Indefinitely Databricks Token Lifetime",
+		"queryName": "Beta - Indefinitely Databricks Token Lifetime",
 		"severity": "MEDIUM",
 		"line": 1,
 		"fileName": "positive.tf"

diff --git a/assets/queries/terraform/databricks/unrestricted_acl/metadata.json b/assets/queries/terraform/databricks/unrestricted_acl/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "2c4fe4a9-f44b-4c70-b09b-5b75cd251805",
-  "queryName": "(Beta) Unrestricted Databricks ACL",
+  "queryName": "Beta - Unrestricted Databricks ACL",
   "severity": "HIGH",
   "category": "Networking and Firewall",
   "descriptionText": "ACL allow ingress from 0.0.0.0/0 and/or ::/0",

diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 	{
-		"queryName": "(Beta) Unrestricted Databricks ACL",
+		"queryName": "Beta - Unrestricted Databricks ACL",
 		"severity": "HIGH",
 		"line": 10,
 		"fileName": "positive1.tf"
 	},
 	{
-		"queryName": "(Beta) Unrestricted Databricks ACL",
+		"queryName": "Beta - Unrestricted Databricks ACL",
 		"severity": "HIGH",
 		"line": 10,
 		"fileName": "positive2.tf"

diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json b/assets/queries/terraform/databricks/use_lts_spark_version/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6",
-  "queryName": "(Beta) Check use no LTS Spark Version",
+  "queryName": "Beta - Check use no LTS Spark Version",
   "severity": "LOW",
   "category": "Best Practices",
   "descriptionText": "Spark Version is not a Long-term Support",

diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json
@@ -1,18 +1,18 @@
 [
   {
-    "queryName": "(Beta) Check use no LTS Spark Version",
+    "queryName": "Beta - Check use no LTS Spark Version",
     "severity": "LOW",
     "line": 8,
     "fileName": "positive1.tf"
   },
   {
-    "queryName": "(Beta) Check use no LTS Spark Version",
+    "queryName": "Beta - Check use no LTS Spark Version",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive2.tf"
   },
   {
-    "queryName": "(Beta) Check use no LTS Spark Version",
+    "queryName": "Beta - Check use no LTS Spark Version",
     "severity": "LOW",
     "line": 10,
     "fileName": "positive3.tf"

diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json b/assets/queries/terraform/databricks/use_spark_submit_task/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7",
-  "queryName": "(Beta) Job's Task is Legacy (spark_submit_task)",
+  "queryName": "Beta - Job's Task is Legacy (spark_submit_task)",
   "severity": "MEDIUM",
   "category": "Best Practices",
   "descriptionText": "Job's Task Is spark_submit_task",

diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 	{
-		"queryName": "(Beta) Job's Task is Legacy (spark_submit_task)",
+		"queryName": "Beta - Job's Task is Legacy (spark_submit_task)",
 		"severity": "MEDIUM",
 		"line": 36,
 		"fileName": "positive1.tf"
 	},
 	{
-		"queryName": "(Beta) Job's Task is Legacy (spark_submit_task)",
+		"queryName": "Beta - Job's Task is Legacy (spark_submit_task)",
 		"severity": "MEDIUM",
 		"line": 18,
 		"fileName": "positive2.tf"

diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9",
-  "queryName": "(Beta) Nifcloud Computing Has Common Private Network",
+  "queryName": "Beta - Nifcloud Computing Has Common Private Network",
   "severity": "LOW",
   "category": "Networking and Firewall",
   "descriptionText": "The instance has common private network",

diff --git a/...rraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/...rraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 	{
-		"queryName": "(Beta) Nifcloud Computing Has Common Private Network",
+		"queryName": "Beta - Nifcloud Computing Has Common Private Network",
 		"severity": "LOW",
 		"line": 1,
 		"fileName": "positive1.tf"
 	},
 	{
-		"queryName": "(Beta) Nifcloud Computing Has Common Private Network",
+		"queryName": "Beta - Nifcloud Computing Has Common Private Network",
 		"severity": "LOW",
 		"line": 1,
 		"fileName": "positive2.tf"

diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/metadata.json b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "b2ea2367-8dc9-4231-a035-d0b28bfa3dde",
-  "queryName": "(Beta) Nifcloud Computing Has Public Ingress Security Group Rule",
+  "queryName": "Beta - Nifcloud Computing Has Public Ingress Security Group Rule",
   "severity": "HIGH",
   "category": "Networking and Firewall",
   "descriptionText": "An ingress security group rule allows traffic from /0",