Merge pull request #6889 from Checkmarx/joaom/kics-1218

fix(query): improve queries Container Memory Requests Not Equal To It's Limits and Container CPU Requests Not Equal To It's Limits
Checkmarx · Mar 20, 2024 · df49c58 · df49c58
2 parents a69d801 + a072de6
commit df49c58
Show file tree

Hide file tree

Showing 8 changed files with 70 additions and 15 deletions.
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/metadata.json
@@ -1,11 +1,11 @@
 {
   "id": "9d43040e-e703-4e16-8bfe-8d4da10fa7e6",
-  "queryName": "Container CPU Requests Not Equal To It's Limits",
+  "queryName": "Container CPU Requests Not Equal To Its Limits",
   "severity": "LOW",
-  "category": "Resource Management",
+  "category": "Best Practices",
   "descriptionText": "A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.",
   "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
   "platform": "Kubernetes",
   "descriptionID": "3e1c6d16",
   "cwe": ""
-}
+}
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/query.rego
@@ -4,14 +4,15 @@ import data.generic.common as common_lib
 import data.generic.k8s as k8sLib
 
 types := {"initContainers", "containers"}
+rec := {"requests", "limits"}
 
 CxPolicy[result] {
 	document := input.document[i]
 	document.kind == k8sLib.valid_pod_spec_kind_list[_]
 	specInfo := k8sLib.getSpecInfo(document)
 	container := specInfo.spec[types[x]][c]
-	rec := {"requests", "limits"}
 
+	has_request_or_limits(container)
 	not common_lib.valid_key(container.resources[rec[t]], "cpu")
 
 	result := {
@@ -45,3 +46,9 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources"]),
 	}
 }
+
+has_request_or_limits(x){
+	common_lib.valid_key(x.resources[rec["requests"]],"cpu")
+}else{
+	common_lib.valid_key(x.resources[rec["limits"]],"cpu")
+}
diff --git a/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml b/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits/test/negative1.yaml
@@ -0,0 +1,21 @@
+#this code is a correct code for which the query should not find any result
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    resources:
+      requests:
+        memory: "128Mi"
+      limits:
+        memory: "128Mi"
+  - name: log-aggregator
+    image: images.my-company.example/log-aggregator:v6
+    resources:
+      requests:
+        memory: "128Mi"
+      limits:
+        memory: "128Mi"
diff --git a/...ies/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json b/...ies/k8s/container_cpu_requests_not_equal_to_its_limits/test/positive_expected_result.json
@@ -1,24 +1,24 @@
 [
   {
-    "queryName": "Container CPU Requests Not Equal To It's Limits",
+    "queryName": "Container CPU Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive.yaml"
   },
   {
-    "queryName": "Container CPU Requests Not Equal To It's Limits",
+    "queryName": "Container CPU Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 22,
     "fileName": "positive.yaml"
   },
   {
-    "queryName": "Container CPU Requests Not Equal To It's Limits",
+    "queryName": "Container CPU Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 26,
     "fileName": "positive.yaml"
   },
   {
-    "queryName": "Container CPU Requests Not Equal To It's Limits",
+    "queryName": "Container CPU Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 10,
     "fileName": "positive2.yaml"

diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/metadata.json
@@ -1,11 +1,11 @@
 {
   "id": "aafa7d94-62de-4fbf-8838-b69ee217b0e6",
-  "queryName": "Container Memory Requests Not Equal To It's Limits",
+  "queryName": "Container Memory Requests Not Equal To Its Limits",
   "severity": "LOW",
   "category": "Resource Management",
   "descriptionText": "A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.",
   "descriptionUrl": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
   "platform": "Kubernetes",
   "descriptionID": "0c15063c",
   "cwe": ""
-}
+}
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/query.rego
@@ -4,14 +4,15 @@ import data.generic.common as common_lib
 import data.generic.k8s as k8sLib
 
 types := {"initContainers", "containers"}
+rec := {"requests", "limits"}
 
 CxPolicy[result] {
 	document := input.document[i]
 	document.kind == k8sLib.valid_pod_spec_kind_list[_]
 	specInfo := k8sLib.getSpecInfo(document)
 	container := specInfo.spec[types[x]][c]
-	rec := {"requests", "limits"}
 
+    has_request_or_limits(container)
 	not common_lib.valid_key(container.resources[rec[t]], "memory")
 
 	result := {
@@ -48,3 +49,9 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "resources"])
 	}
 }
+
+has_request_or_limits(x){
+	common_lib.valid_key(x.resources[rec["requests"]],"memory")
+}else{
+	common_lib.valid_key(x.resources[rec["limits"]],"memory")
+}
diff --git a/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml b/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits/test/negative1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    resources:
+      requests:
+        cpu: "500m"
+      limits:
+        cpu: "500m"
+  - name: log-aggregator
+    image: images.my-company.example/log-aggregator:v6
+    resources:
+      requests:
+        cpu: "500m"
+      limits:
+        cpu: "500m"
diff --git a/.../k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json b/.../k8s/container_memory_requests_not_equal_to_its_limits/test/positive_expected_result.json
@@ -1,24 +1,24 @@
 [
   {
-    "queryName": "Container Memory Requests Not Equal To It's Limits",
+    "queryName": "Container Memory Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive.yaml"
   },
   {
-    "queryName": "Container Memory Requests Not Equal To It's Limits",
+    "queryName": "Container Memory Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 22,
     "fileName": "positive.yaml"
   },
   {
-    "queryName": "Container Memory Requests Not Equal To It's Limits",
+    "queryName": "Container Memory Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 26,
     "fileName": "positive.yaml"
   },
   {
-    "queryName": "Container Memory Requests Not Equal To It's Limits",
+    "queryName": "Container Memory Requests Not Equal To Its Limits",
     "severity": "LOW",
     "line": 11,
     "fileName": "positive2.yaml"