fix fmt and unit tests

Checkmarx · Nov 9, 2024 · 9b52592 · 9b52592
1 parent 22a3272
commit 9b52592
Show file tree

Hide file tree

Showing 27 changed files with 22 additions and 52 deletions.
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego
@@ -6,11 +6,9 @@ import future.keywords.in
 
 CxPolicy[result] {
 	some document in input.document
-	some name in document.Resources
 	resource := document.Resources[name]
 	resource.Type == "AWS::CloudTrail::Trail"
 	attributes := {"CloudWatchLogsLogGroupArn", "CloudWatchLogsRoleArn"}
-	some a in attributes
 	attr := attributes[a]
 
 	not common_lib.valid_key(resource.Properties, attr)

diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/query.rego b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/query.rego
@@ -6,7 +6,6 @@ import future.keywords.in
 
 CxPolicy[result] {
 	some document in input.document
-	some key in document.Resources
 	resource := document.Resources[key]
 	resource.Type == "AWS::EC2::Volume"
 

diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/query.rego b/assets/queries/cloudFormation/aws/efs_not_encrypted/query.rego
@@ -5,15 +5,14 @@ import future.keywords.in
 
 CxPolicy[result] {
 	some document in input.document
-	some key in document.Resources
 
 	resource = document.Resources[key]
 	resource.Type == "AWS::EFS::FileSystem"
 	properties := resource.Properties
 	properties.Encrypted == false
 
 	result := {
-		"documentId": doc.id,
+		"documentId": document.id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, key),
 		"searchKey": sprintf("Resources.%s.Properties.Encrypted", [key]),

diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/query.rego b/assets/queries/cloudFormation/aws/elasticache_using_default_port/query.rego
@@ -11,7 +11,6 @@ CxPolicy[result] {
 	properties := resource.Properties
 
 	engines := {"memcached": 11211, "redis": 6379}
-	some e in engines
 	enginePort := engines[e]
 
 	lower(properties.Engine) == e

diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/query.rego b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/query.rego
@@ -6,8 +6,6 @@ import future.keywords.in
 CxPolicy[result] {
 	some docs in input.document
 	[path, Resources] := walk(docs)
-	some name in Resources
-
 	resource := Resources[name]
 	resource.Type == "AWS::RDS::DBInstance"
 	to_number(resource.Properties.BackupRetentionPeriod) == 0

diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/query.rego b/assets/queries/cloudFormation/aws/routertable_with_default_routing/query.rego
@@ -7,7 +7,6 @@ import future.keywords.in
 CxPolicy[result] {
 	some doc in input.document
 	[path, Resources] := walk(docs)
-	some key in Resources
 
 	resource := Resources[key]
 	resource.Type == "AWS::EC2::Route"
@@ -29,7 +28,6 @@ CxPolicy[result] {
 CxPolicy[result] {
 	some doc in input.document
 	[path, Resources] := walk(docs)
-	some key in Resources
 
 	resource := Resources[key]
 	resource.Type == "AWS::EC2::Route"
@@ -51,7 +49,6 @@ CxPolicy[result] {
 CxPolicy[result] {
 	some doc in input.document
 	[path, Resources] := walk(docs)
-	some key in Resources
 
 	resource := Resources[key]
 	resource.Type == "AWS::EC2::Route"

diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
@@ -4,17 +4,17 @@ import data.generic.cloudformation as cf_lib
 import future.keywords.in
 
 CxPolicy[result] {
-	some doc in input.document
+	some docs in input.document
 	[path, Resources] := walk(docs)
-	some name in Resources
-	
+	some name
+
 	resource := Resources[name]
 	properties := resource.Properties
 	resource.Type == "AWS::S3::Bucket"
 	properties.AccessControl == "PublicReadWrite"
 
 	result := {
-		"documentId": doc.id,
+		"documentId": docs.id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("%s%s.AccessControl", [cf_lib.getPath(path), name]),

diff --git a/...queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/query.rego b/...queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/query.rego
@@ -5,9 +5,9 @@ import data.generic.common as common_lib
 import future.keywords.in
 
 CxPolicy[result] {
-	some doc in input.document
+	some docs in input.document
+	some name
 	[path, Resources] := walk(docs)
-	some name in Resources
 
 	resource := Resources[name]
 	resource.Type == "AWS::S3::BucketPolicy"
@@ -20,7 +20,7 @@ CxPolicy[result] {
 	cf_lib.checkAction(statement.Action, "delete")
 
 	result := {
-		"documentId": doc.id,
+		"documentId": docs.id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("%s%s.Properties.PolicyDocument", [cf_lib.getPath(path), name]),

diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/query.rego
@@ -5,15 +5,15 @@ import data.generic.common as common_lib
 import future.keywords.in
 
 CxPolicy[result] {
-	some doc in input.document
+	some docs in input.document
 	[path, Resources] := walk(docs)
 	resource := Resources[name]
 	resource.Type == "AWS::S3::Bucket"
 	prop := resource.Properties
 	not common_lib.valid_key(prop, "LoggingConfiguration")
 
 	result := {
-		"documentId": doc.id,
+		"documentId": docs.id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),

diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/query.rego b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/query.rego
@@ -6,7 +6,6 @@ import future.keywords.in
 CxPolicy[result] {
 	some docs in input.document
 	[path, Resources] := walk(docs)
-	some name in Resources
 
 	resource := Resources[name]
 	resource.Type == "AWS::EC2::VPC"

diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego b/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 	destribution_config.logging.enabled == false
 
 	result := {
-		"documentId": doc.id,
+		"documentId": docs.id,
 		"resourceType": resource.kind,
 		"resourceName": cp_lib.getResourceName(resource),
 		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.logging.enabled", [cp_lib.getPath(path), resource.metadata.name]),
@@ -37,7 +37,7 @@ CxPolicy[result] {
 	not common_lib.valid_key(destribution_config.logging, "enabled")
 
 	result := {
-		"documentId": doc.id,
+		"documentId": docs.id,
 		"resourceType": resource.kind,
 		"resourceName": cp_lib.getResourceName(resource),
 		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.logging", [cp_lib.getPath(path), resource.metadata.name]),
@@ -49,7 +49,7 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	some doc in input.document
+	some docs in input.document
 	[path, resource] := walk(docs)
 	startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
 	resource.kind == "Distribution"
@@ -59,7 +59,7 @@ CxPolicy[result] {
 	not common_lib.valid_key(destribution_config, "logging")
 
 	result := {
-		"documentId": doc.id,
+		"documentId": docs.id,
 		"resourceType": resource.kind,
 		"resourceName": cp_lib.getResourceName(resource),
 		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path), resource.metadata.name]),

diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
@@ -4,7 +4,7 @@ import data.generic.dockerfile as dockerLib
 import future.keywords.in
 
 CxPolicy[result] {
-	document in input.document
+	some document in input.document
 	commands = document.command
 
 	commands[img][c].Cmd == "run"
@@ -25,7 +25,7 @@ CxPolicy[result] {
 }
 
 commandHasNonInteractiveSwitch(command) {
-	regex.match(`zypper \\w+ (-y|--no-confirm)`, command)
+	regex.match(`zypper \w+ (-y|--no-confirm)`, command)
 }
 
 commandHasZypperUsage(command) {

diff --git a/assets/queries/k8s/audit_policy_file_not_defined/query.rego b/assets/queries/k8s/audit_policy_file_not_defined/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 	not k8sLib.startWithFlag(container, "--audit-policy-file")
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": resource.id,
 		"resourceType": resource.kind,
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
@@ -37,7 +37,7 @@ CxPolicy[result] {
 	not hasPolicyFile(input, file)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": resource.id,
 		"resourceType": resource.kind,
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),

diff --git a/assets/queries/k8s/metadata_label_is_invalid/query.rego b/assets/queries/k8s/metadata_label_is_invalid/query.rego
@@ -7,7 +7,6 @@ CxPolicy[result] {
 	metadata := document.metadata
 	labels := metadata.labels
 
-	some key in labels
 	value := labels[key]
 	regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", value) == false
 

diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/query.rego b/assets/queries/k8s/pod_misconfigured_network_policy/query.rego
@@ -5,7 +5,7 @@ import future.keywords.in
 
 # same namespace but has no ingress rules
 CxPolicy[result] {
-	some doc in input.document
+	some pod in input.document
 	pod.kind == "Pod"
 
 	policyList := [policy | policy := input.document[j]; policy.kind == "NetworkPolicy"]

diff --git a/assets/queries/k8s/service_with_external_load_balancer/query.rego b/assets/queries/k8s/service_with_external_load_balancer/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 	not common_lib.valid_key(metadata, "annotations")
 
 	result := {
-		"documentId": doc.id,
+		"documentId": document.id,
 		"resourceType": document.kind,
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
@@ -36,7 +36,7 @@ CxPolicy[result] {
 	not checkLoadBalancer(annotations)
 
 	result := {
-		"documentId": doc.id,
+		"documentId": document.id,
 		"resourceType": document.kind,
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.annotations", [metadata.name]),

diff --git a/assets/queries/k8s/statefulset_without_service_name/query.rego b/assets/queries/k8s/statefulset_without_service_name/query.rego
@@ -7,7 +7,7 @@ CxPolicy[result] {
 	some statefulset in input.document
 	statefulset.kind == "StatefulSet"
 
-	count({ resource |
+	count({resource |
 		some resource in input.document
 		resource.kind == "Service"
 		resource.spec.clusterIP == "None"

diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/query.rego b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/query.rego
@@ -9,8 +9,6 @@ CxPolicy[result] {
 	openapi_lib.check_openapi(doc) == "2.0"
 
 	[path, value] := walk(doc)
-	some n in value.parameters
-
 	param := value.parameters[n]
 	param_method := param["in"]
 	param_method != "body"

diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/query.rego b/assets/queries/openAPI/3.0/components_request_body_definition_unused/query.rego
@@ -7,7 +7,6 @@ CxPolicy[result] {
 	some doc in input.document
 	openapi_lib.check_openapi(doc) == "3.0"
 
-	some requestBody in doc.components.requestBodies
 	doc.components.requestBodies[requestBody]
 	openapi_lib.check_unused_reference(doc, requestBody, "requestBodies")
 

diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego b/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego
@@ -8,7 +8,6 @@ CxPolicy[result] {
 	openapi_lib.check_openapi(doc) == "3.0"
 
 	[path, value] := walk(doc)
-	some mime in value.content
 	content = value.content[mime]
 
 	not openapi_lib.is_valid_mime(mime)

diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/query.rego b/assets/queries/openAPI/3.0/media_type_object_without_schema/query.rego
@@ -12,7 +12,6 @@ CxPolicy[result] {
 	content = value.content
 	info := openapi_lib.is_operation(path)
 	openapi_lib.content_allowed(info.operation, info.code)
-	some x in content
 	contentElement := content[x]
 	not common_lib.valid_key(contentElement, "schema")
 
@@ -32,7 +31,6 @@ CxPolicy[result] {
 	[path, value] := walk(doc)
 	content = value.content
 	openapi_lib.is_operation(path) == {}
-	some x in content
 	contentElement := content[x]
 	not common_lib.valid_key(contentElement, "schema")
 

diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/query.rego b/assets/queries/openAPI/3.0/security_schemes_using_oauth/query.rego
@@ -7,7 +7,6 @@ CxPolicy[result] {
 	some doc in input.document
 	openapi_lib.check_openapi(doc) == "3.0"
 
-	some name in doc.components.securitySchemes
 	security_scheme := doc.components.securitySchemes[name]
 	security_scheme.type == "http"
 	security_scheme.scheme == "oauth"

diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/query.rego b/assets/queries/openAPI/general/header_parameter_named_as_content_type/query.rego
@@ -9,8 +9,6 @@ CxPolicy[result] {
 	version != "undefined"
 
 	[path, value] := walk(doc)
-	some n in value.parameters
-
 	params := value.parameters[n]
 	openapi_lib.improperly_defined(params, "Content-Type")
 

diff --git a/assets/queries/openAPI/general/path_parameter_not_required/query.rego b/assets/queries/openAPI/general/path_parameter_not_required/query.rego
@@ -10,8 +10,6 @@ CxPolicy[result] {
 	version != "undefined"
 
 	[path, value] := walk(doc)
-	some n in value.parameters
-
 	param := value.parameters[n]
 	param_method := param["in"]
 	param_method == "path"

diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/query.rego
@@ -8,8 +8,6 @@ CxPolicy[result] {
 	some doc in input.document
 	version := openapi_lib.check_openapi(doc)
 	version != "undefined"
-	some n in doc.paths
-
 	response := doc.paths[n].post.responses
 
 	not common_lib.valid_key(response, "200")

diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego
@@ -5,7 +5,6 @@ import data.generic.terraform as tf_lib
 import future.keywords.in
 
 CxPolicy[result] {
-	some i
 	some doc in input.document
 	resource := doc.resource.alicloud_kms_key[name]
 	seconds_in_a_year := 31536000
@@ -29,7 +28,6 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	some i
 	some doc in input.document
 	resource := doc.resource.alicloud_kms_key[name]
 	not common_lib.valid_key(resource, "automatic_rotation")
@@ -49,7 +47,6 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	some i
 	some doc in input.document
 	resource := doc.resource.alicloud_kms_key[name]
 	resource.automatic_rotation == "Disabled"

diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/query.rego b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/query.rego
@@ -8,8 +8,6 @@ CxPolicy[result] {
 	resource := doc.resource[resourceType]
 
 	services := {"aws_api_gateway_domain_name", "aws_iam_server_certificate", "aws_acm_certificate"}
-
-	some resourceType in services
 	resourceType == services[_]
 
 	resource[name].certificate_body.rsa_key_bytes < 256