fix(secrets inspector): added mutex to lock addVulnerability (#5503)

* added mutex to lock addVulnerability * increased timeout for go lint and go test race * fixed tiller queries * fixed 94b76ea5-e074-4ca2-8a03-c5a606e30645
Checkmarx · Jun 21, 2022 · af2c63a · af2c63a
1 parent af958ea
commit af2c63a
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 18 deletions.
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -18,7 +18,7 @@ jobs:
         uses: golangci/[email protected]
         with:
           version: v1.46.1
-          args: -c .golangci.yml --timeout 15m
+          args: -c .golangci.yml --timeout 20m
   go-generate:
     name: go-generate
     runs-on: ubuntu-latest

diff --git a/.github/workflows/go-test-race.yml b/.github/workflows/go-test-race.yml
@@ -41,7 +41,7 @@ jobs:
           go mod vendor
       - name: Test and Generate Report
         run: |
-          go test -race -timeout 3600s -mod=vendor -v $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
+          go test -race -timeout 9999s -mod=vendor -v $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
           result_code=${PIPESTATUS[0]}
           exit $result_code
       - name: Archive test logs

diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego b/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego
@@ -44,7 +44,7 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("apiVersion={{%s}}", [document.apiVersion]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion should be {{%s}}", [metadata.name, recommendedVersions[document.apiVersion][document.kind]]),
-		"keyActualValue": sprintf("metadata.name={{%s}}.apiVersion is deprecated and is {{%s}}", [metadata.name, document.apiVersion]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion of %s should be {{%s}}", [metadata.name,  document.kind, recommendedVersions[document.apiVersion][document.kind]]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.apiVersion of %s  is deprecated and is {{%s}}", [metadata.name, document.kind, document.apiVersion]),
 	}
 }
diff --git a/assets/queries/k8s/tiller_is_deployed/query.rego b/assets/queries/k8s/tiller_is_deployed/query.rego
@@ -12,8 +12,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'metadata' does not refer any to a Tiller resource",
-		"keyActualValue": "'metadata' refers to a Tiller resource",
+		"keyExpectedValue": sprintf("'metadata' of %s does not refer to any Tiller resource", [document.kind]),
+		"keyActualValue": sprintf("'metadata' of %s refers to a Tiller resource", [document.kind]),
 	}
 }
 
@@ -33,8 +33,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.%s", [metadata.name, types[x]]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'spec.containers' doesn't have any Tiller containers", [types[x]]),
-		"keyActualValue": sprintf("'spec.containers' contains a Tiller container", [types[x]]),
+		"keyExpectedValue": sprintf("'spec.%s' of %s doesn't have any Tiller containers", [types[x], document.kind]),
+		"keyActualValue": sprintf("'spec.%s' of %s contains a Tiller container", [types[x], document.kind]),
 	}
 }
 
@@ -51,8 +51,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.template.metadata", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'spec.template.metadata' does not refer to any Tiller resource",
-		"keyActualValue": "'spec.template.metadata' refers to a Tiller resource",
+		"keyExpectedValue": sprintf("'spec.template.metadata' does not refer to any Tiller resource", [document.kind]),
+		"keyActualValue": sprintf("'spec.template.metadata' refers to a Tiller resource", [document.kind]),
 	}
 }
 
@@ -70,8 +70,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.template.spec.%s", [metadata.name, types[x]]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'spec.template.spec.%s' doesn't have any Tiller containers", [types[x]]),
-		"keyActualValue": sprintf("'spec.template.spec.%s' contains a Tiller container", [types[x]]),
+		"keyExpectedValue": sprintf("'spec.template.spec.%s' of %s doesn't have any Tiller containers", [types[x], document.kind]),
+		"keyActualValue": sprintf("'spec.template.spec.%s' of %s contains a Tiller container", [types[x], document.kind]),
 	}
 }
 

diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/query.rego b/assets/queries/k8s/tiller_service_is_not_deleted/query.rego
@@ -13,8 +13,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "metadata.name does not contain 'tiller'",
-		"keyActualValue": "metadata.name contains 'tiller'",
+		"keyExpectedValue": sprintf("metadata.name of %s does not contain 'tiller'", [document.kind]),
+		"keyActualValue": sprintf("metadata.name of %s contains 'tiller'", [document.kind]),
 	}
 }
 
@@ -33,8 +33,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "metadata.labels does not have values that contain 'tiller'",
-		"keyActualValue": sprintf("metadata.labels.%s contains 'tiller'", [j]),
+		"keyExpectedValue": sprintf("metadata.labels of %s does not have values that contain 'tiller'", [document.kind]),
+		"keyActualValue": sprintf("metadata.labels.%s of %s contains 'tiller'", [document.kind, j]),
 	}
 }
 
@@ -54,7 +54,7 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.selector.%s", [metadata.name, j]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "spec.selector does not have values that contain 'tiller'",
-		"keyActualValue": sprintf("spec.selector.%s contains 'tiller'", [j]),
+		"keyExpectedValue": sprintf("spec.selector of %s does not have values that contain 'tiller'", [document.kind]),
+		"keyActualValue": sprintf("spec.selector.%s of %s contains 'tiller'", [document.kind, j]),
 	}
 }
diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go
@@ -41,6 +41,7 @@ type Inspector struct {
 	vulnerabilities       []model.Vulnerability
 	queryExecutionTimeout time.Duration
 	foundLines            []int
+	mu                    sync.RWMutex
 }
 
 type Entropy struct {
@@ -480,6 +481,7 @@ func (c *Inspector) addVulnerability(basePaths []string, file *model.FileMetadat
 		log.Error().Msg("unable to compute similarity ID")
 	}
 
+	c.mu.Lock()
 	if _, ok := c.excludeResults[engine.PtrStringToString(simID)]; !ok {
 		linesVuln := c.detector.GetAdjecent(file, lineNumber+1)
 		if !ignoreLine(linesVuln.Line, file.LinesIgnore) {
@@ -505,6 +507,7 @@ func (c *Inspector) addVulnerability(basePaths []string, file *model.FileMetadat
 			c.vulnerabilities = append(c.vulnerabilities, vuln)
 		}
 	}
+	c.mu.Unlock()
 }
 
 // CheckEntropyInterval - verifies if a given token's entropy is within expected bounds