refactor(misconf): propagate metadata through cloudformation Property chain

Author: nikpivkin

pkg/iac/adapters/cloudformation/aws/athena/athena_test.go

@@ -25,7 +25,8 @@ Resources:
       WorkGroupConfiguration:
         EnforceWorkGroupConfiguration: true
         ResultConfiguration:
-          EncryptionOption: SSE_KMS
+          EncryptionConfiguration:
+            EncryptionOption: SSE_KMS
 `,
 			expected: athena.Athena{
 				Workgroups: []athena.Workgroup{

pkg/iac/scanners/cloudformation/parser/property.go

@@ -226,64 +226,33 @@ func (p *Property) resolveValue() (*Property, bool) {
 }
 
 func (p *Property) GetStringProperty(path string, defaultValue ...string) iacTypes.StringValue {
-	defVal := ""
-	if len(defaultValue) > 0 {
-		defVal = defaultValue[0]
-	}
-
 	if p.IsUnresolved() {
 		return iacTypes.StringUnresolvable(p.Metadata())
 	}
-
-	prop := p.GetProperty(path)
-	if prop.IsNotString() {
-		return p.StringDefault(defVal)
-	}
-	return prop.AsStringValue()
+	return p.GetProperty(path).AsStringValue(firstOrZero(defaultValue))
 }
 
 func (p *Property) StringDefault(defaultValue string) iacTypes.StringValue {
 	return iacTypes.StringDefault(defaultValue, p.Metadata())
 }
 
 func (p *Property) GetBoolProperty(path string, defaultValue ...bool) iacTypes.BoolValue {
-	defVal := false
-	if len(defaultValue) > 0 {
-		defVal = defaultValue[0]
-	}
-
 	if p.IsUnresolved() {
 		return iacTypes.BoolUnresolvable(p.Metadata())
 	}
 
 	prop := p.GetProperty(path)
-
 	if prop.isFunction() {
 		prop, _ = prop.resolveValue()
 	}
-
-	if prop.IsNotBool() {
-		return p.inferBool(prop, defVal)
-	}
-	return prop.AsBoolValue()
+	return prop.AsBoolValue(firstOrZero(defaultValue))
 }
 
 func (p *Property) GetIntProperty(path string, defaultValue ...int) iacTypes.IntValue {
-	defVal := 0
-	if len(defaultValue) > 0 {
-		defVal = defaultValue[0]
-	}
-
 	if p.IsUnresolved() {
 		return iacTypes.IntUnresolvable(p.Metadata())
 	}
-
-	prop := p.GetProperty(path)
-
-	if prop.IsNotInt() {
-		return p.IntDefault(defVal)
-	}
-	return prop.AsIntValue()
+	return p.GetProperty(path).AsIntValue(firstOrZero(defaultValue))
 }
 
 func (p *Property) BoolDefault(defaultValue bool) iacTypes.BoolValue {
@@ -294,6 +263,10 @@ func (p *Property) IntDefault(defaultValue int) iacTypes.IntValue {
 	return iacTypes.IntDefault(defaultValue, p.Metadata())
 }
 
+func (p *Property) nullProperty() *Property {
+	return &Property{rng: p.rng, parentRange: p.parentRange, logicalId: p.logicalId}
+}
+
 func (p *Property) GetProperty(path string) *Property {
 	pathParts := strings.Split(path, ".")
 
@@ -305,29 +278,23 @@ func (p *Property) GetProperty(path string) *Property {
 	}
 
 	if property.IsNotMap() {
-		return nil
+		return property.nullProperty()
 	}
 
-	for n, p := range property.AsMap() {
-		if n == first {
-			property = p
-			break
-		}
+	child, ok := property.AsMap()[first]
+	if !ok {
+		return property.nullProperty()
 	}
 
-	if len(pathParts) == 1 || property == nil {
-		return property
-	}
-
-	if nestedProperty := property.GetProperty(strings.Join(pathParts[1:], ".")); nestedProperty != nil {
-		if nestedProperty.isFunction() {
-			resolved, _ := nestedProperty.resolveValue()
+	if len(pathParts) == 1 {
+		if child.isFunction() {
+			resolved, _ := child.resolveValue()
 			return resolved
 		}
-		return nestedProperty
+		return child
 	}
 
-	return &Property{}
+	return child.GetProperty(strings.Join(pathParts[1:], "."))
 }
 
 func (p *Property) deriveResolved(propType cftypes.CfType, propValue any) *Property {
@@ -341,39 +308,6 @@ func (p *Property) ParentRange() iacTypes.Range {
 	return p.parentRange
 }
 
-func (p *Property) inferBool(prop *Property, defaultValue bool) iacTypes.BoolValue {
-	if prop.IsString() {
-		if prop.EqualTo("true", IgnoreCase) {
-			return iacTypes.Bool(true, prop.Metadata())
-		}
-		if prop.EqualTo("yes", IgnoreCase) {
-			return iacTypes.Bool(true, prop.Metadata())
-		}
-		if prop.EqualTo("1", IgnoreCase) {
-			return iacTypes.Bool(true, prop.Metadata())
-		}
-		if prop.EqualTo("false", IgnoreCase) {
-			return iacTypes.Bool(false, prop.Metadata())
-		}
-		if prop.EqualTo("no", IgnoreCase) {
-			return iacTypes.Bool(false, prop.Metadata())
-		}
-		if prop.EqualTo("0", IgnoreCase) {
-			return iacTypes.Bool(false, prop.Metadata())
-		}
-	}
-
-	if prop.IsInt() {
-		if prop.EqualTo(0) {
-			return iacTypes.Bool(false, prop.Metadata())
-		}
-		if prop.EqualTo(1) {
-			return iacTypes.Bool(true, prop.Metadata())
-		}
-	}
-
-	return p.BoolDefault(defaultValue)
-}
 
 func (p *Property) String() string {
 	r := ""

pkg/iac/scanners/cloudformation/parser/property_helpers.go

@@ -8,6 +8,14 @@ import (
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
+func firstOrZero[T any](values []T) T {
+	if len(values) > 0 {
+		return values[0]
+	}
+	var zero T
+	return zero
+}
+
 func (p *Property) IsNil() bool {
 	return p == nil || p.Value == nil
 }
@@ -92,10 +100,16 @@ func (p *Property) AsString() string {
 	return p.Value.(string)
 }
 
-func (p *Property) AsStringValue() iacTypes.StringValue {
-	if p.unresolved {
+func (p *Property) AsStringValue(defaultValue ...string) iacTypes.StringValue {
+	if p.IsNil() {
+		return p.StringDefault(firstOrZero(defaultValue))
+	}
+	if p.IsUnresolved() {
 		return iacTypes.StringUnresolvable(p.Metadata())
 	}
+	if !p.IsString() {
+		return p.StringDefault(firstOrZero(defaultValue))
+	}
 	return iacTypes.StringExplicit(p.AsString(), p.Metadata())
 }
 
@@ -116,28 +130,47 @@ func (p *Property) AsInt() int {
 	return p.Value.(int)
 }
 
-func (p *Property) AsIntValue() iacTypes.IntValue {
-	if p.unresolved {
+func (p *Property) AsIntValue(defaultValue ...int) iacTypes.IntValue {
+	if p.IsNil() {
+		return p.IntDefault(firstOrZero(defaultValue))
+	}
+	if p.IsUnresolved() {
 		return iacTypes.IntUnresolvable(p.Metadata())
 	}
+	if !p.IsInt() {
+		return p.IntDefault(firstOrZero(defaultValue))
+	}
 	return iacTypes.IntExplicit(p.AsInt(), p.Metadata())
 }
 
+var boolTrueStrings = map[string]struct{}{
+	"true": {}, "yes": {}, "1": {},
+}
+
 func (p *Property) AsBool() bool {
 	if p.isFunction() {
 		if prop, success := p.resolveValue(); success && prop != p {
 			return prop.AsBool()
 		}
 		return false
 	}
-	if !p.IsBool() {
-		return false
+	switch p.Type {
+	case cftypes.Bool:
+		return p.Value.(bool)
+	case cftypes.String:
+		_, ok := boolTrueStrings[strings.ToLower(p.AsString())]
+		return ok
+	case cftypes.Int:
+		return p.AsInt() != 0
 	}
-	return p.Value.(bool)
+	return false
 }
 
-func (p *Property) AsBoolValue() iacTypes.BoolValue {
-	if p.unresolved {
+func (p *Property) AsBoolValue(defaultValue ...bool) iacTypes.BoolValue {
+	if p.IsNil() {
+		return p.BoolDefault(firstOrZero(defaultValue))
+	}
+	if p.IsUnresolved() {
 		return iacTypes.BoolUnresolvable(p.Metadata())
 	}
 	return iacTypes.Bool(p.AsBool(), p.Metadata())

pkg/iac/scanners/cloudformation/parser/property_test.go

@@ -0,0 +1,95 @@
+package parser
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+
+func mustParseYAML(t *testing.T, source string) FileContexts {
+	t.Helper()
+	files, err := parseFile(t, source, "cf.yaml")
+	require.NoError(t, err)
+	return files
+}
+
+func Test_Property_AsBoolValue_StringAndIntInference(t *testing.T) {
+	tests := []struct {
+		name     string
+		value    string
+		expected bool
+	}{
+		{name: "bool true", value: "true", expected: true},
+		{name: "bool false", value: "false", expected: false},
+		{name: "string true", value: `"true"`, expected: true},
+		{name: "string yes", value: `"yes"`, expected: true},
+		{name: "string 1", value: `"1"`, expected: true},
+		{name: "string TRUE uppercase", value: `"TRUE"`, expected: true},
+		{name: "string false", value: `"false"`, expected: false},
+		{name: "string no", value: `"no"`, expected: false},
+		{name: "string 0", value: `"0"`, expected: false},
+		{name: "int 1", value: "1", expected: true},
+		{name: "int 0", value: "0", expected: false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			source := `---
+Resources:
+  MyResource:
+    Type: AWS::S3::Bucket
+    Properties:
+      Flag: ` + tt.value
+
+			prop := mustParseYAML(t, source)[0].Resources["MyResource"].GetProperty("Flag")
+			assert.Equal(t, tt.expected, prop.AsBoolValue().IsTrue())
+		})
+	}
+}
+
+func Test_Resource_GetBoolProperty_MissingKeyUsesDefault(t *testing.T) {
+	source := `---
+Resources:
+  MyResource:
+    Type: AWS::S3::Bucket
+    Properties:
+      Other: value`
+
+	resource := mustParseYAML(t, source)[0].Resources["MyResource"]
+
+	assert.False(t, resource.GetBoolProperty("Missing").IsTrue())
+	assert.True(t, resource.GetBoolProperty("Missing", true).IsTrue())
+}
+
+
+
+func Test_Resource_GetProperty_MetadataPropagation(t *testing.T) {
+	source := `---
+Resources:
+  MyResource:
+    Type: AWS::S3::Bucket
+    Properties:
+      Name: myvalue
+      Nested:
+        DeepKey: deepvalue`
+
+	resource := mustParseYAML(t, source)[0].Resources["MyResource"]
+
+	existing := resource.GetStringProperty("Name")
+	assert.Equal(t, "myvalue", existing.Value())
+	assert.Equal(t, resource.GetProperty("Name").Metadata().Range(), existing.GetMetadata().Range())
+
+	deep := resource.GetStringProperty("Nested.DeepKey")
+	assert.Equal(t, "deepvalue", deep.Value())
+	assert.Equal(t, resource.GetProperty("Nested.DeepKey").Metadata().Range(), deep.GetMetadata().Range())
+
+	missing := resource.GetStringProperty("Missing")
+	assert.Equal(t, "", missing.Value())
+	assert.Equal(t, resource.Range(), missing.GetMetadata().Range())
+
+	nestedMissing := resource.GetStringProperty("Nested.Missing")
+	assert.Equal(t, "", nestedMissing.Value())
+	assert.Equal(t, resource.GetProperty("Nested").Metadata().Range(), nestedMissing.GetMetadata().Range())
+}