
Update to the latest defsec #2071

Open. Wants to merge 1 commit into base: master.

Conversation

@MartinPetkov commented Jun 28, 2023

This is primarily to get aquasecurity/defsec#1338. The related changes are under ./docs/checks/google/iam/no-conditions-workload-identity-pool-provider/

I'm following https://github.com/aquasecurity/tfsec/blob/master/CONTRIBUTING.md but I had to do several extra things.

I'm using Go 1.21.

Running go mod vendor came back with multiple commands to run:

go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/spf13/cobra: missing go.sum entry for module providing package github.com/spf13/cobra (imported by github.com/aquasecurity/tfsec/cmd/tfsec-checkgen); to add:
	go get github.com/aquasecurity/tfsec/cmd/tfsec-checkgen
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/AlecAivazis/survey/v2 imports
	golang.org/x/term: missing go.sum entry for module providing package golang.org/x/term (imported by github.com/AlecAivazis/survey/v2); to add:
	go get github.com/AlecAivazis/survey/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/aquasecurity/defsec/pkg/scan imports
	golang.org/x/text/cases: missing go.sum entry for module providing package golang.org/x/text/cases (imported by github.com/aquasecurity/defsec/pkg/scan); to add:
	go get github.com/aquasecurity/defsec/pkg/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/aquasecurity/defsec/pkg/scan imports
	golang.org/x/text/language: missing go.sum entry for module providing package golang.org/x/text/language (imported by github.com/aquasecurity/defsec/pkg/scan); to add:
	go get github.com/aquasecurity/defsec/pkg/[email protected]
go: github.com/aquasecurity/tfsec/internal/pkg/custom imports
	github.com/zclconf/go-cty/cty imports
	golang.org/x/text/unicode/norm: missing go.sum entry for module providing package golang.org/x/text/unicode/norm (imported by github.com/zclconf/go-cty/cty); to add:
	go get github.com/zclconf/go-cty/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/AlecAivazis/survey/v2 imports
	github.com/AlecAivazis/survey/v2/terminal imports
	golang.org/x/text/width: missing go.sum entry for module providing package golang.org/x/text/width (imported by github.com/AlecAivazis/survey/v2/terminal); to add:
	go get github.com/AlecAivazis/survey/v2/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/resolvers imports
	github.com/hashicorp/go-getter: missing go.sum entry for module providing package github.com/hashicorp/go-getter (imported by github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/resolvers); to add:
	go get github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/[email protected]
go: github.com/aquasecurity/tfsec/internal/app/tfsec/cmd imports
	github.com/spf13/viper imports
	github.com/fsnotify/fsnotify imports
	golang.org/x/sys/unix: missing go.sum entry for module providing package golang.org/x/sys/unix (imported by github.com/fsnotify/fsnotify); to add:
	go get github.com/fsnotify/[email protected]
go: github.com/aquasecurity/tfsec/internal/app/tfsec/cmd imports
	github.com/spf13/viper imports
	github.com/fsnotify/fsnotify imports
	golang.org/x/sys/windows: missing go.sum entry for module providing package golang.org/x/sys/windows (imported by github.com/fsnotify/fsnotify); to add:
	go get github.com/fsnotify/[email protected]
go: github.com/aquasecurity/tfsec/internal/app/tfsec/cmd imports
	github.com/spf13/viper imports
	github.com/spf13/afero imports
	golang.org/x/text/runes: missing go.sum entry for module providing package golang.org/x/text/runes (imported by github.com/spf13/afero); to add:
	go get github.com/spf13/[email protected]
go: github.com/aquasecurity/tfsec/internal/app/tfsec/cmd imports
	github.com/spf13/viper imports
	github.com/spf13/afero imports
	golang.org/x/text/transform: missing go.sum entry for module providing package golang.org/x/text/transform (imported by github.com/spf13/afero); to add:
	go get github.com/spf13/[email protected]
go: github.com/aquasecurity/tfsec/internal/pkg/formatter imports
	github.com/liamg/gifwrap/pkg/ascii imports
	github.com/gdamore/tcell/v2 imports
	golang.org/x/text/encoding: missing go.sum entry for module providing package golang.org/x/text/encoding (imported by github.com/gdamore/tcell/v2); to add:
	go get github.com/gdamore/tcell/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/AlecAivazis/survey/v2 imports
	github.com/AlecAivazis/survey/v2/core imports
	github.com/mgutz/ansi imports
	github.com/mattn/go-colorable: missing go.sum entry for module providing package github.com/mattn/go-colorable (imported by github.com/mgutz/ansi); to add:
	go get github.com/mgutz/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/funcs imports
	github.com/bmatcuk/doublestar/v4: missing go.sum entry for module providing package github.com/bmatcuk/doublestar/v4 (imported by github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/funcs); to add:
	go get github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/funcs imports
	golang.org/x/text/encoding/ianaindex: missing go.sum entry for module providing package golang.org/x/text/encoding/ianaindex (imported by github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/funcs); to add:
	go get github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-checkgen imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser imports
	github.com/aquasecurity/defsec/pkg/scanners/terraform/parser/funcs imports
	golang.org/x/crypto/ssh imports
	golang.org/x/crypto/chacha20 imports
	golang.org/x/sys/cpu: missing go.sum entry for module providing package golang.org/x/sys/cpu (imported by golang.org/x/crypto/chacha20); to add:
	go get golang.org/x/crypto/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-docs imports
	github.com/aquasecurity/defsec/pkg/rules imports
	github.com/aquasecurity/defsec/rules/cloud/policies/aws/ec2 imports
	github.com/owenrumney/squealer/pkg/squealer imports
	github.com/owenrumney/squealer/internal/pkg/match imports
	github.com/go-git/go-git/v5/plumbing/object imports
	github.com/go-git/go-git/v5/utils/ioutil imports
	github.com/jbenet/go-context/io imports
	golang.org/x/net/context: missing go.sum entry for module providing package golang.org/x/net/context (imported by github.com/jbenet/go-context/io); to add:
	go get github.com/jbenet/go-context/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-docs imports
	github.com/aquasecurity/defsec/pkg/rules imports
	github.com/aquasecurity/defsec/rules/cloud/policies/aws/ec2 imports
	github.com/owenrumney/squealer/pkg/squealer imports
	github.com/owenrumney/squealer/internal/pkg/scan imports
	github.com/go-git/go-git/v5 imports
	github.com/go-git/go-git/v5/plumbing/transport/client imports
	github.com/go-git/go-git/v5/plumbing/transport/file imports
	golang.org/x/sys/execabs: missing go.sum entry for module providing package golang.org/x/sys/execabs (imported by github.com/go-git/go-git/v5/plumbing/transport/file); to add:
	go get github.com/go-git/go-git/v5/plumbing/transport/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-docs imports
	github.com/aquasecurity/defsec/pkg/rules imports
	github.com/aquasecurity/defsec/rules/cloud/policies/aws/ec2 imports
	github.com/owenrumney/squealer/pkg/squealer imports
	github.com/owenrumney/squealer/internal/pkg/scan imports
	github.com/go-git/go-git/v5 imports
	github.com/go-git/go-git/v5/plumbing/transport/client imports
	github.com/go-git/go-git/v5/plumbing/transport/ssh imports
	golang.org/x/net/proxy: missing go.sum entry for module providing package golang.org/x/net/proxy (imported by github.com/go-git/go-git/v5/plumbing/transport/ssh); to add:
	go get github.com/go-git/go-git/v5/plumbing/transport/[email protected]
go: github.com/aquasecurity/tfsec/cmd/tfsec-docs imports
	github.com/aquasecurity/defsec/pkg/rules imports
	github.com/aquasecurity/defsec/rules/cloud/policies/aws/ec2 imports
	github.com/owenrumney/squealer/pkg/squealer imports
	github.com/owenrumney/squealer/internal/pkg/scan imports
	github.com/go-git/go-git/v5 imports
	github.com/go-git/go-git/v5/plumbing/transport/client imports
	github.com/go-git/go-git/v5/plumbing/transport/ssh imports
	github.com/xanzy/ssh-agent imports
	github.com/Microsoft/go-winio imports
	golang.org/x/tools/cmd/stringer: missing go.sum entry for module providing package golang.org/x/tools/cmd/stringer (imported by github.com/Microsoft/go-winio); to add:
	go get github.com/Microsoft/[email protected]

I had to update /usr/local/google/home/mpetkov/development/github/MartinPetkov/tfsec/cmd/tfsec-docs/main.go so that make publish-docs doesn't break when there are no bad or good examples (arguably the rule itself should be fixed to have good and bad examples, but it wasn't my rule that was broken):

diff --git a/cmd/tfsec-docs/main.go b/cmd/tfsec-docs/main.go
index a1c5d9ba..c3618dd3 100644
--- a/cmd/tfsec-docs/main.go
+++ b/cmd/tfsec-docs/main.go
@@ -57,6 +57,14 @@ func getSortedFileContents() []*FileContent {
                        continue
                }
                provider := string(r.Rule().Provider)
+               var badExample string
+               if len(r.Rule().Terraform.BadExamples) > 0 {
+                       badExample = r.Rule().Terraform.BadExamples[0]
+               }
+               var goodExample string
+               if len(r.Rule().Terraform.GoodExamples) > 0 {
+                       goodExample = r.Rule().Terraform.GoodExamples[0]
+               }
                checkMap[provider] = append(checkMap[provider], templateObject{
                        ID:          r.Rule().LongID(),
                        ShortCode:   r.Rule().ShortCode,
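Review bot: the `len(...) > 0` guards around `badExample` and `goodExample` turn a rule with no Terraform examples into empty strings, so the broken rule stops failing `make publish-docs` but also stops being visible; add a warning in the fall-through case naming the rule, e.g. `log.Printf("rule %s has no Terraform bad example", r.Rule().LongID())`, so CI still points at the rule that needs fixing. The guards also only cover empty slices, not missing engine metadata: if `Terraform` is a pointer that can be nil for a rule, `r.Rule().Terraform.BadExamples` still panics unless the `continue` above already skips such rules, which is worth confirming.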
@@ -67,8 +75,8 @@ func getSortedFileContents() []*FileContent {
                        Explanation: r.Rule().Explanation,
                        Impact:      r.Rule().Impact,
                        Resolution:  r.Rule().Resolution,
-                       BadExample:  r.Rule().Terraform.BadExamples[0],
-                       GoodExample: r.Rule().Terraform.GoodExamples[0],
+                       BadExample:  badExample,
+                       GoodExample: goodExample,
                        Links:       append(r.Rule().Terraform.Links, r.Rule().Links...),
                })
        }
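Review bot: with empty strings now flowing into `BadExample` and `GoodExample`, the docs template will render whatever it does for an empty example (most likely an empty code block) on that rule's page; either have the template omit the example section when the string is empty, or keep this a hard error for rules in this repository and tolerate it only for vendored defsec rules. Separately, in the unchanged `Links:` line, `append(r.Rule().Terraform.Links, r.Rule().Links...)` appends into the rule's own slice and can write into a shared backing array when it has spare capacity; copy `Terraform.Links` into a fresh slice before appending.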

Running make pr-ready reports a ton of typo errors, but it also seems to do that against the current master and it reported only 3 errors not under /vendor/, also not for my rule:

./docs/checks/azure/database/index.md:32: subcription ==> subscription
./docs/checks/azure/database/threat-alert-email-to-owner/index.md:2: subcription ==> subscription
./docs/checks/azure/database/threat-alert-email-to-owner/index.md:5: subcription ==> subscription

Running make test passes.

The instructions in CONTRIBUTING.md don't say what to do to just bring in one rule, so this has ended up updating a bunch of unrelated things. I don't mind, but let me know if you'd like me to do something different.
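The check this PR pulls in (./docs/checks/google/iam/no-conditions-workload-identity-pool-provider/) targets providers created without an attribute condition. The following is an added illustration written for this page, not the rule's bundled good/bad examples and not code from the PR. The pool and provider IDs, the project, the repository name and the issuer URI are placeholders, and the choice of attribute_condition on google_iam_workload_identity_pool_provider as the relevant setting is my own reading of the rule's name, not something the PR states.

```hcl
# Added example for this page; not the rule's own examples.
# All identifiers below are placeholders.

resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github-pool"
}

# Weak: no attribute_condition. Every token the configured issuer signs is
# accepted by this provider, so the only thing restricting which external
# identity can exchange a token is the IAM binding on the pool.
resource "google_iam_workload_identity_pool_provider" "github_open" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-open"

  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Corrected: the provider itself rejects tokens from any repository other
# than the one named in the condition, independent of how the pool's IAM
# bindings are written. The repository name is a placeholder.
resource "google_iam_workload_identity_pool_provider" "github_restricted" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-restricted"

  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  # CEL expression evaluated against the token's claims.
  attribute_condition = "assertion.repository == 'example-org/example-repo'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
```

The condition is defense in depth: the IAM binding on the pool should still use a principalSet scoped to the repository attribute, but a provider-level condition means a mistakenly broad binding does not turn into access for every repository on the issuer.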

@bryanrcampbell commented Jul 6, 2023

Nice, this looks good to me. Would be really great to get this in soon. In addition to the original issue you mentioned, this will also unlock https://github.com/aquasecurity/defsec/pull/1339/files, which is not allowing the use of imports blocks.

@MartinPetkov (author)

Acknowledged. Let me know if there's anything more I need to do.

@jedrivisser

Also needed for the new "check" blocks

@MartinPetkov (author)

Pinging again, is there anything more needed in order to merge this CL? It's probably stale by now but still.

github-actions bot commented Sep 6, 2023

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 365 days.

github-actions bot added the stale label (Stale issues will be closed within 7 days of this label being assigned), Sep 6, 2023

@HarjulinLuke

Any chance of this being updated, reviewed, and merged? The TFSec sarif tool that we are using in github actions is failing because the import block isn't recognised. The changes have been added to the defsec tool, but the dependency version needs updating here.

github-actions bot removed the stale label, Sep 5, 2024

github-actions bot commented Oct 5, 2024

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 365 days.

github-actions bot added the stale label, Oct 5, 2024

Labels: stale

4 participants