fix(policies): ignore PHI data category group for policies unless hea…

…lth context flag is set (#230)

* feat: consider health context for policy category grouping

* feat: add test cases for health context

integration/flags/.snapshots/TestReportFlags-report-policies

@@ -4,7 +4,6 @@ high:
       line_number: 1
       filename: testdata/policies/users.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 1
       parent_content: logger.info(user.address)

integration/policies/.snapshots/TestPolicesWithHealthContext-logger_leaking

@@ -0,0 +1,15 @@
+high:
+    - policy_name: Logger leaking
+      policy_description: Logger leaks detected. Avoid passing sensitive data to loggers.
+      line_number: 1
+      filename: testdata/ruby/logger_leaking.rb
+      category_groups:
+        - PHI
+        - PII
+      parent_line_number: 1
+      parent_content: logger.info(user.address)
+      omit_parent: false
+
+
+--
+

integration/policies/.snapshots/TestPolicesWithHealthContext-sending_data_in_category_to_third_party

@@ -0,0 +1,46 @@
+high:
+    - policy_name: Third-party data category exposure
+      policy_description: Sending data in category to third party. Ensure data sent to third party is intended and secured.
+      line_number: 12
+      filename: testdata/ruby/sending_data_in_category_to_third_party.rb
+      category_groups:
+        - PHI
+        - PII
+      parent_line_number: 10
+      parent_content: |-
+        Sentry::Breadcrumb.new(
+          category: "auth",
+          message: "Authenticated user #{user.email}",
+          level: "info"
+        )
+      omit_parent: false
+    - policy_name: Third-party data category exposure
+      policy_description: Sending data in category to third party. Ensure data sent to third party is intended and secured.
+      line_number: 18
+      filename: testdata/ruby/sending_data_in_category_to_third_party.rb
+      category_groups:
+        - PHI
+        - PII
+      parent_line_number: 16
+      parent_content: |-
+        Sentry.init do |config|
+          config.before_breadcrumb = lambda do |breadcrumb, hint|
+            breadcrumb.message = "Authenticated user #{current_user.email}"
+            breadcrumb
+          end
+        end
+      omit_parent: false
+    - policy_name: Third-party data category exposure
+      policy_description: Sending data in category to third party. Ensure data sent to third party is intended and secured.
+      line_number: 24
+      filename: testdata/ruby/sending_data_in_category_to_third_party.rb
+      category_groups:
+        - PHI
+        - PII
+      parent_line_number: 24
+      parent_content: 'Sentry.set_user(email: user.email)'
+      omit_parent: false
+
+
+--
+

integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_schema_rb

@@ -4,7 +4,6 @@ high:
       line_number: 3
       filename: testdata/ruby/application_level_encryption_missing/schema_rb/db/schema.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 2
       parent_content: |-
@@ -21,7 +20,6 @@ high:
       line_number: 4
       filename: testdata/ruby/application_level_encryption_missing/schema_rb/db/schema.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 2
       parent_content: |-

integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_structure_sql

@@ -4,7 +4,6 @@ high:
       line_number: 3
       filename: testdata/ruby/application_level_encryption_missing/structure_sql/db/structure.sql
       category_groups:
-        - PHI
         - PII
       parent_line_number: 1
       parent_content: |-

integration/policies/.snapshots/TestPolicies-insecure_communication

@@ -4,7 +4,6 @@ medium:
       line_number: 8
       filename: testdata/ruby/insecure_communication.rb
       category_groups:
-        - PHI
         - PII
       omit_parent: true
 

integration/policies/.snapshots/TestPolicies-insecure_ftp

@@ -26,7 +26,6 @@ medium:
       line_number: 10
       filename: testdata/ruby/insecure_ftp.rb
       category_groups:
-        - PHI
         - PII
         - Sensitive personal data
       parent_line_number: 10
@@ -37,7 +36,6 @@ medium:
       line_number: 17
       filename: testdata/ruby/insecure_ftp.rb
       category_groups:
-        - PHI
         - PII
         - Sensitive personal data
       parent_line_number: 17
@@ -54,7 +52,6 @@ medium:
       line_number: 24
       filename: testdata/ruby/insecure_ftp.rb
       category_groups:
-        - PHI
         - PII
         - Sensitive personal data
       parent_line_number: 24

integration/policies/.snapshots/TestPolicies-insecure_smtp

@@ -4,15 +4,13 @@ medium:
       line_number: 8
       filename: testdata/ruby/insecure_smtp.rb
       category_groups:
-        - PHI
         - PII
       omit_parent: true
     - policy_name: Insecure SMTP
       policy_description: Communication using insecure SMTP in an application processing sensitive data. Verify that SMTP settings use OpenSSL or equivalent.
       line_number: 14
       filename: testdata/ruby/insecure_smtp.rb
       category_groups:
-        - PHI
         - PII
       omit_parent: true
 

integration/policies/.snapshots/TestPolicies-logger_leaking

@@ -4,7 +4,6 @@ high:
       line_number: 1
       filename: testdata/ruby/logger_leaking.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 1
       parent_content: logger.info(user.address)

integration/policies/.snapshots/TestPolicies-sending_data_in_category_to_third_party

@@ -4,7 +4,6 @@ high:
       line_number: 12
       filename: testdata/ruby/sending_data_in_category_to_third_party.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 10
       parent_content: |-
@@ -19,7 +18,6 @@ high:
       line_number: 18
       filename: testdata/ruby/sending_data_in_category_to_third_party.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 16
       parent_content: |-
@@ -35,7 +33,6 @@ high:
       line_number: 24
       filename: testdata/ruby/sending_data_in_category_to_third_party.rb
       category_groups:
-        - PHI
         - PII
       parent_line_number: 24
       parent_content: 'Sentry.set_user(email: user.email)'

integration/policies/policies_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/bearer/curio/integration/internal/testhelper"
 )
 
-func newPolicyTest(name string, testFiles []string) testhelper.TestCase {
+func newPolicyTest(name string, testFiles []string, healthContext bool) testhelper.TestCase {
 	filenames := []string{}
 	for _, testFile := range testFiles {
 		filenames = append(filenames, filepath.Join("testdata", testFile))
@@ -22,21 +22,34 @@ func newPolicyTest(name string, testFiles []string) testhelper.TestCase {
 		"--format=yaml",
 	)
 
+	if healthContext {
+		arguments = append(arguments, "--context=health")
+	}
+
 	options := testhelper.TestCaseOptions{StartWorker: true}
 
 	return testhelper.NewTestCase(name, arguments, options)
 }
 
 func TestPolicies(t *testing.T) {
 	tests := []testhelper.TestCase{
-		newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}),
-		newPolicyTest("http", []string{"ruby/http.rb"}),
-		newPolicyTest("insecure_smtp", []string{"ruby/insecure_smtp.rb"}),
-		newPolicyTest("insecure_communication", []string{"ruby/insecure_communication.rb"}),
-		newPolicyTest("insecure_ftp", []string{"ruby/insecure_ftp.rb"}),
-		newPolicyTest("sending_data_in_category_to_third_party", []string{"ruby/sending_data_in_category_to_third_party.rb"}),
-		newPolicyTest("application_level_encryption_missing_structure_sql", []string{"ruby/application_level_encryption_missing/structure_sql"}),
-		newPolicyTest("application_level_encryption_missing_schema_rb", []string{"ruby/application_level_encryption_missing/schema_rb"}),
+		newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}, false),
+		newPolicyTest("http", []string{"ruby/http.rb"}, false),
+		newPolicyTest("insecure_smtp", []string{"ruby/insecure_smtp.rb"}, false),
+		newPolicyTest("insecure_communication", []string{"ruby/insecure_communication.rb"}, false),
+		newPolicyTest("insecure_ftp", []string{"ruby/insecure_ftp.rb"}, false),
+		newPolicyTest("sending_data_in_category_to_third_party", []string{"ruby/sending_data_in_category_to_third_party.rb"}, false),
+		newPolicyTest("application_level_encryption_missing_structure_sql", []string{"ruby/application_level_encryption_missing/structure_sql"}, false),
+		newPolicyTest("application_level_encryption_missing_schema_rb", []string{"ruby/application_level_encryption_missing/schema_rb"}, false),
+	}
+
+	testhelper.RunTests(t, tests)
+}
+
+func TestPolicesWithHealthContext(t *testing.T) {
+	tests := []testhelper.TestCase{
+		newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}, true),
+		newPolicyTest("sending_data_in_category_to_third_party", []string{"ruby/sending_data_in_category_to_third_party.rb"}, true),
 	}
 
 	testhelper.RunTests(t, tests)

pkg/classification/db/db.go

@@ -7,9 +7,12 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/bearer/curio/pkg/flag"
 	"github.com/tangzero/inflector"
 )
 
+var PHIDataCategoryGroupUUID = "247fa503-115b-490a-96e5-bcd357bd5686"
+
 //go:embed recipes
 var recipesDir embed.FS
 
@@ -123,11 +126,19 @@ type KnownPersonObjectPattern struct {
 }
 
 func Default() DefaultDB {
+	return defaultDB("")
+}
+
+func DefaultWithContext(context flag.Context) DefaultDB {
+	return defaultDB(context)
+}
+
+func defaultDB(context flag.Context) DefaultDB {
 	dataTypes := defaultDataTypes()
 	return DefaultDB{
 		Recipes:                        defaultRecipes(),
 		DataTypes:                      dataTypes,
-		DataCategories:                 defaultDataCategories(),
+		DataCategories:                 defaultDataCategories(context),
 		DataTypeClassificationPatterns: defaultDataTypeClassificationPatterns(dataTypes),
 		KnownPersonObjectPatterns:      defaultKnownPersonObjectPatterns(dataTypes),
 	}
@@ -160,7 +171,12 @@ func defaultRecipes() []Recipe {
 	return recipes
 }
 
-func defaultDataCategories() []DataCategory {
+func defaultDataCategories(context flag.Context) []DataCategory {
+	skipHealthContext := true
+	if context == flag.Health {
+		skipHealthContext = false
+	}
+
 	dataCategories := []DataCategory{}
 
 	categoryGroupingJson, err := categoryGroupingFile.ReadFile("category_grouping.json")
@@ -197,6 +213,9 @@ func defaultDataCategories() []DataCategory {
 		dataCategory.Groups = make(map[string]DataCategoryGroup)
 		categoryFromMapping := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]
 		for _, groupUUID := range categoryFromMapping.GroupUUIDs {
+			if skipHealthContext && groupUUID == PHIDataCategoryGroupUUID {
+				continue // skip health context
+			}
 			group := dataCategoryGrouping.Groups[groupUUID]
 			dataCategory.Groups[groupUUID] = DataCategoryGroup{
 				Name: group.Name,

pkg/report/output/policies/policies.go

@@ -59,7 +59,7 @@ func GetOutput(dataflow *dataflow.DataFlow, config settings.Config) (map[string]
 			PolicyInput{
 				PolicyId:       policy.Id,
 				Dataflow:       dataflow,
-				DataCategories: db.Default().DataCategories,
+				DataCategories: db.DefaultWithContext(config.Scan.Context).DataCategories,
 			},
 			policy.Modules.ToRegoModules())
 		if err != nil {