diff --git a/integration/flags/.snapshots/TestReportFlags-report-policies b/integration/flags/.snapshots/TestReportFlags-report-policies
index 56f952991..4fba2d5c0 100644
--- a/integration/flags/.snapshots/TestReportFlags-report-policies
+++ b/integration/flags/.snapshots/TestReportFlags-report-policies
@@ -4,7 +4,6 @@ high:
 line_number: 1
 filename: testdata/policies/users.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 1
 parent_content: logger.info(user.address)
diff --git a/integration/policies/.snapshots/TestPolicesWithHealthContext-logger_leaking b/integration/policies/.snapshots/TestPolicesWithHealthContext-logger_leaking
new file mode 100644
index 000000000..b688b862a
--- /dev/null
+++ b/integration/policies/.snapshots/TestPolicesWithHealthContext-logger_leaking
@@ -0,0 +1,15 @@
+high:
+ - policy_name: Logger leaking
+ policy_description: Logger leaks detected. Avoid passing sensitive data to loggers.
+ line_number: 1
+ filename: testdata/ruby/logger_leaking.rb
+ category_groups:
+ - PHI
+ - PII
+ parent_line_number: 1
+ parent_content: logger.info(user.address)
+ omit_parent: false
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicesWithHealthContext-sending_data_in_category_to_third_party b/integration/policies/.snapshots/TestPolicesWithHealthContext-sending_data_in_category_to_third_party
new file mode 100644
index 000000000..c2b242a9f
--- /dev/null
+++ b/integration/policies/.snapshots/TestPolicesWithHealthContext-sending_data_in_category_to_third_party
@@ -0,0 +1,46 @@
+high:
+ - policy_name: Third-party data category exposure
+ policy_description: Sending data in category to third party. Ensure data sent to third party is intended and secured.
+ line_number: 12
+ filename: testdata/ruby/sending_data_in_category_to_third_party.rb
+ category_groups:
+ - PHI
+ - PII
+ parent_line_number: 10
+ parent_content: |-
+ Sentry::Breadcrumb.new(
+ category: "auth",
+ message: "Authenticated user #{user.email}",
+ level: "info"
+ )
+ omit_parent: false
+ - policy_name: Third-party data category exposure
+ policy_description: Sending data in category to third party. Ensure data sent to third party is intended and secured.
+ line_number: 18
+ filename: testdata/ruby/sending_data_in_category_to_third_party.rb
+ category_groups:
+ - PHI
+ - PII
+ parent_line_number: 16
+ parent_content: |-
+ Sentry.init do |config|
+ config.before_breadcrumb = lambda do |breadcrumb, hint|
+ breadcrumb.message = "Authenticated user #{current_user.email}"
+ breadcrumb
+ end
+ end
+ omit_parent: false
+ - policy_name: Third-party data category exposure
+ policy_description: Sending data in category to third party. Ensure data sent to third party is intended and secured.
+ line_number: 24
+ filename: testdata/ruby/sending_data_in_category_to_third_party.rb
+ category_groups:
+ - PHI
+ - PII
+ parent_line_number: 24
+ parent_content: 'Sentry.set_user(email: user.email)'
+ omit_parent: false
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_schema_rb b/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_schema_rb
index 24aa5373c..613a04b6f 100644
--- a/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_schema_rb
+++ b/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_schema_rb
@@ -4,7 +4,6 @@ high:
 line_number: 3
 filename: testdata/ruby/application_level_encryption_missing/schema_rb/db/schema.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 2
 parent_content: |-
@@ -21,7 +20,6 @@ high:
 line_number: 4
 filename: testdata/ruby/application_level_encryption_missing/schema_rb/db/schema.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 2
 parent_content: |-
diff --git a/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_structure_sql b/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_structure_sql
index 66e649928..332d319f4 100644
--- a/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_structure_sql
+++ b/integration/policies/.snapshots/TestPolicies-application_level_encryption_missing_structure_sql
@@ -4,7 +4,6 @@ high:
 line_number: 3
 filename: testdata/ruby/application_level_encryption_missing/structure_sql/db/structure.sql
 category_groups:
- - PHI
 - PII
 parent_line_number: 1
 parent_content: |-
diff --git a/integration/policies/.snapshots/TestPolicies-insecure_communication b/integration/policies/.snapshots/TestPolicies-insecure_communication
index 70dfcbc1e..85fa0664c 100644
--- a/integration/policies/.snapshots/TestPolicies-insecure_communication
+++ b/integration/policies/.snapshots/TestPolicies-insecure_communication
@@ -4,7 +4,6 @@ medium:
 line_number: 8
 filename: testdata/ruby/insecure_communication.rb
 category_groups:
- - PHI
 - PII
 omit_parent: true
diff --git a/integration/policies/.snapshots/TestPolicies-insecure_ftp b/integration/policies/.snapshots/TestPolicies-insecure_ftp
index 2f1a22a72..ee952bb79 100644
--- a/integration/policies/.snapshots/TestPolicies-insecure_ftp
+++ b/integration/policies/.snapshots/TestPolicies-insecure_ftp
@@ -26,7 +26,6 @@ medium:
 line_number: 10
 filename: testdata/ruby/insecure_ftp.rb
 category_groups:
- - PHI
 - PII
 - Sensitive personal data
 parent_line_number: 10
@@ -37,7 +36,6 @@ medium:
 line_number: 17
 filename: testdata/ruby/insecure_ftp.rb
 category_groups:
- - PHI
 - PII
 - Sensitive personal data
 parent_line_number: 17
@@ -54,7 +52,6 @@ medium:
 line_number: 24
 filename: testdata/ruby/insecure_ftp.rb
 category_groups:
- - PHI
 - PII
 - Sensitive personal data
 parent_line_number: 24
diff --git a/integration/policies/.snapshots/TestPolicies-insecure_smtp b/integration/policies/.snapshots/TestPolicies-insecure_smtp
index bfdc2c01f..77c3f303d 100644
--- a/integration/policies/.snapshots/TestPolicies-insecure_smtp
+++ b/integration/policies/.snapshots/TestPolicies-insecure_smtp
@@ -4,7 +4,6 @@ medium:
 line_number: 8
 filename: testdata/ruby/insecure_smtp.rb
 category_groups:
- - PHI
 - PII
 omit_parent: true
 - policy_name: Insecure SMTP
@@ -12,7 +11,6 @@ medium:
 line_number: 14
 filename: testdata/ruby/insecure_smtp.rb
 category_groups:
- - PHI
 - PII
 omit_parent: true
diff --git a/integration/policies/.snapshots/TestPolicies-logger_leaking b/integration/policies/.snapshots/TestPolicies-logger_leaking
index b688b862a..c7b11b4be 100644
--- a/integration/policies/.snapshots/TestPolicies-logger_leaking
+++ b/integration/policies/.snapshots/TestPolicies-logger_leaking
@@ -4,7 +4,6 @@ high:
 line_number: 1
 filename: testdata/ruby/logger_leaking.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 1
 parent_content: logger.info(user.address)
diff --git a/integration/policies/.snapshots/TestPolicies-sending_data_in_category_to_third_party b/integration/policies/.snapshots/TestPolicies-sending_data_in_category_to_third_party
index c2b242a9f..0307262be 100644
--- a/integration/policies/.snapshots/TestPolicies-sending_data_in_category_to_third_party
+++ b/integration/policies/.snapshots/TestPolicies-sending_data_in_category_to_third_party
@@ -4,7 +4,6 @@ high:
 line_number: 12
 filename: testdata/ruby/sending_data_in_category_to_third_party.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 10
 parent_content: |-
@@ -19,7 +18,6 @@ high:
 line_number: 18
 filename: testdata/ruby/sending_data_in_category_to_third_party.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 16
 parent_content: |-
@@ -35,7 +33,6 @@ high:
 line_number: 24
 filename: testdata/ruby/sending_data_in_category_to_third_party.rb
 category_groups:
- - PHI
 - PII
 parent_line_number: 24
 parent_content: 'Sentry.set_user(email: user.email)'
diff --git a/integration/policies/policies_test.go b/integration/policies/policies_test.go
index 3c9361144..5425f1aca 100644
--- a/integration/policies/policies_test.go
+++ b/integration/policies/policies_test.go
@@ -7,7 +7,7 @@ import (
 "github.com/bearer/curio/integration/internal/testhelper"
 )

-func newPolicyTest(name string, testFiles []string) testhelper.TestCase {
+func newPolicyTest(name string, testFiles []string, healthContext bool) testhelper.TestCase {
 filenames := []string{}
 for _, testFile := range testFiles {
 filenames = append(filenames, filepath.Join("testdata", testFile))
@@ -22,6 +22,10 @@ func newPolicyTest(name string, testFiles []string) testhelper.TestCase {
 "--format=yaml",
 )

+ if healthContext {
+ arguments = append(arguments, "--context=health")
+ }
+
 options := testhelper.TestCaseOptions{StartWorker: true}
 return testhelper.NewTestCase(name, arguments, options)
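Review bot: `newPolicyTest` now takes a bare `healthContext bool`, so every call site in TestPolicies reads `..., false)` with no hint of what the flag means, and a second scan context would need yet another boolean. A variadic trailer keeps the call sites self-describing: `func newPolicyTest(name string, testFiles []string, extraArgs ...string) testhelper.TestCase` with `arguments = append(arguments, extraArgs...)` in place of the `if healthContext` block, so the health cases pass `"--context=health"` and the existing cases pass nothing. The body of newPolicyTest continues outside the hunk.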
@@ -29,14 +33,23 @@ func newPolicyTest(name string, testFiles []string) testhelper.TestCase {

 func TestPolicies(t *testing.T) {
 tests := []testhelper.TestCase{
- newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}),
- newPolicyTest("http", []string{"ruby/http.rb"}),
- newPolicyTest("insecure_smtp", []string{"ruby/insecure_smtp.rb"}),
- newPolicyTest("insecure_communication", []string{"ruby/insecure_communication.rb"}),
- newPolicyTest("insecure_ftp", []string{"ruby/insecure_ftp.rb"}),
- newPolicyTest("sending_data_in_category_to_third_party", []string{"ruby/sending_data_in_category_to_third_party.rb"}),
- newPolicyTest("application_level_encryption_missing_structure_sql", []string{"ruby/application_level_encryption_missing/structure_sql"}),
- newPolicyTest("application_level_encryption_missing_schema_rb", []string{"ruby/application_level_encryption_missing/schema_rb"}),
+ newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}, false),
+ newPolicyTest("http", []string{"ruby/http.rb"}, false),
+ newPolicyTest("insecure_smtp", []string{"ruby/insecure_smtp.rb"}, false),
+ newPolicyTest("insecure_communication", []string{"ruby/insecure_communication.rb"}, false),
+ newPolicyTest("insecure_ftp", []string{"ruby/insecure_ftp.rb"}, false),
+ newPolicyTest("sending_data_in_category_to_third_party", []string{"ruby/sending_data_in_category_to_third_party.rb"}, false),
+ newPolicyTest("application_level_encryption_missing_structure_sql", []string{"ruby/application_level_encryption_missing/structure_sql"}, false),
+ newPolicyTest("application_level_encryption_missing_schema_rb", []string{"ruby/application_level_encryption_missing/schema_rb"}, false),
+ }
+
+ testhelper.RunTests(t, tests)
+}
+
+func TestPolicesWithHealthContext(t *testing.T) {
+ tests := []testhelper.TestCase{
+ newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}, true),
+ newPolicyTest("sending_data_in_category_to_third_party", []string{"ruby/sending_data_in_category_to_third_party.rb"}, true),
 }

 testhelper.RunTests(t, tests)
diff --git a/pkg/classification/db/db.go b/pkg/classification/db/db.go
index e02c21546..5446deb9d 100644
--- a/pkg/classification/db/db.go
+++ b/pkg/classification/db/db.go
@@ -7,9 +7,12 @@ import (
 "regexp"
 "strings"

+ "github.com/bearer/curio/pkg/flag"
 "github.com/tangzero/inflector"
 )

+var PHIDataCategoryGroupUUID = "247fa503-115b-490a-96e5-bcd357bd5686"
+
 //go:embed recipes
 var recipesDir embed.FS

@@ -123,11 +126,19 @@ type KnownPersonObjectPattern struct {
 }

 func Default() DefaultDB {
+ return defaultDB("")
+}
+
+func DefaultWithContext(context flag.Context) DefaultDB {
+ return defaultDB(context)
+}
+
+func defaultDB(context flag.Context) DefaultDB {
 dataTypes := defaultDataTypes()
 return DefaultDB{
 Recipes: defaultRecipes(),
 DataTypes: dataTypes,
- DataCategories: defaultDataCategories(),
+ DataCategories: defaultDataCategories(context),
 DataTypeClassificationPatterns: defaultDataTypeClassificationPatterns(dataTypes),
 KnownPersonObjectPatterns: defaultKnownPersonObjectPatterns(dataTypes),
 }
@@ -160,7 +171,12 @@ func defaultRecipes() []Recipe {
 return recipes
 }

-func defaultDataCategories() []DataCategory {
+func defaultDataCategories(context flag.Context) []DataCategory {
+ skipHealthContext := true
+ if context == flag.Health {
+ skipHealthContext = false
+ }
+
 dataCategories := []DataCategory{}

 categoryGroupingJson, err := categoryGroupingFile.ReadFile("category_grouping.json")
@@ -197,6 +213,9 @@ func defaultDataCategories() []DataCategory {
 dataCategory.Groups = make(map[string]DataCategoryGroup)
 categoryFromMapping := dataCategoryGrouping.CategoryMapping[dataCategory.UUID]
 for _, groupUUID := range categoryFromMapping.GroupUUIDs {
+ if skipHealthContext && groupUUID == PHIDataCategoryGroupUUID {
+ continue // skip health context
+ }
 group := dataCategoryGrouping.Groups[groupUUID]
 dataCategory.Groups[groupUUID] = DataCategoryGroup{
 Name: group.Name,
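Review bot: The new test function is misspelled `TestPolicesWithHealthContext` (the second `i` of "Policies" is missing), and because the snapshot files are evidently keyed on the test name (`TestPolicies-logger_leaking` for TestPolicies), the typo is baked into both new snapshot paths, `TestPolicesWithHealthContext-logger_leaking` and `TestPolicesWithHealthContext-sending_data_in_category_to_third_party`. Renaming it to `func TestPoliciesWithHealthContext(t *testing.T) {` needs the two snapshot files renamed in the same commit, otherwise the run will most likely write fresh snapshots and leave the misspelled ones orphaned. The closing brace of the new function lies outside the hunk.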
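Review bot: `PHIDataCategoryGroupUUID` in the `@@ -7,9` hunk is an exported package-level `var` that is never reassigned in any of these hunks, so any importer can overwrite it and silently change which category group `defaultDataCategories` filters out; declare it `const PHIDataCategoryGroupUUID = "247fa503-115b-490a-96e5-bcd357bd5686"`. In the `@@ -160,7` hunk the four-line setup reduces to `skipHealthContext := context != flag.Health`, and a parameter named `context` will shadow the standard package if it is ever imported here, so `scanContext` is the safer name. The comment `// skip health context` in the `@@ -197,6` hunk says the opposite of what the branch does — it drops the PHI group when the scan is *not* in the health context — so `// the PHI group is only reported when scanning with --context=health` would be accurate. `Default()` now calls `defaultDB("")` and therefore never includes the PHI group, which existing callers may not expect; a doc comment on `Default` stating this, and a check that `flag.Context` really is a string-based type so `""` is its zero value, would close that gap.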
diff --git a/pkg/report/output/policies/policies.go b/pkg/report/output/policies/policies.go
index f8fa6246e..b78bd0db7 100644
--- a/pkg/report/output/policies/policies.go
+++ b/pkg/report/output/policies/policies.go
@@ -59,7 +59,7 @@ func GetOutput(dataflow *dataflow.DataFlow, config settings.Config) (map[string]
 PolicyInput{
 PolicyId: policy.Id,
 Dataflow: dataflow,
- DataCategories: db.Default().DataCategories,
+ DataCategories: db.DefaultWithContext(config.Scan.Context).DataCategories,
 },
 policy.Modules.ToRegoModules())
 if err != nil {
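Review bot: `db.DefaultWithContext(config.Scan.Context)` builds the whole default DB — recipes, data types, both pattern sets and the embedded category grouping — only to read `.DataCategories`, and if this `PolicyInput` literal sits inside the per-policy loop that `policy.Id` suggests, that rebuild happens once per policy. Hoisting it once before the loop, `dataCategories := db.DefaultWithContext(config.Scan.Context).DataCategories`, and writing `DataCategories: dataCategories,` here keeps the cost to one construction per report. The `db.Default()` call being replaced had the same cost, so this is pre-existing, but the commit touches exactly this line. GetOutput begins outside the hunk.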