Merge pull request #122 from jfrog/GH-120-pilicy-crash
GH-120, GH-121 Actions block is required
danielmkn authored May 31, 2023
2 parents efa3f9a + f287479 commit 7dc193d
Showing 8 changed files with 272 additions and 164 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,14 @@
## 1.14.0 (June 1, 2023). Tested on Artifactory 7.59.9 and Xray 3.74.8

IMPROVEMENTS:

* resource/xray_*_policy: `actions` is a required block now. Also, changed default behavior for `actions` nested boolean attributes to match the Xray UI behavior.
* resource/xray_license_policy: removed license name verification from `banned_licenses` and `allowed_licenses` lists to allow users enter custom licenses, created in their Xray instance. Please note, Xray API doesn't verify if the license (custom or not) exists, so if the user enters a non-existing license name, this policy will be created but won't trigger a violation.

PR: [#122](https://github.com/jfrog/terraform-provider-xray/pull/122)
Issues: [#120](https://github.com/jfrog/terraform-provider-xray/issues/120), [#121](https://github.com/jfrog/terraform-provider-xray/issues/121)


## 1.13.0 (April 19, 2023). Tested on Artifactory 7.55.10 and Xray 3.71.6

IMPROVEMENTS:
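Review bot: both entries under IMPROVEMENTS change behaviour for existing users and need an upgrade note. Making `actions` a required block (the `resource/xray_*_policy` line) breaks every existing configuration that omits it, and changing the defaults of the nested boolean attributes can change what an already-applied policy does on the next plan; say plainly that users must add an `actions` block and re-check the new `false` defaults when upgrading to 1.14.0. For the `xray_license_policy` entry, the consequence deserves a stronger warning than "won't trigger a violation": a misspelled entry in `banned_licenses` now produces a policy that is created successfully and enforces nothing, with no error at plan or apply time, so recommend that users verify each name against the license list of their Xray instance before relying on the policy.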
44 changes: 21 additions & 23 deletions docs/resources/license_policy.md
@@ -115,25 +115,11 @@ resource "xray_license_policy" "banned_licenses" {

Required:

- `actions` (Block Set, Min: 1, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set, Min: 1, Max: 1) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))
- `name` (String) Name of the rule
- `priority` (Number) Integer describing the rule priority. Must be at least 1

Optional:

- `actions` (Block Set, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))

<a id="nestedblock--rule--criteria"></a>
### Nested Schema for `rule.criteria`

Optional:

- `allow_unknown` (Boolean) A violation will be generated for artifacts with unknown licenses (`true` or `false`).
- `allowed_licenses` (Set of String) A list of OSS license names that may be attached to a component.
- `banned_licenses` (Set of String) A list of OSS license names that may not be attached to a component.
- `multi_license_permissive` (Boolean) Do not generate a violation if at least one license is valid in cases whereby multiple licenses were detected on the component


<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

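Review bot: the newly required `actions` line (and the `criteria` line below it) still carry the security-policy wording "once a security policy violation has been triggered" and "The set of security conditions to examine", which is wrong for a license policy; since this file is generated, fix the description strings in the `xray_license_policy` schema so they read "license policy violation" and "license conditions". The same `criteria` description also has the grammatical slip "when an scanned artifact is scanned" (should be "when an artifact is scanned"), repeated in the other policy docs in this commit. Moving the `rule.criteria` nested schema below `rule.actions` is generator ordering and is fine.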
@@ -143,23 +129,35 @@ Required:

Optional:

- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found.
- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration.
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
- `custom_severity` (String) The severity of violation to be triggered if the `criteria` are met.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
- `notify_deployer` (Boolean) Sends an email message to component deployer with details about the generated Violations.
- `notify_watch_recipients` (Boolean) Sends an email message to all configured recipients inside a specific watch with details about the generated Violations.
- `notify_deployer` (Boolean) Sends an email message to component deployer with details about the generated Violations. Default value is `false`.
- `notify_watch_recipients` (Boolean) Sends an email message to all configured recipients inside a specific watch with details about the generated Violations. Default value is `false`.
- `webhooks` (Set of String) A list of Xray-configured webhook URLs to be invoked if a violation is triggered.

<a id="nestedblock--rule--actions--block_download"></a>
### Nested Schema for `rule.actions.block_download`

Required:
Optional:

- `active` (Boolean) Whether or not to block download of artifacts that meet the artifact and severity `filters` for the associated `xray_watch` resource. Default value is `false`.
- `unscanned` (Boolean) Whether or not to block download of artifacts that meet the artifact `filters` for the associated `xray_watch` resource but have not been scanned yet. Can not be set to `true` if attribute `active` is `false`. Default value is `false`.



<a id="nestedblock--rule--criteria"></a>
### Nested Schema for `rule.criteria`

Optional:

- `active` (Boolean) Whether or not to block download of artifacts that meet the artifact and severity `filters` for the associated `xray_watch` resource.
- `unscanned` (Boolean) Whether or not to block download of artifacts that meet the artifact `filters` for the associated `xray_watch` resource but have not been scanned yet.
- `allow_unknown` (Boolean) A violation will be generated for artifacts with unknown licenses (`true` or `false`).
- `allowed_licenses` (Set of String) A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `banned_licenses` (Set of String) A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `multi_license_permissive` (Boolean) Do not generate a violation if at least one license is valid in cases whereby multiple licenses were detected on the component

## Import

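Review bot: the `unscanned` line now states "Can not be set to `true` if attribute `active` is `false`" but does not say whether the provider rejects this at plan time or whether it only fails as an API error at apply; state which, since a plan-time check is what users of a policy-as-code workflow will expect. With every action in this block now documented as defaulting to `false`, including `block_download.active`, a policy whose `actions` block sets nothing explicitly records violations but blocks nothing, fails no build and notifies nobody; add a sentence saying so, because the block being required suggests the opposite. `build_failure_grace_period_in_days` is the only attribute here without a stated default. Typo in the `mails` line: "email addressed" should be "email addresses". For `allowed_licenses`/`banned_licenses`, make the caveat explicit that an unknown name is accepted silently, with no error at plan or apply.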
55 changes: 26 additions & 29 deletions docs/resources/operational_risk_policy.md
@@ -111,13 +111,38 @@ resource "xray_operational_risk_policy" "custom_criteria" {

Required:

- `actions` (Block Set, Min: 1, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set, Min: 1, Max: 1) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))
- `name` (String) Name of the rule
- `priority` (Number) Integer describing the rule priority. Must be at least 1

<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

Required:

- `block_download` (Block Set, Min: 1, Max: 1) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))

Optional:

- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
- `notify_deployer` (Boolean) Sends an email message to component deployer with details about the generated Violations. Default value is `false`.
- `notify_watch_recipients` (Boolean) Sends an email message to all configured recipients inside a specific watch with details about the generated Violations. Default value is `false`.
- `webhooks` (Set of String) A list of Xray-configured webhook URLs to be invoked if a violation is triggered.

<a id="nestedblock--rule--actions--block_download"></a>
### Nested Schema for `rule.actions.block_download`

Optional:

- `actions` (Block Set, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `active` (Boolean) Whether or not to block download of artifacts that meet the artifact and severity `filters` for the associated `xray_watch` resource. Default value is `false`.
- `unscanned` (Boolean) Whether or not to block download of artifacts that meet the artifact `filters` for the associated `xray_watch` resource but have not been scanned yet. Can not be set to `true` if attribute `active` is `false`. Default value is `false`.



<a id="nestedblock--rule--criteria"></a>
### Nested Schema for `rule.criteria`
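Review bot: `block_download` is listed as Required (Min: 1, Max: 1) under `rule.actions`, yet both of its attributes `active` and `unscanned` are now Optional with default `false`, and every other action in the block also defaults to `false`. The minimal configuration that satisfies the schema, `actions { block_download {} }`, therefore passes validation and creates a policy that takes no action at all; the docs should say this explicitly so that the required block is not read as implying enforcement. The `fail_build` line says the option "is only available" with an `xray_watch` of type `builds`; clarify what happens when it is set on a policy attached to a different watch type (ignored, or rejected). Typo in the `mails` line: "email addressed" should be "email addresses".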
@@ -144,34 +169,6 @@ Optional:
- `release_date_greater_than_months` (Number) Release age greater than (in months): 6, 12, 18, 24, 30, or 36
- `risk` (String) Risk severity: low, medium, high



<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

Required:

- `block_download` (Block Set, Min: 1, Max: 1) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))

Optional:

- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
- `notify_deployer` (Boolean) Sends an email message to component deployer with details about the generated Violations.
- `notify_watch_recipients` (Boolean) Sends an email message to all configured recipients inside a specific watch with details about the generated Violations.
- `webhooks` (Set of String) A list of Xray-configured webhook URLs to be invoked if a violation is triggered.

<a id="nestedblock--rule--actions--block_download"></a>
### Nested Schema for `rule.actions.block_download`

Required:

- `active` (Boolean) Whether or not to block download of artifacts that meet the artifact and severity `filters` for the associated `xray_watch` resource.
- `unscanned` (Boolean) Whether or not to block download of artifacts that meet the artifact `filters` for the associated `xray_watch` resource but have not been scanned yet.

## Import

Import is supported using the following syntax:
61 changes: 29 additions & 32 deletions docs/resources/security_policy.md
@@ -145,24 +145,49 @@ resource "xray_security_policy" "malicious_package" {

Required:

- `actions` (Block Set, Min: 1, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set, Min: 1, Max: 1) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))
- `name` (String) Name of the rule
- `priority` (Number) Integer describing the rule priority. Must be at least 1

<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

Required:

- `block_download` (Block Set, Min: 1, Max: 1) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))

Optional:

- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
- `notify_deployer` (Boolean) Sends an email message to component deployer with details about the generated Violations. Default value is `false`.
- `notify_watch_recipients` (Boolean) Sends an email message to all configured recipients inside a specific watch with details about the generated Violations. Default value is `false`.
- `webhooks` (Set of String) A list of Xray-configured webhook URLs to be invoked if a violation is triggered.

<a id="nestedblock--rule--actions--block_download"></a>
### Nested Schema for `rule.actions.block_download`

Optional:

- `actions` (Block Set, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `active` (Boolean) Whether or not to block download of artifacts that meet the artifact and severity `filters` for the associated `xray_watch` resource. Default value is `false`.
- `unscanned` (Boolean) Whether or not to block download of artifacts that meet the artifact `filters` for the associated `xray_watch` resource but have not been scanned yet. Can not be set to `true` if attribute `active` is `false`. Default value is `false`.



<a id="nestedblock--rule--criteria"></a>
### Nested Schema for `rule.criteria`

Optional:

- `cvss_range` (Block List, Max: 1) The CVSS score range to apply to the rule. This is used for a fine-grained control, rather than using the predefined severities. The score range is based on CVSS v3 scoring, and CVSS v2 score is CVSS v3 score is not available. (see [below for nested schema](#nestedblock--rule--criteria--cvss_range))
- `exposures` (Block List, Max: 1) Works only with [JFrog Advanced Security](https://jfrog.com/advanced-security/) license. Creates policy rules for specific exposures. (see [below for nested schema](#nestedblock--rule--criteria--exposures))
- `exposures` (Block List, Max: 1) Works only with JFrog Advanced Security license. Creates policy rules for specific exposures. (see [below for nested schema](#nestedblock--rule--criteria--exposures))
- `fix_version_dependant` (Boolean) Default value is `false`. Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled.
- `malicious_package` (Boolean) Default value is `false`. Generating a violation on a malicious package.
- `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy.
- `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy. Valid values: `All Severities`, `Critical`, `High`, `Medium`, `Low`
- `vulnerability_ids` (Set of String) Creates policy rules for specific vulnerability IDs that you input. You can add multiple vulnerabilities IDs up to 100. CVEs and Xray IDs are supported. Example - CVE-2015-20107, XRAY-2344

<a id="nestedblock--rule--criteria--cvss_range"></a>
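Review bot: the `exposures` description loses its link to https://jfrog.com/advanced-security/ in this hunk; if the link was dropped deliberately, fine, otherwise restore it, as it is the only pointer explaining what the required license is. The added "Valid values" list for `min_severity` is a welcome addition; note that `All Severities` contains a space and must be passed exactly as shown. While this file is being touched, the unchanged `cvss_range` context line reads "CVSS v2 score is CVSS v3 score is not available" and should read "CVSS v2 score if a CVSS v3 score is not available"; the `criteria` line has the same "when an scanned artifact is scanned" slip as the other policy docs, and the `mails` line the same "email addressed" typo. Fix these in the schema description strings so the generator emits the corrected text.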
@@ -181,38 +206,10 @@ Optional:

- `applications` (Boolean) Applications exposures.
- `iac` (Boolean) Iac exposures.
- `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy.
- `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy. Valid values: `All Severities`, `Critical`, `High`, `Medium`, `Low`
- `secrets` (Boolean) Secrets exposures.
- `services` (Boolean) Services exposures.



<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

Required:

- `block_download` (Block Set, Min: 1, Max: 1) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))

Optional:

- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
- `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration.
- `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`.
- `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
- `notify_deployer` (Boolean) Sends an email message to component deployer with details about the generated Violations.
- `notify_watch_recipients` (Boolean) Sends an email message to all configured recipients inside a specific watch with details about the generated Violations.
- `webhooks` (Set of String) A list of Xray-configured webhook URLs to be invoked if a violation is triggered.

<a id="nestedblock--rule--actions--block_download"></a>
### Nested Schema for `rule.actions.block_download`

Required:

- `active` (Boolean) Whether or not to block download of artifacts that meet the artifact and severity `filters` for the associated `xray_watch` resource.
- `unscanned` (Boolean) Whether or not to block download of artifacts that meet the artifact `filters` for the associated `xray_watch` resource but have not been scanned yet.

## Import

Import is supported using the following syntax: