Refactoring to reduce nesting

Threagile · Jun 4, 2024 · c08414b · c08414b
1 parent 87b4108
commit c08414b
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 19 deletions.
diff --git a/pkg/security/risks/builtin/unguarded_direct_datastore_access_rule.go b/pkg/security/risks/builtin/unguarded_direct_datastore_access_rule.go
@@ -46,26 +46,29 @@ func (r *UnguardedDirectDatastoreAccessRule) GenerateRisks(input *types.Model) (
 	risks := make([]*types.Risk, 0)
 	for _, id := range input.SortedTechnicalAssetIDs() {
 		technicalAsset := input.TechnicalAssets[id]
-		if !technicalAsset.OutOfScope && technicalAsset.Type == types.Datastore {
-			for _, incomingAccess := range input.IncomingTechnicalCommunicationLinksMappedByTargetId[technicalAsset.Id] {
-				sourceAsset := input.TechnicalAssets[incomingAccess.SourceId]
-				if technicalAsset.Technologies.GetAttribute(types.IsIdentityStore) && sourceAsset.Technologies.GetAttribute(types.IdentityProvider) {
-					continue
-				}
-
-				acrossTrustBoundaryNetworkOnly := incomingAccess.IsAcrossTrustBoundaryNetworkOnly(input)
-				sharingSameParentTrustBoundary := isSharingSameParentTrustBoundary(input, technicalAsset, sourceAsset)
-
-				if technicalAsset.Confidentiality >= types.Confidential || technicalAsset.Integrity >= types.Critical {
-					if acrossTrustBoundaryNetworkOnly && !fileServerAccessViaFTP(technicalAsset, incomingAccess) &&
-						incomingAccess.Usage != types.DevOps && !sharingSameParentTrustBoundary {
-						highRisk := technicalAsset.Confidentiality == types.StrictlyConfidential ||
-							technicalAsset.Integrity == types.MissionCritical
-						risks = append(risks, r.createRisk(technicalAsset, incomingAccess,
-							input.TechnicalAssets[incomingAccess.SourceId], highRisk))
-					}
-				}
+		if technicalAsset.OutOfScope || technicalAsset.Type != types.Datastore {
+			continue
+		}
+		for _, incomingAccess := range input.IncomingTechnicalCommunicationLinksMappedByTargetId[technicalAsset.Id] {
+			sourceAsset := input.TechnicalAssets[incomingAccess.SourceId]
+			if technicalAsset.Technologies.GetAttribute(types.IsIdentityStore) && sourceAsset.Technologies.GetAttribute(types.IdentityProvider) {
+				continue
+			}
+			if technicalAsset.Confidentiality < types.Confidential && technicalAsset.Integrity < types.Critical {
+				continue
 			}
+			if incomingAccess.Usage == types.DevOps {
+				continue
+			}
+			if !incomingAccess.IsAcrossTrustBoundaryNetworkOnly(input) || fileServerAccessViaFTP(technicalAsset, incomingAccess) ||
+				isSharingSameParentTrustBoundary(input, technicalAsset, sourceAsset) {
+				continue
+			}
+
+			highRisk := technicalAsset.Confidentiality == types.StrictlyConfidential ||
+				technicalAsset.Integrity == types.MissionCritical
+			risks = append(risks, r.createRisk(technicalAsset, incomingAccess,
+				input.TechnicalAssets[incomingAccess.SourceId], highRisk))
 		}
 	}
 	return risks, nil

diff --git a/pkg/security/risks/builtin/unguarded_direct_datastore_access_rule_test.go b/pkg/security/risks/builtin/unguarded_direct_datastore_access_rule_test.go
@@ -409,3 +409,21 @@ func TestIsSharingSameParentTrustBoundaryInDifferentTrustBoundariesExpectFalse(t
 	}
 	assert.False(t, isSharingSameParentTrustBoundary(input, left, right))
 }
+
+func TestIsSharingSameParentTrustBoundarySameTrustBoundariesExpectTrue(t *testing.T) {
+	input := &types.Model{
+		TrustBoundaries: map[string]*types.TrustBoundary{
+			"tb1": {
+				Id:                    "tb1",
+				TechnicalAssetsInside: []string{"ta1", "ta2"},
+			},
+		},
+	}
+	left := &types.TechnicalAsset{
+		Id: "ta1",
+	}
+	right := &types.TechnicalAsset{
+		Id: "ta2",
+	}
+	assert.True(t, isSharingSameParentTrustBoundary(input, left, right))
+}