ADO Debug Variable (#168)

Author: SUSTAPLE117

docs/content/en/rules/debug_enabled.md

@@ -68,8 +68,24 @@ job_name:
     CI_DEBUG_TRACE: "true"
     CI_DEBUG_SERVICES: "true"
 ```
+### Azure DevOps
+
+In the pipeline file, remove the `system.debug` variable in the `variables` definition or set to false.
+
+#### Recommended
+```yaml
+variables:
+  system.debug: 'false' # Or, better, simply omit this variable as they default to `false` anyway.
+```
+
+#### Anti-Pattern
+```yaml
+variables:
+  system.debug: 'true'
+```
 
 ## See Also
  - https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging
  - https://docs.gitlab.com/ee/ci/variables/index.html#enable-debug-logging
  - https://docs.gitlab.com/ee/ci/variables/index.html#mask-a-cicd-variable
+ - https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemdebug

models/azure_pipelines.go

@@ -9,8 +9,9 @@ import (
 type AzurePipeline struct {
 	Path string `json:"path" yaml:"-"`
 
-	Stages []AzureStage `json:"stages"`
-	Pr     AzurePr      `json:"pr"`
+	Stages    []AzureStage      `json:"stages"`
+	Pr        AzurePr           `json:"pr"`
+	Variables map[string]string `json:"variables"`
 }
 
 func (o AzurePipeline) IsValid() bool {

models/azure_pipelines_test.go

@@ -32,6 +32,24 @@ func TestAzurePipeline(t *testing.T) {
 				},
 			},
 		},
+		{
+			input: `variables: {system.debug: true}`,
+			expected: AzurePipeline{
+				Stages: []AzureStage{
+					{
+						Stage: "",
+						Jobs: []AzureJob{
+							{
+								Job: "",
+							},
+						},
+					},
+				},
+				Variables: map[string]string{
+					"system.debug": "true",
+				},
+			},
+		},
 		{
 			input: `stages: [{stage: build, jobs: [{job: test, steps: [bash: asdf]}]}]`,
 			expected: AzurePipeline{

opa/rego/rules/debug_enabled.rego

@@ -86,3 +86,17 @@ results contains poutine.finding(rule, pkg.purl, {
 	var := step.env[_]
 	is_debug_enabled(var)
 }
+
+results contains poutine.finding(rule, pkg.purl, {
+	"path": pipeline.path,
+	"job": "",
+	"step": "1",
+	"details": key,
+	"line": 0,
+}) if {
+	pkg := input.packages[_]
+	pipeline := pkg.azure_pipelines[_]
+	pipeline.variables[key]
+	key == "system.debug"
+	pipeline.variables[key] == "true"
+}

scanner/inventory_test.go

@@ -358,12 +358,23 @@ func TestFindings(t *testing.T) {
 			Purl:   purl,
 			Meta: opa.FindingMeta{
 				Path:    ".azure-pipelines.yml",
-				Line:    11,
+				Line:    14,
 				Job:     "build",
 				Step:    "1",
 				Details: "Sources: Build.SourceBranch",
 			},
 		},
+		{
+			RuleId: "debug_enabled",
+			Purl:   purl,
+			Meta: opa.FindingMeta{
+				Path:    ".azure-pipelines.yml",
+				Line:    0,
+				Job:     "",
+				Step:    "1",
+				Details: "system.debug",
+			},
+		},
 	}
 
 	assert.Equal(t, len(findings), len(results.Findings))

scanner/testdata/.azure-pipelines.yml

@@ -3,6 +3,9 @@ pr:
     include:
       - master
 
+variables:
+  system.debug: 'true'
+
 # implicit stage
 jobs:
 - job: build