feat: support multiple required detections (#1659)

pkg/commands/process/settings/policies/risk_policy.rego

@@ -51,22 +51,33 @@ presence_failures contains detector if {
 # # Build policy failures
 policy_failure contains item if {
 	input.rule.trigger.match_on == "absence"
+
+	count(input.rule.trigger.required_detections) == count({ required_detection |
+		required_detection := input.rule.trigger.required_detections[_]
+		some y in input.dataflow.risks
+		y.detector_id == required_detection
+	})
+
 	some detector in input.dataflow.risks
+	detector.detector_id == input.rule.trigger.required_detections[0]
 
-	detector.detector_id == input.rule.trigger.required_detection
 	some init_location in detector.locations
 
 	x := {other | other := input.dataflow.risks[_]; other.detector_id == input.rule.id}
 	count(x) == 0
-
 	item := data.bearer.common.build_item(init_location)
 }
 
 policy_failure contains item if {
 	input.rule.trigger.match_on == "absence"
-	some detector in input.dataflow.risks
+	count(input.rule.trigger.required_detections) == count({ required_detection |
+		required_detection := input.rule.trigger.required_detections[_]
+		some x in input.dataflow.risks
+		x.detector_id == required_detection
+	})
 
-	detector.detector_id == input.rule.trigger.required_detection
+	some detector in input.dataflow.risks
+	detector.detector_id == input.rule.trigger.required_detections[0]
 
 	some init_location in detector.locations
 	some other_detector in input.dataflow.risks

pkg/commands/process/settings/rules/rules.go

@@ -245,8 +245,11 @@ func BuildRules(
 			if definition.Trigger.DataTypesRequired != nil {
 				ruleTrigger.DataTypesRequired = *definition.Trigger.DataTypesRequired
 			}
+
+			// concat any required detections
+			ruleTrigger.RequiredDetections = definition.Trigger.RequiredDetections
 			if definition.Trigger.RequiredDetection != nil {
-				ruleTrigger.RequiredDetection = definition.Trigger.RequiredDetection
+				ruleTrigger.RequiredDetections = append(ruleTrigger.RequiredDetections, *definition.Trigger.RequiredDetection)
 			}
 		}
 

pkg/commands/process/settings/settings.go

@@ -111,15 +111,16 @@ const (
 )
 
 type RuleTrigger struct {
-	MatchOn           MatchOn `mapstructure:"match_on" json:"match_on" yaml:"match_on"`
-	DataTypesRequired bool    `mapstructure:"data_types_required" json:"data_types_required" yaml:"data_types_required"`
-	RequiredDetection *string `mapstructure:"required_detection" json:"required_detection" yaml:"required_detection"`
+	MatchOn            MatchOn  `mapstructure:"match_on" json:"match_on" yaml:"match_on"`
+	DataTypesRequired  bool     `mapstructure:"data_types_required" json:"data_types_required" yaml:"data_types_required"`
+	RequiredDetections []string `mapstructure:"required_detections" json:"required_detections" yaml:"required_detections"`
 }
 
 type RuleDefinitionTrigger struct {
-	MatchOn           *MatchOn `mapstructure:"match_on" json:"match_on" yaml:"match_on"`
-	RequiredDetection *string  `mapstructure:"required_detection" json:"required_detection" yaml:"required_detection"`
-	DataTypesRequired *bool    `mapstructure:"data_types_required" json:"data_types_required" yaml:"data_types_required"`
+	MatchOn            *MatchOn `mapstructure:"match_on" json:"match_on" yaml:"match_on"`
+	RequiredDetection  *string  `mapstructure:"required_detection" json:"required_detection" yaml:"required_detection"`
+	RequiredDetections []string `mapstructure:"required_detections" json:"required_detections" yaml:"required_detections"`
+	DataTypesRequired  *bool    `mapstructure:"data_types_required" json:"data_types_required" yaml:"data_types_required"`
 }
 
 type RuleMetadata struct {

pkg/scanner/ruleset/ruleset.go

@@ -109,9 +109,7 @@ func getTriggerRuleIDs(languageRules []*settings.Rule) set.Set[string] {
 	triggerRuleIDs := set.New[string]()
 
 	for _, settingsRule := range languageRules {
-		if settingsRule.Trigger.RequiredDetection != nil {
-			triggerRuleIDs.Add(*settingsRule.Trigger.RequiredDetection)
-		}
+		triggerRuleIDs.AddAll(settingsRule.Trigger.RequiredDetections)
 	}
 
 	return triggerRuleIDs