CCE Troubleshooting Guide
This guide documents common issues encountered when using the cce CLI and how to diagnose and resolve them.
Table of Contents
Understanding the Analysis Pipeline
The cce folder scan follows this pipeline:
Source Code → Tree-sitter Parser → AST Traversal → Method Call Extraction → Resource Mapping → Output
Key Components
- Tree-sitter Parser: Parses source code into an Abstract Syntax Tree (AST)
- Language Strategy (
python_strategy.go,go_strategy.go, etc.): Extracts method calls from AST - Resource Mapper (
mapping_definition.go): Maps method calls to cloud provider resources using definition files - Definition Files (
def.yaml, custom YAML files): Define rules for matching method calls to resources
Common Issues
Issue 1: Zero Resources Detected
Symptom: Running cce returns an empty array [] or "cloudProviderCount":0
Example Output:
$ cce -folder /path/to/code -mapper-file def.yaml -language AUTO -filter all -format json -output output.json
[]
Possible Causes:
A. Method Calls Not Being Detected by Tree-sitter
How to Diagnose:
# Run with debug logging to see what method calls are being detected
cce -folder /path/to/code \
-mapper-file def.yaml \
-language AUTO -filter all -format json -output output.json \
--log-level debug 2>&1 | grep "method call"
What to Look For:
- If you see "msg":"method call" entries with your expected function names, the parser IS detecting them
- If you don't see any method call logs, the tree-sitter parser is not finding the calls
Common Root Causes:
1. Language not supported: Check if the file extension is recognized (.py, .go, .js, etc.)
2. Syntax errors: Tree-sitter may skip malformed code
3. Wrong node types: The language strategy may be looking for the wrong AST node types
B. Method Calls Detected But Not Mapped
How to Diagnose:
# Look for mapping errors
cce -folder /path/to/code \
-mapper-file def.yaml \
-language AUTO -filter all -format json -output output.json \
--log-level debug 2>&1 | grep "could not map"
What to Look For:
{
"msg":"could not map the method call",
"methodCall":{"Name":"connect","Arguments":[...]},
"error":"no valid mapped resource found for method call: connect, tried: STS Connect"
}
This means: - ✅ The method call WAS detected - ❌ The resource mapper could NOT match it to a definition rule
Common Root Causes:
-
Rule name mismatch: The
rulefield in your definition doesn't match the method name# ❌ Wrong - rule doesn't match method name - name: "STS Connect" prefix: "connect" rule: "sts_connect" # Method is "connect", not "sts_connect" # ✅ Correct - name: "STS Connect" prefix: "connect" rule: "connect" -
Incorrect
extract_resource_fromlogic: The resource extraction is failing - Missing service name mapping: The extracted resource name doesn't exist in
servicenameMapping
C. Arguments Not Being Extracted Correctly
How to Diagnose:
# Check the Arguments field in method call logs
cce -folder /path/to/code \
-mapper-file def.yaml \
-language AUTO -filter all -format json -output output.json \
--log-level debug 2>&1 | grep -A5 "method call" | grep "Arguments"
What to Look For:
"Arguments":[
{"Name":"account","TypeFunction":"","FullPackage":""},
{"Name":"sns","TypeFunction":"","FullPackage":""},
{"Name":"region=region","TypeFunction":"","FullPackage":""}
]
Expected Behavior:
- For connect(account, 'boto3.ec2.client', region=region), the second argument should be normalized to "ec2"
- For connect(account, 'sns', region=region), the second argument should be "sns"
Common Issues:
1. Quotes not stripped: Argument shows as "'sns'" instead of "sns"
2. Boto3 pattern not normalized: Argument shows as "boto3.ec2.client" instead of "ec2"
3. Wrong argument index: Using first_argument when you need second_argument
Issue 2: Tree-sitter C Dependencies Missing
Symptom: Build fails with errors like:
fatal error: 'tree_sitter/api.h' file not found
fatal error: '../../src/parser.c' file not found
Solution: Build CCE from this repository with CGO enabled (tree-sitter requires a C toolchain), or install via Homebrew:
brew tap stackgenhq/homebrew-stackgen
brew install stackgenhq/homebrew-stackgen/cce
Build from source:
cd /path/to/cce # this repository (github.com/appcd-dev/cce)
CGO_ENABLED=1 go build -mod=mod -o /tmp/cce ./cmd/cce
Verification:
which cce
cce -version
Issue 3: Using an Outdated CCE Binary
Symptom: Analysis doesn't reflect recent code changes or definition updates
How to Diagnose:
ls -la $(which cce)
Solution: Rebuild or upgrade CCE
brew upgrade cce
# or from source:
CGO_ENABLED=1 go build -mod=mod -o $(go env GOPATH)/bin/cce ./cmd/cce
Debugging Workflow
Step 1: Verify CCE Installation
which cce
cce -version
cce -folder . -language AUTO -filter cloud -format json -output /tmp/smoke.json
Step 2: Create a Minimal Test Case
# test_connect.py
from security_monkey.common.sts_connect import connect
def test_function():
# Test simple service name
sns = connect(account, 'sns', region=region)
# Test boto3 format
ec2 = connect(account, 'boto3.ec2.client', region=region)
Step 3: Run Analysis with Debug Logging
cce -folder /path/to/test_connect.py -language AUTO \
-mapper-file /path/to/def.yaml -filter all \
-format json -output /tmp/test_output.json \
-log-level debug 2>&1 | tee /tmp/debug.log
Step 4: Analyze Debug Output
# Check if method calls are being detected
grep "method call" /tmp/debug.log
# Check for mapping errors
grep "could not map" /tmp/debug.log
# Check what rules were tried
grep "tried:" /tmp/debug.log
# Check argument extraction
grep "Arguments" /tmp/debug.log
Step 5: Verify Definition File
# Check your def.yaml structure
definition:
language:
python:
- name: "STS Connect"
prefix: "connect"
rule: "connect" # Must match the actual method name
extract_resource_from: "second_argument" # Extract from 2nd arg
provider: AWS
providers:
AWS:
servicenameMapping:
"sns": "sns"
"ec2": "ec2"
"iam": "iam"
# Add all services you expect to see
Step 6: Test Argument Normalization
The normalizePythonBoto3Argument function in python_strategy.go handles these transformations:
| Input | Output |
|---|---|
'boto3.ec2.client' |
ec2 |
"boto3.s3.resource" |
s3 |
'sns' |
sns |
"iam" |
iam |
Verification:
# Check if normalization is working
cce -folder test.py -mapper-file def.yaml --log-level debug 2>&1 \
| grep -E "Arguments.*Name" \
| jq '.Arguments[1].Name'
Expected: "ec2" (not "boto3.ec2.client")
Tool Chain Setup
Repository Structure
github.com/appcd-dev/cce/ # This repository
├── cmd/cce/ # CLI entrypoint
├── pkg/
│ ├── analyzer/treesitter/ # Method call extraction
│ └── resourcemapper/ # YAML / Grok mapping
└── docs/
├── site/ # User docs (MkDocs → GitHub Pages)
└── troubleshooting_guide.md
Build Process
-
Edit and test in this repo:
cd /path/to/cce CGO_ENABLED=1 go test -mod=mod ./pkg/analyzer/treesitter/... ./pkg/resourcemapper/... -
Rebuild the CLI:
CGO_ENABLED=1 go build -mod=mod -o /tmp/cce ./cmd/cce -
Verify:
/tmp/cce -version /tmp/cce -folder /path/to/code -mapper-file def.yaml -language AUTO -filter all -format json -output out.json
Definition File Locations
- Security Monkey:
/Users/sabithks/src/github.com/Netflix/security_monkey/def.yaml - Prowler:
/Users/sabithks/src/github.com/sks/permissions/docs/example/prowler.yaml - Custom definitions: Can be stored anywhere, referenced via
-mapper-fileflag
Advanced Debugging
Inspecting Tree-sitter AST
To understand what the tree-sitter parser is seeing:
# Install tree-sitter CLI
npm install -g tree-sitter-cli
# Parse a Python file
tree-sitter parse test.py
Look for call nodes in the output - these are what the analyzer detects as method calls.
Checking Resource Mapper Logic
The resource mapper (mapping_definition.go) extracts resources based on extract_resource_from:
// For extract_resource_from: "second_argument"
if langDef.ExtractResourceFrom == "second_argument" && len(args) > 1 {
secondArg := args[1].Name
secondArg = strings.Trim(secondArg, "'\"") // Remove quotes
result.Resource = secondArg
}
Key Points:
1. Argument index is 0-based: second_argument = args[1]
2. Quotes are stripped automatically
3. Boto3 normalization happens in python_strategy.go, NOT in the mapper
Testing Normalization Function
cd /Users/sabithks/src/github.com/sks/permissions
go test ./pkg/analyzer/treesitter -v -run "normalizePythonBoto3Argument"
Expected output:
=== RUN TestPythonTraversalStrategy
=== RUN TestPythonTraversalStrategy/normalizePythonBoto3Argument
✓ boto3.ec2.client with single quotes → ec2
✓ boto3.s3.client with double quotes → s3
✓ simple service name 'sns' → sns
PASS
Quick Reference
Common Commands
# Rebuild cce from source
cd /path/to/cce && CGO_ENABLED=1 go build -mod=mod -o /tmp/cce ./cmd/cce
# Run analysis with debug
cce -folder /path -mapper-file def.yaml -language AUTO -filter all -format json -output out.json --log-level debug
# Check method call detection
cce ... --log-level debug 2>&1 | grep "method call"
# Check mapping errors
cce ... --log-level debug 2>&1 | grep "could not map"
# Run CCE tests
cd /Users/sabithks/src/github.com/sks/permissions
go test ./pkg/analyzer/treesitter -v
go test ./pkg/resourcemapper -v
Definition File Template
definition:
language:
python:
- name: "Descriptive Name"
prefix: "method_prefix"
rule: "exact_method_name" # Must match actual method name
extract_resource_from: "second_argument" # or "first_argument"
provider: AWS
providers:
AWS:
servicenameMapping:
"service_name": "aws_service_name"
Case Study: Security Monkey Analysis
Problem
Running cce on Security Monkey returned zero resources despite many connect() calls in the codebase.
Investigation Steps
-
Verified method call detection:
Result:cce -folder security_monkey --log-level debug 2>&1 | grep "connect"connect()calls WERE being detected ✅ -
Checked mapping errors:
Result:cce --log-level debug 2>&1 | grep "could not map""error":"no valid mapped resource found for method call: connect, tried: STS Connect"❌ -
Examined arguments:
"Arguments":[ {"Name":"account"}, {"Name":"sns"}, // ✅ Correctly normalized from 'sns' {"Name":"region=region"} ] -
Verified definition file:
- ✅
rule: "connect"matches method name - ✅
extract_resource_from: "second_argument"is set - ✅
servicenameMappingincludes"sns": "sns"
Current Status
The investigation revealed that all components are working correctly:
- Tree-sitter is detecting connect() calls
- Arguments are being extracted and normalized
- The definition file is properly configured
Next Step: Investigate why the resource mapper validation is failing despite correct configuration.
Getting Help
If you encounter issues not covered in this guide:
- Check the logs: Always run with
--log-level debug - Create a minimal test case: Isolate the problematic pattern
- Verify the tool chain: Ensure
cceis up-to-date (cce -version) - Review definition files: Double-check YAML syntax and field names
- Run unit tests:
go test ./pkg/... -vto verify core functionality