From 58fdd454247223a59e037828ca2f65c2dd6a779a Mon Sep 17 00:00:00 2001
From: Martin Kemp
Date: Wed, 10 Jul 2019 12:46:51 +0100
Subject: [PATCH] Ability to exclude check from group run

Fixes #351
---
 prowler | 62 ++++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 39 insertions(+), 23 deletions(-)

diff --git a/prowler b/prowler
index c74f2db8..89c7d333 100755
--- a/prowler
+++ b/prowler
@@ -241,11 +241,26 @@ execute_check() {
 # Function to execute all checks in a group
 execute_group() {
-  show_group_title $1
-  # run the checks in the group
+  show_group_title $1
+  # run the checks in the group
   IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$1]}
+
+  # Exclude any checks specified
+  if [[ -n ${2} ]]; then
+    EXCLUDED_CHECKS=()
+    NEW_CHECKS=()
+    IFS=',' read -ra EXCLUDED_CHECKS <<< "${2},"
+    for exc in ${EXCLUDED_CHECKS[@]} ; do
+      for i in ${CHECKS[@]} ; do
+        [[ ${i} != ${exc} ]] && NEW_CHECKS+=(${i})
+      done
+    done
+    CHECKS=("${NEW_CHECKS[@]}")
+    unset NEW_CHECKS
+    unset EXCLUDED_CHECKS
+  fi
   for i in ${CHECKS[@]}; do
-    execute_check $i
+    execute_check ${i}
   done
 }
@@ -257,7 +272,7 @@ execute_group_by_id() {
   fi
   for i in "${!GROUP_ID[@]}"; do
     if [ "${GROUP_ID[$i]}" == "$1" ]; then
-      execute_group $i
+      execute_group ${i} $2
     fi
   done
 }
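Review bot: The exclusion filter added to execute_group does not actually exclude anything once more than one check id is passed: the outer loop runs over EXCLUDED_CHECKS and the inner loop re-appends every check that the current exclusion did not match, so with two exclusion ids NEW_CHECKS ends up holding each kept check once per exclusion and both excluded checks once each (excluded by one pass, re-added by the other). The loops need nesting the other way round, keeping a check only when it matches none of the exclusions. The unquoted `${exc}` on the right of `!=` is also interpreted as a glob pattern inside `[[ ]]`, so quoting both sides makes the comparison literal. The `for i in ${CHECKS[@]}` call loop at the end of the function is unchanged.
```shell
    IFS=',' read -ra EXCLUDED_CHECKS <<< "${2},"
    for i in "${CHECKS[@]}"; do
      local keep=1
      for exc in "${EXCLUDED_CHECKS[@]}"; do
        # quoted so an exclusion id is compared literally, not as a glob pattern
        if [[ "${i}" == "${exc}" ]]; then
          keep=0
          break
        fi
      done
      if (( keep )); then
        NEW_CHECKS+=("${i}")
      fi
    done
    # … unchanged: CHECKS=("${NEW_CHECKS[@]}"), unset, fi and the execute_check loop …
```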
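Review bot: execute_group_by_id forwards the new second argument as a bare `$2`, so an exclusion list containing whitespace would be word-split into several positional parameters before execute_group reads `${2}`; `execute_group "${i}" "${2}"` passes it through as one argument. The function's header comment sits above this hunk and does not mention the new optional parameter; a line such as `# $2: optional comma-separated list of check ids to skip (passed to execute_group)` would document the contract for callers.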
@@ -350,14 +365,31 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami
+# Execute group of checks if called with -g
+if [[ $GROUP_ID_READ ]];then
+  if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then
+    if [[ $MODE == "csv" ]]; then
+      BANNER=0
+    fi
+    execute_group_by_id ${GROUP_ID_READ} ${EXCLUDE_CHECK_ID}
+    cleanTemp
+    scoring
+    exit $EXITCODE
+  else
+    textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
+    show_all_group_titles
+    exit $EXITCODE
+  fi
+fi
+
 # Get a list of total checks excluding a list provided by the user and overwrite CHECK_ID with the result
 # if the list provided by the user contains an invalid check, this will be discarded.
 # if the list provided by the user contains just one argument and is invalid, then it will be discarded and all tests will be executed
-if [[ $EXCLUDE_CHECK_ID ]];then
-  get_all_checks_without_exclusion $EXCLUDE_CHECK_ID
+if [[ ${EXCLUDE_CHECK_ID} ]];then
+  get_all_checks_without_exclusion ${EXCLUDE_CHECK_ID}
   function join { local IFS="$1"; shift; echo "$*"; }
   CHECKS_EXCLUDED=$(join , "${CHECKS_EXCLUDED[@]}")
-  CHECK_ID=$CHECKS_EXCLUDED
+  CHECK_ID=${CHECKS_EXCLUDED}
 fi
 # Execute single check if called with -c
@@ -370,22 +402,6 @@ if [[ $CHECK_ID ]];then
   exit $EXITCODE
 fi
-# Execute group of checks if called with -g
-if [[ $GROUP_ID_READ ]];then
-  if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then
-    if [[ $MODE == "csv" ]]; then
-      BANNER=0
-    fi
-    execute_group_by_id $GROUP_ID_READ
-    cleanTemp
-    scoring
-    exit $EXITCODE
-  else
-    textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
-    show_all_group_titles
-    exit $EXITCODE
-  fi
-fi
 execute_all
 scoring
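Review bot: Moving the `-g` block above the exclusion handling and the `-c` block changes which option wins when both are given: in the old order the single-check path ran and exited before the group block was reached, in the new order the group runs and exits first. If that precedence change is intended it should be stated in the commit message; if not, the block could stay in its old position and only pick up `${EXCLUDE_CHECK_ID}` there. On this path the raw exclusion list is also no longer run through get_all_checks_without_exclusion before use, so ids that do not belong to the group are simply never matched; a comment such as `# exclusions are matched literally against the group's check ids; ids not in the group have no effect` above the execute_group_by_id call would make that explicit.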