docs(queries): update queries catalog

Checkmarx · Aug 10, 2023 · 0cbfd5d · 0cbfd5d
1 parent b645681
commit 0cbfd5d
Show file tree

Hide file tree

Showing 19 changed files with 2,985 additions and 2,416 deletions.
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
diff --git a/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md b/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md
@@ -1,5 +1,5 @@
 ---
-title: DB Instance Publicly Accessible
+title: RDS DB Instance Publicly Accessible
 hide:
   toc: true
   navigation: true
@@ -16,11 +16,11 @@ hide:
 </style>
 
 -   **Query id:** c09e3ca5-f08a-4717-9c87-3919c5e6d209
--   **Query name:** DB Instance Publicly Accessible
+-   **Query name:** RDS DB Instance Publicly Accessible
 -   **Platform:** Ansible
 -   **Severity:** <span style="color:#C00">High</span>
 -   **Category:** Insecure Configurations
--   **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_instance_publicly_accessible)
+-   **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/rds_db_instance_publicly_accessible)
 
 ### Description
 RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').<br>

diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
diff --git a/docs/queries/cloudformation-queries/aws/1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md b/docs/queries/cloudformation-queries/aws/1bf3b3d4-f373-4d7c-afbb-7d85948a67a5.md
@@ -0,0 +1,215 @@
+---
+title: DocDB Logging Is Disabled
+hide:
+  toc: true
+  navigation: true
+---
+
+<style>
+  .highlight .hll {
+    background-color: #ff171742;
+  }
+  .md-content {
+    max-width: 1100px;
+    margin: 0 auto;
+  }
+</style>
+
+-   **Query id:** 1bf3b3d4-f373-4d7c-afbb-7d85948a67a5
+-   **Query name:** DocDB Logging Is Disabled
+-   **Platform:** CloudFormation
+-   **Severity:** <span style="color:#CC0">Low</span>
+-   **Category:** Observability
+-   **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/docdb_logging_disabled)
+
+### Description
+DocDB logging should be enabled<br>
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="6"
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "MyDocDBCluster": {
+      "Type": "AWS::DocDB::DBCluster",
+      "Properties": {
+        "AvailabilityZones": ["us-east-1a", "us-east-1b"],
+        "BackupRetentionPeriod": 30,
+        "CopyTagsToSnapshot": true,
+        "DBClusterIdentifier": "my-docdb-cluster",
+        "DBClusterParameterGroupName": "default.docdb3.6",
+        "DBSubnetGroupName": "my-docdb-subnet-group",
+        "DeletionProtection": false,
+        "EngineVersion": "3.6.0",
+        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+        "MasterUsername": "mydocdbuser",
+        "MasterUserPassword": "mysecretpassword123",
+        "Port": 27017,
+        "PreferredBackupWindow": "07:00-09:00",
+        "PreferredMaintenanceWindow": "sun:05:00-sun:06:00",
+        "StorageEncrypted": true,
+        "Tags": [
+          {
+            "Key": "Name",
+            "Value": "MyDocDBCluster"
+          }
+        ],
+        "UseLatestRestorableTime": true,
+        "VpcSecurityGroupIds": ["sg-0123456789abcdef0", "sg-abcdef01234567890"]
+      }
+    }
+  }
+}
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="15"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      AvailabilityZones:
+        - us-east-1a
+        - us-east-1b
+      BackupRetentionPeriod: 30
+      CopyTagsToSnapshot: true
+      DBClusterIdentifier: my-docdb-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+      DBSubnetGroupName: my-docdb-subnet-group
+      DeletionProtection: false
+      EnableCloudwatchLogsExports: []
+      EngineVersion: "3.6.0"
+      KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+      MasterUsername: mydocdbuser
+      MasterUserPassword: mysecretpassword123
+      Port: 27017
+      PreferredBackupWindow: "07:00-09:00"
+      PreferredMaintenanceWindow: "sun:05:00-sun:06:00"
+      StorageEncrypted: true
+      Tags:
+        - Key: Name
+          Value: MyDocDBCluster
+      UseLatestRestorableTime: true
+      VpcSecurityGroupIds:
+        - sg-0123456789abcdef0
+        - sg-abcdef01234567890
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="15"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      AvailabilityZones:
+        - us-east-1a
+        - us-east-1b
+      BackupRetentionPeriod: 30
+      CopyTagsToSnapshot: true
+      DBClusterIdentifier: my-docdb-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+      DBSubnetGroupName: my-docdb-subnet-group
+      DeletionProtection: false
+      EnableCloudwatchLogsExports:
+        - error
+        - general
+        - profiler
+      EngineVersion: "3.6.0"
+      KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+      MasterUsername: mydocdbuser
+      MasterUserPassword: mysecretpassword123
+      Port: 27017
+      PreferredBackupWindow: "07:00-09:00"
+      PreferredMaintenanceWindow: "sun:05:00-sun:06:00"
+      StorageEncrypted: true
+      Tags:
+        - Key: Name
+          Value: MyDocDBCluster
+      UseLatestRestorableTime: true
+      VpcSecurityGroupIds:
+        - sg-0123456789abcdef0
+        - sg-abcdef01234567890
+
+```
+<details><summary>Postitive test num. 4 - json file</summary>
+
+```json hl_lines="14"
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "MyDocDBCluster": {
+      "Type": "AWS::DocDB::DBCluster",
+      "Properties": {
+        "AvailabilityZones": ["us-east-1a", "us-east-1b"],
+        "BackupRetentionPeriod": 30,
+        "CopyTagsToSnapshot": true,
+        "DBClusterIdentifier": "my-docdb-cluster",
+        "DBClusterParameterGroupName": "default.docdb3.6",
+        "DBSubnetGroupName": "my-docdb-subnet-group",
+        "DeletionProtection": false,
+        "EnableCloudwatchLogsExports": ["error", "general", "audit"],
+        "EngineVersion": "3.6.0",
+        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+        "MasterUsername": "mydocdbuser",
+        "MasterUserPassword": "mysecretpassword123",
+        "Port": 27017,
+        "PreferredBackupWindow": "07:00-09:00",
+        "PreferredMaintenanceWindow": "sun:05:00-sun:06:00",
+        "StorageEncrypted": true,
+        "Tags": [
+          {
+            "Key": "Name",
+            "Value": "MyDocDBCluster"
+          }
+        ],
+        "UseLatestRestorableTime": true,
+        "VpcSecurityGroupIds": ["sg-0123456789abcdef0", "sg-abcdef01234567890"]
+      }
+    }
+  }
+}
+
+```
+</details>
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      AvailabilityZones:
+        - us-east-1a
+        - us-east-1b
+      BackupRetentionPeriod: 30
+      CopyTagsToSnapshot: true
+      DBClusterIdentifier: my-docdb-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+      DBSubnetGroupName: my-docdb-subnet-group
+      DeletionProtection: false
+      EnableCloudwatchLogsExports:
+        - error
+        - general
+        - profiler
+        - audit
+      EngineVersion: "3.6.0"
+      KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+      MasterUsername: mydocdbuser
+      MasterUserPassword: mysecretpassword123
+      Port: 27017
+      PreferredBackupWindow: "07:00-09:00"
+      PreferredMaintenanceWindow: "sun:05:00-sun:06:00"
+      StorageEncrypted: true
+      Tags:
+        - Key: Name
+          Value: MyDocDBCluster
+      UseLatestRestorableTime: true
+      VpcSecurityGroupIds:
+        - sg-0123456789abcdef0
+        - sg-abcdef01234567890
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md
@@ -167,3 +167,18 @@ Resources:
 }
 
 ```
+```yaml title="Negative test num. 3 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  InstanceSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+        GroupDescription: Allow http to client host
+        VpcId:
+          Ref: myVPC
+        SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: 11.22.33.44/32
+```