Merge branch 'master' into kics-782-aws-pulumi

Checkmarx · Aug 10, 2023 · 35c3cee · 35c3cee
2 parents 6244d79 + b645681
commit 35c3cee
Show file tree

Hide file tree

Showing 49 changed files with 1,196 additions and 53 deletions.
diff --git a/.github/workflows/validate-cfn-samples.yml b/.github/workflows/validate-cfn-samples.yml
@@ -19,7 +19,7 @@ jobs:
           python-version: '3.x'
       - name: Get commit changed files
         if: github.event_name != 'workflow_dispatch'
-        uses: lots0logs/gh-action-get-changed-files@2.1.4
+        uses: lots0logs/gh-action-get-changed-files@2.2.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Get cfn-python-lint

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20.6-alpine as build_env
+FROM golang:1.20.7-alpine as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app

diff --git a/README.md b/README.md
@@ -3,7 +3,8 @@
 [![Queries](https://raw.githubusercontent.com/Checkmarx/kics/gh-pages/queries.svg)](https://docs.kics.io/develop/queries/all-queries/)
 [![Docker Pulls](https://img.shields.io/docker/pulls/checkmarx/kics)](https://hub.docker.com/r/checkmarx/kics)
 [![Documentation](https://img.shields.io/badge/docs-viewdocs-blue.svg?style=flat-square "Viewdocs")](https://docs.kics.io/)
-[![GitHub Discussions](https://img.shields.io/badge/chat-discussions-blue.svg?style=flat-square)](https://github.com/Checkmarx/kics/discussions)
+[![GitHub Discussions](https://img.shields.io/badge/chat-discussions-blue.svg?logo=github&style=flat-square)](https://github.com/Checkmarx/kics/discussions)
+[![Discord Server](https://img.shields.io/discord/1116626376674521169?logo=discord&style=flat-square)](https://discord.gg/nzryxFup6Z)
 
 [![checkmarx](https://img.shields.io/endpoint?url=https://pgp36n22ol.execute-api.eu-west-1.amazonaws.com/dev/cxflowcache-results?style=plastic&logoWidth=20&logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAACXBIWXMAAA7EAAAOxAGVKw4bAAADbklEQVRYhc2XTWidRRSGn3MJl1AkZFFcFCkFIYKCYMEgIhZEMtNS2kHBvxYbl1kUIqELQXHhQigtCK266EIoSt0YplbsTJGqaFFahC6yiiJFUIJ2IUGClJLj4vvu/X7uTC7cJOoLH5eZM3Ped37OOXPhP4akOl20XeAQsB+YAsZH9H8HuAVcAxa9CStDBbhgDyKcAfaMSJoVo8pZEd7wJqwNCHDRdlSZF+H0FhO3cR3FeBv+BOjUDM8InEZhm79pFT5w0Xb6Aly0Eyjvb+OqGxBVBzwJMAaA8jLCTrQ3olRbHNBv5TcKxoCH6e10z6cKKMeAr8ZKwsN94r5MABaAd7wJ6yMKwEU7A8SG/+J3Gqo78GBi7tXNkpf4giIUG1CYBOiUl2FHYuLNLSAH1SnQXQnDbYBOlkTZNHmRU+QbkG7bJsi3UF3CQbRS1OFoxwSeRplEuOpN+D1LHO048DbKfNJ3gXPQzANZuGh3CHyNchm4gPKji/axzNgp4BrKfN6jnvU23KwJSMhsds2iPF5rT6jqJy7ae2vEHRftUVR/QNm7wXoCIid6jTIMhYEc0BRzf/9ISpuI7EK54KI1qoyrckZgdsBXfTHCe8Cr3oQ7PdfVEQjNOG3mhC8z454CzolwQ4TZDeavIjwPHK+TVzswHJ+jfIhwNGGbHTL3e+CIN+HnlDF/B2rwJqwjzAFLw5RW0HXgJLAvRw79HUi8S1qavAl/uWifBb0BMjGEfQXkmDfhSr2zLHr3ACveFvknH4YJTd6EZUVe2ZBauQI8UicvI+Qt4A+EXxH9zkV7XyUgVbczuGjCIsqpxJy7wAmE/Ymn1wzK6yjdYqxMA+9C/wiq2ltbSR7Cayi7FZ4rZulPKnLkognXM7uyL9H3BPR2QGSwFEv+eLwJdxFeFOEBhEcReShLXvjrtkoxSFEIe2G4BkzWRWjxGs6iLGLLG42p+5ImOcCaN2G9J2AJaJRMgQMu2peAj0cty2WpfwE4kDAvQZWILgEzrQEd4CNgwUXzS/OM2ncm294N2bpwqS7gvMKbAjsTA/eCtJy0Y3RYuwlVbotwHspL6E1YFWXuX3iSg4LAnDdhtS+gFL2oxSN0eyEsICxWzRZctAfL0rpnK3kVbolw3JvwWVNPAi7aLsohZNN/Tv8GllEuI3zaLsX/C/wDM7pjD59N2pkAAAAASUVORK5CYII=)](https://sast.checkmarx.net/cxwebclient/portal#/projectState/702/Summary)
 [![Codacy Badge](https://app.codacy.com/project/badge/Grade/ceddb5b1b37d4edfa56440842c6248a4)](https://www.codacy.com/gh/Checkmarx/kics/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=Checkmarx/kics&amp;utm_campaign=Badge_Grade)

diff --git a/...ts/queries/ansible/aws/db_instance_publicly_accessible/test/positive_expected_result.json b/...ts/queries/ansible/aws/db_instance_publicly_accessible/test/positive_expected_result.json
diff --git a/...nstance_publicly_accessible/metadata.json → ...nstance_publicly_accessible/metadata.json b/...nstance_publicly_accessible/metadata.json → ...nstance_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "c09e3ca5-f08a-4717-9c87-3919c5e6d209",
-  "queryName": "DB Instance Publicly Accessible",
+  "queryName": "RDS DB Instance Publicly Accessible",
   "severity": "HIGH",
   "category": "Insecure Configurations",
   "descriptionText": "RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').",

diff --git a/...b_instance_publicly_accessible/query.rego → ...b_instance_publicly_accessible/query.rego b/...b_instance_publicly_accessible/query.rego → ...b_instance_publicly_accessible/query.rego
diff --git a/...ce_publicly_accessible/test/negative.yaml → ...ce_publicly_accessible/test/negative.yaml b/...ce_publicly_accessible/test/negative.yaml → ...ce_publicly_accessible/test/negative.yaml
diff --git a/...ce_publicly_accessible/test/positive.yaml → ...ce_publicly_accessible/test/positive.yaml b/...ce_publicly_accessible/test/positive.yaml → ...ce_publicly_accessible/test/positive.yaml
diff --git a/...ueries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/...ueries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+  {
+    "queryName": "RDS DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "line": 12
+  },
+  {
+    "queryName": "RDS DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "line": 22
+  }
+]
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "1bf3b3d4-f373-4d7c-afbb-7d85948a67a5",
+  "queryName": "DocDB Logging Is Disabled",
+  "severity": "LOW",
+  "category": "Observability",
+  "descriptionText": "DocDB logging should be enabled",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports",
+  "platform": "CloudFormation",
+  "descriptionID": "4818ceaf",
+  "cloudProvider": "aws"
+}
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego
@@ -0,0 +1,52 @@
+package Cx
+
+import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
+
+validTypes := {"profiler", "audit"}
+
+validTypeConcat := concat(", ", validTypes)
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DocDB::DBCluster"
+	properties := resource.Properties
+
+	not common_lib.valid_key(properties, "EnableCloudwatchLogsExports")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "AWS::DocDB::DBCluster",
+		"resourceName": key,
+		"searchKey": sprintf("Resources.%s.Properties", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties"], []),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should be defined",
+		"keyActualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined",
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DocDB::DBCluster"
+	properties := resource.Properties
+	logs := properties.EnableCloudwatchLogsExports
+
+	logsSet := {log | log := logs[_]}
+	missingTypes := validTypes - logsSet
+
+	count(missingTypes) > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "AWS::DocDB::DBCluster",
+		"resourceName": key,
+		"searchKey": sprintf("Resources.%s.Properties.EnableCloudwatchLogsExports", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "EnableCloudwatchLogsExports"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: %s", [validTypeConcat]),
+		"keyActualValue": sprintf("AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: %s", [concat(", ", missingTypes)]),
+	}
+}
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/negative1.yaml b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/negative1.yaml
@@ -0,0 +1,34 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      AvailabilityZones:
+        - us-east-1a
+        - us-east-1b
+      BackupRetentionPeriod: 30
+      CopyTagsToSnapshot: true
+      DBClusterIdentifier: my-docdb-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+      DBSubnetGroupName: my-docdb-subnet-group
+      DeletionProtection: false
+      EnableCloudwatchLogsExports:
+        - error
+        - general
+        - profiler
+        - audit
+      EngineVersion: "3.6.0"
+      KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+      MasterUsername: mydocdbuser
+      MasterUserPassword: mysecretpassword123
+      Port: 27017
+      PreferredBackupWindow: "07:00-09:00"
+      PreferredMaintenanceWindow: "sun:05:00-sun:06:00"
+      StorageEncrypted: true
+      Tags:
+        - Key: Name
+          Value: MyDocDBCluster
+      UseLatestRestorableTime: true
+      VpcSecurityGroupIds:
+        - sg-0123456789abcdef0
+        - sg-abcdef01234567890
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive1.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive1.json
@@ -0,0 +1,33 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "MyDocDBCluster": {
+      "Type": "AWS::DocDB::DBCluster",
+      "Properties": {
+        "AvailabilityZones": ["us-east-1a", "us-east-1b"],
+        "BackupRetentionPeriod": 30,
+        "CopyTagsToSnapshot": true,
+        "DBClusterIdentifier": "my-docdb-cluster",
+        "DBClusterParameterGroupName": "default.docdb3.6",
+        "DBSubnetGroupName": "my-docdb-subnet-group",
+        "DeletionProtection": false,
+        "EngineVersion": "3.6.0",
+        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+        "MasterUsername": "mydocdbuser",
+        "MasterUserPassword": "mysecretpassword123",
+        "Port": 27017,
+        "PreferredBackupWindow": "07:00-09:00",
+        "PreferredMaintenanceWindow": "sun:05:00-sun:06:00",
+        "StorageEncrypted": true,
+        "Tags": [
+          {
+            "Key": "Name",
+            "Value": "MyDocDBCluster"
+          }
+        ],
+        "UseLatestRestorableTime": true,
+        "VpcSecurityGroupIds": ["sg-0123456789abcdef0", "sg-abcdef01234567890"]
+      }
+    }
+  }
+}
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive2.yaml b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive2.yaml
@@ -0,0 +1,30 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      AvailabilityZones:
+        - us-east-1a
+        - us-east-1b
+      BackupRetentionPeriod: 30
+      CopyTagsToSnapshot: true
+      DBClusterIdentifier: my-docdb-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+      DBSubnetGroupName: my-docdb-subnet-group
+      DeletionProtection: false
+      EnableCloudwatchLogsExports: []
+      EngineVersion: "3.6.0"
+      KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+      MasterUsername: mydocdbuser
+      MasterUserPassword: mysecretpassword123
+      Port: 27017
+      PreferredBackupWindow: "07:00-09:00"
+      PreferredMaintenanceWindow: "sun:05:00-sun:06:00"
+      StorageEncrypted: true
+      Tags:
+        - Key: Name
+          Value: MyDocDBCluster
+      UseLatestRestorableTime: true
+      VpcSecurityGroupIds:
+        - sg-0123456789abcdef0
+        - sg-abcdef01234567890
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive3.yaml b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive3.yaml
@@ -0,0 +1,33 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      AvailabilityZones:
+        - us-east-1a
+        - us-east-1b
+      BackupRetentionPeriod: 30
+      CopyTagsToSnapshot: true
+      DBClusterIdentifier: my-docdb-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+      DBSubnetGroupName: my-docdb-subnet-group
+      DeletionProtection: false
+      EnableCloudwatchLogsExports:
+        - error
+        - general
+        - profiler
+      EngineVersion: "3.6.0"
+      KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+      MasterUsername: mydocdbuser
+      MasterUserPassword: mysecretpassword123
+      Port: 27017
+      PreferredBackupWindow: "07:00-09:00"
+      PreferredMaintenanceWindow: "sun:05:00-sun:06:00"
+      StorageEncrypted: true
+      Tags:
+        - Key: Name
+          Value: MyDocDBCluster
+      UseLatestRestorableTime: true
+      VpcSecurityGroupIds:
+        - sg-0123456789abcdef0
+        - sg-abcdef01234567890
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive4.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive4.json
@@ -0,0 +1,34 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "MyDocDBCluster": {
+      "Type": "AWS::DocDB::DBCluster",
+      "Properties": {
+        "AvailabilityZones": ["us-east-1a", "us-east-1b"],
+        "BackupRetentionPeriod": 30,
+        "CopyTagsToSnapshot": true,
+        "DBClusterIdentifier": "my-docdb-cluster",
+        "DBClusterParameterGroupName": "default.docdb3.6",
+        "DBSubnetGroupName": "my-docdb-subnet-group",
+        "DeletionProtection": false,
+        "EnableCloudwatchLogsExports": ["error", "general", "audit"],
+        "EngineVersion": "3.6.0",
+        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+        "MasterUsername": "mydocdbuser",
+        "MasterUserPassword": "mysecretpassword123",
+        "Port": 27017,
+        "PreferredBackupWindow": "07:00-09:00",
+        "PreferredMaintenanceWindow": "sun:05:00-sun:06:00",
+        "StorageEncrypted": true,
+        "Tags": [
+          {
+            "Key": "Name",
+            "Value": "MyDocDBCluster"
+          }
+        ],
+        "UseLatestRestorableTime": true,
+        "VpcSecurityGroupIds": ["sg-0123456789abcdef0", "sg-abcdef01234567890"]
+      }
+    }
+  }
+}
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json
@@ -0,0 +1,26 @@
+[
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 6,
+    "filename": "positive1.json"
+  },
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 15,
+    "filename": "positive2.yaml"
+  },
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 15,
+    "filename": "positive3.yaml"
+  },
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 14,
+    "filename": "positive4.json"
+  }
+]
diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json b/assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "e6cd49ba-77ed-417f-9bca-4f5303554308",
+  "queryName": "DocDB Logging Is Disabled",
+  "severity": "LOW",
+  "category": "Observability",
+  "descriptionText": "DocDB logging should be enabled",
+  "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/v1alpha1@v0.21.1#status-atProvider-enabledCloudwatchLogsExports",
+  "platform": "Crossplane",
+  "descriptionID": "60b6794e",
+  "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/query.rego b/assets/queries/crossplane/aws/docdb_logging_disabled/query.rego
@@ -0,0 +1,55 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+validTypes := {"profiler", "audit"}
+
+validTypeConcat := concat(", ", validTypes)
+
+CxPolicy[result] {
+	docs := input.document[i]
+	[path, resource] := walk(docs)
+	resource.kind == "DBCluster"
+	spec = resource.spec
+
+	not common_lib.valid_key(spec.forProvider, "enableCloudwatchLogsExports")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "DBCluster",
+		"resourceName": resource.metadata.name,
+		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+		"searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "DBCluster.enableCloudwatchLogsExports should be defined",
+		"keyActualValue": "DBCluster.enableCloudwatchLogsExports is undefined",
+	}
+}
+
+
+CxPolicy[result] {
+	docs := input.document[i]
+	[path, resource] := walk(docs)
+	resource.kind == "DBCluster"
+
+	spec := resource.spec
+	provider := spec.forProvider
+	logs := provider.enableCloudwatchLogsExports
+
+	logsSet := {log | log := logs[_]}
+	missingTypes := validTypes - logsSet
+
+	count(missingTypes) > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "DBCluster",
+		"resourceName": resource.metadata.name,
+		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.enableCloudwatchLogsExports", [cp_lib.getPath(path), resource.metadata.name]),
+		"searchLine": common_lib.build_search_line(path, ["spec", "forProvider","enableCloudwatchLogsExports"]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("DBCluster.enableCloudwatchLogsExports should have all following values: %s", [validTypeConcat]),
+		"keyActualValue": sprintf("DBCluster.enableCloudwatchLogsExports has the following missing values: %s", [concat(", ", missingTypes)]),
+	}
+}