Merge branch 'master' into AST-45283-Terraform
ArturRibeiro-CX authored Aug 16, 2024
2 parents cea5b8c + d51ee51 commit 35e3112
Showing 1,874 changed files with 2,728 additions and 1,015 deletions.
Expand Up @@ -181,12 +181,20 @@ def generate_md_docs(queries_database : str, output_path : str, template_file_pa
doc_template = f.read()

for key, query_data in queries_database.items():
cwe = query_data.get('cwe', '')
if cwe == '':
cwe = 'Ongoing'
else:
cwe_url = f'https://cwe.mitre.org/data/definitions/{cwe}.html'
cwe = f'<a href="{cwe_url}" onclick="newWindowOpenerSafe(event, \'{cwe_url}\')">{cwe}</a>'

query_doc = doc_template
query_doc = doc_template.replace('<QUERY_ID>', key).replace(
'<QUERY_NAME>', query_data.get('queryName')).replace(
'<PLATFORM>', query_data.get('platform')).replace(
'<SEVERITY>', format_severity(query_data.get('severity'))).replace(
'<CATEGORY>', query_data.get('category')).replace(
'<CWE>', cwe).replace(
'<GITHUB_URL>', query_data.get('githubUrl')).replace(
'<DESCRIPTION_TEXT>', query_data.get('descriptionText')).replace(
'<DESCRIPTION_URL>', query_data.get('descriptionUrl')).replace(
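Review bot: The `cwe` value pulled from the query metadata is pasted verbatim into both the href and the single-quoted onclick argument of the generated anchor, and nothing in the visible lines restricts it to digits, so a metadata entry containing `'`, `"` or `<` would break out of the attribute in the rendered docs. A CWE identifier is purely numeric, so validating it before the link is built is simpler and safer than escaping: `cwe = str(cwe)` followed by `if not cwe.isdigit(): raise ValueError(f'query {key}: cwe must be numeric, got {cwe!r}')` at the top of the else branch, which also handles an integer-typed value from the JSON source. A short comment on the if branch, `# empty or missing cwe renders as the literal 'Ongoing'`, would document the fallback. generate_md_docs begins and ends outside this hunk.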
Expand Up @@ -20,6 +20,7 @@ hide:
- **Platform:** <PLATFORM>
- **Severity:** <SEVERITY>
- **Category:** <CATEGORY>
- **CWE:** <CWE>
- **URL:** [Github](<GITHUB_URL>)

### Description
16 changes: 14 additions & 2 deletions .github/scripts/queries-validator/metadata-schema.json
Expand Up @@ -7,6 +7,16 @@
"minLength": 1,
"pattern": "^[a-f0-9]{8}-[a-f0-9]{4}-4{1}[a-f0-9]{3}-[89ab]{1}[a-f0-9]{3}-[a-f0-9]{12}$"
},
"description_text_pattern": {
"type": "string",
"minLength": 1,
"pattern": "^.{1,500}$"
},
"query_name_pattern": {
"type": "string",
"minLength": 1,
"pattern": "^[a-zA-Z][a-zA-Z0-9_ \\-\"',:$.()]{0,119}$"
},
"description_id_pattern": {
"type": "string",
"minLength": 1,
Expand All @@ -29,8 +39,9 @@
"$ref": "#/definitions/query_id_pattern"
},
"queryName": {
"$ref": "#/definitions/query_name_pattern",
"type": "string",
"minLength": 8,
"minLength": 1,
"maxLength": 120
},
"severity": {
Expand Down Expand Up @@ -75,8 +86,9 @@
]
},
"descriptionText": {
"$ref": "#/definitions/description_text_pattern",
"type": "string",
"minLength": 16,
"minLength": 1,
"maxLength" : 500
},
"descriptionUrl": {
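Review bot: Dropping `"minLength": 8` on queryName and `"minLength": 16` on descriptionText to 1 weakens the validator rather than merely adding a character-class check, because `query_name_pattern` already admits a single letter and `^.{1,500}$` admits a single character, so a one-character name or description now passes CI where it used to fail. If the patterns were the only intended addition, keep the old floors next to the `$ref` lines: `"minLength": 8` and `"minLength": 16`. Separately, `.` in an ECMA-262 pattern does not match a newline, so `description_text_pattern` now rejects multi-line descriptions that `maxLength` alone accepted; if that is intended, a `"description"` entry on the definition saying so would spare the next contributor a confusing validation failure. Nothing in these hunks constrains a `cwe` property, which the docs generator in this commit interpolates into a URL and an onclick attribute; if that property is declared elsewhere in the schema, `"pattern": "^[0-9]*$"` on it would pin the value to a numeric id.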
29 changes: 0 additions & 29 deletions .github/workflows/cxone.yaml

This file was deleted.

1 change: 0 additions & 1 deletion .grype.yaml
@@ -1,5 +1,4 @@
ignore:
- vulnerability: GHSA-4v7x-pqxf-cx7m # False Positive
- package:
name: anchore/scan-action
- package:
6 changes: 3 additions & 3 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM cgr.dev/chainguard/go@sha256:54b74a40acfc93d62bd32c72e3afe19bc55e4b2db7baa09d5950f3e5878baf28 as build_env
FROM cgr.dev/chainguard/go@sha256:4f11a0dfbd73832405bc3f611e53b4dbd61a1d1d23d205f2665cabfbd295a109 as build_env

# Copy the source from the current directory to the Working Directory inside the container
WORKDIR /app
Expand Down Expand Up @@ -31,7 +31,7 @@ USER nonroot
# Runtime image
# Ignore no User Cmd since KICS container is stopped afer scan
# kics-scan ignore-line
FROM cgr.dev/chainguard/git@sha256:f3ed07723172f93a50715cf6189be7c7526232ff88035e3eb24046bfffeb8f5c
FROM cgr.dev/chainguard/git@sha256:51620806588a4738b536e1f328206b17ae2a988b2a424a6a37c419041eb2b9a9

ENV TERM xterm-256color

Expand All @@ -49,4 +49,4 @@ WORKDIR /app/bin
ENV PATH $PATH:/app/bin

# Command to run the executable
ENTRYPOINT ["/app/bin/kics"]
ENTRYPOINT ["/app/bin/kics"]
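--- a/assets/queries/common/passwords_and_secrets/test/negative14.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative14.tf
@@ -0,0 +1,85 @@
+resource "aws_ecs_task_definition" "webapp" {
+family = "tomato-webapp"
+task_role_arn = data.aws_iam_role.ecs_task_role.arn
+
+container_definitions = <<EOF
+[
+{
+"volumesFrom": [],
+"extraHosts": null,
+"dnsServers": null,
+"disableNetworking": null,
+"dnsSearchDomains": null,
+"portMappings": [
+{
+"hostPort": 0,
+"containerPort": 8000,
+"protocol": "tcp"
+}
+],
+"hostname": null,
+"essential": true,
+"entryPoint": null,
+"mountPoints": [],
+"name": "tomato",
+"ulimits": null,
+"dockerSecurityOptions": null,
+"environment": [
+{
+"name": "RDS_HOST",
+"value": "${aws_db_instance.tomato.address}"
+},
+{
+"name": "RDS_NAME",
+"value": "${aws_db_instance.tomato.name}"
+},
+{
+"name": "RDS_USER",
+"value": "${aws_db_instance.tomato.username}"
+},
+{
+"name": "RDS_PASSWORD",
+"value": "${aws_db_instance.tomato.password}"
+},
+{
+"name": "RDS_PORT",
+"value": "${aws_db_instance.tomato.port}"
+},
+{
+"name": "GOOGLE_MAPS_API_KEY",
+"value": "${var.google_maps_api_key}"
+},
+{
+"name": "SECRET_KEY",
+"value": "${var.secret_key}"
+}
+],
+"workingDirectory": "/code",
+"readonlyRootFilesystem": null,
+"image": "${aws_ecr_repository.tomato.repository_url}:latest",
+"command": [
+"sh",
+"-c",
+"python3 manage.py initialize && uwsgi --ini /code/uwsgi.ini"
+],
+"user": null,
+"dockerLabels": null,
+"logConfiguration": {
+"logDriver": "awslogs",
+"options": {
+"awslogs-group": "${aws_cloudwatch_log_group.tomato_webapp.name}",
+"awslogs-region": "us-east-1",
+"awslogs-stream-prefix": "webapp"
+}
+},
+"cpu": 700,
+"privileged": null,
+"memoryReservation": 512,
+"linuxParameters": {
+"initProcessEnabled": true
+}
+}
+]
+EOF
+
+}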
@@ -0,0 +1,4 @@
provider "heroku" {
email = "ops@company.com"
api_key = var.heroku_api_key
}
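--- a/assets/queries/common/passwords_and_secrets/test/negative18.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
@@ -0,0 +1,12 @@
+Parameters:
+PrivateKey1:
+Type: String
+Resources:
+PinpointApp:
+Type: AWS::Pinpoint::App
+Properties:
+Name: foobar
+PinpointAPNSChannel:
+Type: AWS::Pinpoint::APNSChannel
+Properties:
+PrivateKey: !GetAtt PrivateKey1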
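Review bot: `PrivateKey: !GetAtt PrivateKey1` reads a template Parameter with `!GetAtt`, which only resolves resource attributes; a parameter value is read with `!Ref PrivateKey1`, so as written the fixture is not a deployable CloudFormation template even though it is meant to show the compliant, non-hardcoded form. Because this is the line a reader will copy as the recommended pattern, the parameter should also be marked sensitive: `NoEcho: true` under `PrivateKey1` keeps the value out of describe-stacks output and the console. Neither change alters what the query sees, since the value remains a reference rather than a literal.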
86 changes: 2 additions & 84 deletions assets/queries/common/passwords_and_secrets/test/negative21.tf
@@ -1,85 +1,3 @@
resource "aws_ecs_task_definition" "webapp" {
family = "tomato-webapp"
task_role_arn = data.aws_iam_role.ecs_task_role.arn

container_definitions = <<EOF
[
{
"volumesFrom": [],
"extraHosts": null,
"dnsServers": null,
"disableNetworking": null,
"dnsSearchDomains": null,
"portMappings": [
{
"hostPort": 0,
"containerPort": 8000,
"protocol": "tcp"
}
],
"hostname": null,
"essential": true,
"entryPoint": null,
"mountPoints": [],
"name": "tomato",
"ulimits": null,
"dockerSecurityOptions": null,
"environment": [
{
"name": "RDS_HOST",
"value": "${aws_db_instance.tomato.address}"
},
{
"name": "RDS_NAME",
"value": "${aws_db_instance.tomato.name}"
},
{
"name": "RDS_USER",
"value": "${aws_db_instance.tomato.username}"
},
{
"name": "RDS_PASSWORD",
"value": "${aws_db_instance.tomato.password}"
},
{
"name": "RDS_PORT",
"value": "${aws_db_instance.tomato.port}"
},
{
"name": "GOOGLE_MAPS_API_KEY",
"value": "${var.google_maps_api_key}"
},
{
"name": "SECRET_KEY",
"value": "${var.secret_key}"
}
],
"workingDirectory": "/code",
"readonlyRootFilesystem": null,
"image": "${aws_ecr_repository.tomato.repository_url}:latest",
"command": [
"sh",
"-c",
"python3 manage.py initialize && uwsgi --ini /code/uwsgi.ini"
],
"user": null,
"dockerLabels": null,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "${aws_cloudwatch_log_group.tomato_webapp.name}",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "webapp"
}
},
"cpu": 700,
"privileged": null,
"memoryReservation": 512,
"linuxParameters": {
"initProcessEnabled": true
}
}
]
EOF

provider "mailgun" {
api_key = "var.mailgun_api_key"
}
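Review bot: `api_key = "var.mailgun_api_key"` on the new side is a quoted string literal, not a Terraform reference; unlike the unquoted `api_key = var.heroku_api_key` form in the heroku fixture elsewhere in this commit, HCL will hand the provider the text `var.mailgun_api_key` itself. If the fixture is meant to mirror a variable reference, drop the quotes: `api_key = var.mailgun_api_key`. If it is deliberately checking that a literal which merely looks like a reference is not reported, a one-line `# literal that only looks like a reference: must not be flagged` above the provider block would make that intent explicit for the next person who renumbers these fixtures.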
@@ -1,4 +1,3 @@
provider "heroku" {
email = "ops@company.com"
api_key = var.heroku_api_key
provider "stripe" {
api_key = var.strip_restricted_api_key
}
@@ -0,0 +1,4 @@
- hosts: all
remote_user: root
vars:
twilio_api_key: '{{ TWILIO_API_KEY }}'
@@ -0,0 +1,5 @@
- hosts: all
remote_user: root
vars:
paypal_access_token: '{{ PAYPAL_ACCESS_TOKEN }}'

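--- a/assets/queries/common/passwords_and_secrets/test/negative25.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative25.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: envar-demo
+labels:
+purpose: demonstrate-envars
+spec:
+containers:
+- name: envar-demo-container
+image: gcr.io/google-samples/node-hello:1.0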
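Review bot: This negative fixture defines a Pod with no `env`, `envFrom` or volume at all, so it presumably contains nothing the passwords_and_secrets patterns could even match and does not demonstrate the compliant way of supplying a secret. A fixture that carries a secret-backed environment variable would exercise the query's handling of `valueFrom`, which is the case a future regex change is most likely to regress; the container below keeps the existing name and image and adds one such entry.
```yaml
# … unchanged: apiVersion, kind, metadata …
spec:
  containers:
  - name: envar-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    env:
    - name: DEMO_GREETING
      valueFrom:
        secretKeyRef:
          name: envar-demo-secret
          key: greeting
```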
31 changes: 19 additions & 12 deletions assets/queries/common/passwords_and_secrets/test/negative26.yaml
@@ -1,12 +1,19 @@
Parameters:
PrivateKey1:
Type: String
Resources:
PinpointApp:
Type: AWS::Pinpoint::App
Properties:
Name: foobar
PinpointAPNSChannel:
Type: AWS::Pinpoint::APNSChannel
Properties:
PrivateKey: !GetAtt PrivateKey1
apiVersion: v1
kind: Config
users:
- name: cluster-admin
user:
auth-provider:
config: {}
name: gcp
- name: google-oauth-access-token
user:
auth-provider:
config:
access-token: '{.credential.oauth_access_token_}'
cmd-args: config config-helper --format=json
cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
expiry: 2021-10-28T15:12:03.000Z
expiry-key: '{.credential.token_expiry}'
token-key: '{.credential.access_token}'
name: gcp

This file was deleted.

