Merge branch 'master' of https://github.com/Checkmarx/kics into change_cloud_provider
cx-henriqueAlvelos committed Aug 11, 2023
2 parents ccb6ad2 + 9107466 commit bcad42e
Showing 14 changed files with 269 additions and 3 deletions.
@@ -0,0 +1,11 @@
{
"id": "d9dc6429-5140-498a-8f55-a10daac5f000",
"queryName": "RDS DB Instance Publicly Accessible",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it",
"descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0",
"platform": "Crossplane",
"descriptionID": "d7566b63",
"cloudProvider": "aws"
}
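Review bot: The descriptionText reads as one rule — publiclyAccessible "must be set to false" and the subnet group's subnets must not sit in an IGW-attached VPC — but the query this metadata describes evaluates the subnet-group condition only when publiclyAccessible is omitted, and an explicit `publiclyAccessible: false` is never reported whatever the VPC looks like. The text should state that, e.g. `"descriptionText": "RDS must not be publicly accessible: 'publiclyAccessible' should be set to false, and when it is omitted the DB subnet group's subnets must not belong to a VPC with an Internet Gateway attached"`, which also drops the stray apostrophe in `dbSubnetGroupName'`. The descriptionUrl pins provider-aws v0.17.0 while the fixtures use v1beta1/v1alpha3 resources; worth confirming the pinned page still documents these fields.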
@@ -0,0 +1,80 @@
package Cx

import data.generic.common as common_lib
import data.generic.crossplane as cp_lib

getForProvider(apiVersion, kind, name, docs) = forProvider {
doc := docs[_]
[_, resource] := walk(doc)
startswith(resource.apiVersion, apiVersion)
resource.kind == kind
resource.metadata.name == name
forProvider := resource.spec.forProvider
}

existsInternetGateway(dbSubnetGroupName) {
DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document)
subnetIds := DBSGforProvider.subnetIds

count(subnetIds) > 0
subnetId := subnetIds[s]

EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document)

vpcId := EC2SforProvider.vpcId

IGdocs := input.document[_]
[_, IGresource] := walk(IGdocs)
startswith(IGresource.apiVersion, "network.aws.crossplane.io")
IGresource.kind == "InternetGateway"

IGforProvider := IGresource.spec.forProvider

common_lib.valid_key(IGforProvider, "vpcId")
vpcId == IGforProvider.vpcId
}

CxPolicy[result] {
docs := input.document[i]
[path, resource] := walk(docs)
startswith(resource.apiVersion, "database.aws.crossplane.io")
resource.kind == "RDSInstance"

forProvider := resource.spec.forProvider

not common_lib.valid_key(forProvider, "publiclyAccessible")

dbSubnetGroupName := forProvider.dbSubnetGroupName

existsInternetGateway(dbSubnetGroupName) == true

result := {
"documentId": input.document[i].id,
"resourceType": resource.kind,
"resourceName": cp_lib.getResourceName(resource),
"searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.dbSubnetGroupName", [resource.metadata.name]),
"issueType": "MissingAttribute",
"keyActualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it",
"keyExpectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it",
}
}

CxPolicy[result] {
docs := input.document[i]
[path, resource] := walk(docs)
startswith(resource.apiVersion, "database.aws.crossplane.io")
resource.kind == "RDSInstance"

forProvider := resource.spec.forProvider
forProvider.publiclyAccessible == true

result := {
"documentId": input.document[i].id,
"resourceType": resource.kind,
"resourceName": cp_lib.getResourceName(resource),
"searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.publiclyAccessible", [resource.metadata.name]),
"issueType": "MissingAttribute",
"keyExpectedValue": "publiclyAccessible should be set to false",
"keyActualValue": "publiclyAccessible is set to true",
}
}
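Review bot: The second CxPolicy rule reports `"issueType": "MissingAttribute"` although it matches only when publiclyAccessible is present and equal to true, which is a wrong value rather than an absent key; that result line should read `"issueType": "IncorrectValue",`. In the first rule the searchKey and the keyActualValue/keyExpectedValue strings point at dbSubnetGroupName while the condition that triggers it is the absent publiclyAccessible key, so a rule comment such as `# publiclyAccessible omitted: AWS derives the default from the subnet group, so flag it when that group's VPC has an Internet Gateway attached` would make the intent explicit, and the stray apostrophe in `dbSubnetGroupName'` in both message strings should go. getForProvider is a function, so if the scanned documents contain two DBSubnetGroup or Subnet resources with the same metadata.name it produces two outputs for one input and OPA raises a conflict error instead of a finding; a duplicate-name fixture would show whether that needs handling (a set-producing helper would tolerate it). `existsInternetGateway(dbSubnetGroupName) == true` and `count(subnetIds) > 0` are redundant with the evaluation that follows them, and `path` in both rules and `s` in existsInternetGateway are bound but never read — `_` is the usual spelling.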
@@ -0,0 +1,20 @@
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: sample-cluster3
spec:
forProvider:
publiclyAccessible: false

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321
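Review bot: This negative fixture sets `publiclyAccessible: false` and omits dbSubnetGroupName, so the DBSubnetGroup it defines is never referenced, and neither negative file exercises the two configurations the query treats as compliant by construction: publiclyAccessible omitted with no dbSubnetGroupName at all, and an explicit `publiclyAccessible: false` on a subnet group whose VPC does have an Internet Gateway. Adding those two documents here, or as a third negative file, would pin the intended behaviour of the first rule rather than only the vpcId-mismatch case covered by the second negative fixture.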
@@ -0,0 +1,60 @@
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: my-rds-instance
spec:
forProvider:
engine: mysql
engineVersion: "8.0"
instanceClass: db.t2.micro
allocatedStorage: 20
dbSubnetGroupName: my-db-subnet-group
writeConnectionSecretToRef:
name: my-rds-instance-connection

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-12345678
spec:
forProvider:
cidrBlock: "10.0.0.0/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-87654321
spec:
forProvider:
cidrBlock: "10.0.0.1/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a

---

apiVersion: network.aws.crossplane.io/v1alpha3
kind: InternetGateway
metadata:
name: my-internet-gateway
spec:
forProvider:
vpcId: vpc-abcdef12345
@@ -0,0 +1,20 @@
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: sample-cluster3
spec:
forProvider:
publiclyAccessible: true

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321
@@ -0,0 +1,60 @@
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: my-rds-instance
spec:
forProvider:
engine: mysql
engineVersion: "8.0"
instanceClass: db.t2.micro
allocatedStorage: 20
dbSubnetGroupName: my-db-subnet-group
writeConnectionSecretToRef:
name: my-rds-instance-connection

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-12345678
spec:
forProvider:
cidrBlock: "10.0.0.0/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-87654321
spec:
forProvider:
cidrBlock: "10.0.0.1/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a

---

apiVersion: network.aws.crossplane.io/v1alpha3
kind: InternetGateway
metadata:
name: my-internet-gateway
spec:
forProvider:
vpcId: vpc-abcdef12
@@ -0,0 +1,15 @@
[
{
"queryName": "RDS DB Instance Publicly Accessible",
"severity": "HIGH",
"line": 7,
"fileName": "positive1.yaml"
},
{
"queryName": "RDS DB Instance Publicly Accessible",
"severity": "HIGH",
"line": 11,
"fileName": "positive2.yaml"
}
]

@@ -1,6 +1,6 @@
{
"id": "35113e6f-2c6b-414d-beec-7a9482d3b2d1",
"queryName": "DB Instance Publicly Accessible",
"queryName": "RDS DB Instance Publicly Accessible",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').",
@@ -1,12 +1,12 @@
[
{
"queryName": "DB Instance Publicly Accessible",
"queryName": "RDS DB Instance Publicly Accessible",
"severity": "HIGH",
"line": 10,
"fileName": "positive1.tf"
},
{
"queryName": "DB Instance Publicly Accessible",
"queryName": "RDS DB Instance Publicly Accessible",
"severity": "HIGH",
"line": 11,
"fileName": "positive2.tf"
