From fe6ce8403dea66bbf6ba67be04e5e54204975404 Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Mon, 12 Feb 2024 08:02:48 -0800 Subject: [PATCH 1/7] [Sanity Tests] [Telemetry] Enable package policy id check (#1885) (#1891) [Sanity Tests] [Telemetry] Re-enable package policy id check (#1885) re enable package policy id check Co-authored-by: Oren Zohar <85433724+oren-zohar@users.noreply.github.com> --- tests/integration/tests/test_sanity_telemetry.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/tests/test_sanity_telemetry.py b/tests/integration/tests/test_sanity_telemetry.py index 994280b6a1..9323ce26ae 100644 --- a/tests/integration/tests/test_sanity_telemetry.py +++ b/tests/integration/tests/test_sanity_telemetry.py @@ -56,9 +56,9 @@ def test_telemetry_cloud_account_stats(cloud_security_telemetry_data): for account in cloud_account_stats: assert len(account.account_id) > 0, f"Telemetry data missing account_id for cloud_account_stats {account}" assert len(account.product) > 0, f"Telemetry data missing product for cloud_account_stats {account}" - # assert ( uncomment once bug is solved https://github.com/elastic/security-team/issues/8149 - # len(account.package_policy_id) > 0 - # ), f"Telemetry data missing package_policy_id for cloud_account_stats {account}" + assert ( + len(account.package_policy_id) > 0 + ), f"Telemetry data missing package_policy_id for cloud_account_stats {account}" if not (account.product == "kspm" and "CIS Kubernetes" in account.posture_management_stats.benchmark_name): assert ( From e6a5f969384d327ec485c49a986e5284bf1f0332 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 10:20:35 +0000 Subject: [PATCH 2/7] Bump helm/kind-action from 1.8.0 to 1.9.0 in /.github/workflows (#1919) Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Oren Zohar <85433724+oren-zohar@users.noreply.github.com> --- .github/workflows/periodic-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/periodic-ci.yml b/.github/workflows/periodic-ci.yml index 418dbe6f36..f0a1d7df61 100644 --- a/.github/workflows/periodic-ci.yml +++ b/.github/workflows/periodic-ci.yml @@ -156,7 +156,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create k8s Kind Cluster - uses: helm/kind-action@v1.8.0 + uses: helm/kind-action@v1.9.0 with: config: deploy/k8s/kind/kind-mono.yml From 33d3d2820f428ea16a7d764a571e4328ba5a4218 Mon Sep 17 00:00:00 2001 
From: Or Ouziel Date: Tue, 13 Feb 2024 13:55:01 +0200 Subject: [PATCH 3/7] CIS Azure 5.1.5 (#1857) --- .../azure/assets_enricher_keyvault.go | 15 ++ .../azure/assets_enricher_keyvault_test.go | 33 +++- .../fetchers/azure/assets_fetcher_test.go | 3 + .../providers/azurelib/inventory/asset.go | 1 + .../azurelib/inventory/keyvault_provider.go | 58 ++++++- .../inventory/keyvault_provider_test.go | 154 ++++++++++++++++++ .../inventory/mock_key_vault_provider_api.go | 55 +++++++ .../providers/azurelib/mock_provider_api.go | 55 +++++++ .../resources/providers/azurelib/provider.go | 2 +- security-policies/README.md | 2 +- security-policies/RULES.md | 8 +- .../cis_azure/rules/cis_5_1_5/data.yaml | 133 +++++++++++++++ .../cis_azure/rules/cis_5_1_5/rule.rego | 31 ++++ .../cis_azure/rules/cis_5_1_5/test.rego | 73 +++++++++ .../data/azure/azure_key_vault_test_cases.py | 18 ++ 15 files changed, 624 insertions(+), 17 deletions(-) create mode 100644 security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/data.yaml create mode 100644 security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego create mode 100644 security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/test.rego diff --git a/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault.go b/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault.go index 211d5a0f38..d511eaeb9d 100644 --- a/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault.go +++ b/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault.go @@ -32,6 +32,7 @@ type keyVaultEnricher struct { func (e keyVaultEnricher) Enrich(ctx context.Context, _ cycle.Metadata, assets []inventory.AzureAsset) error { singleAssetEnrichers := []func(context.Context, *inventory.AzureAsset) error{ + e.enrichKeyVaultDiagnosticSettings, e.enrichKeyVaultWithKeys, e.enrichKeyVaultWithSecrets, } 
@@ -54,6 +55,20 @@ func (e keyVaultEnricher) Enrich(ctx context.Context, _ cycle.Metadata, assets [ return errors.Join(errs...) } +func (e keyVaultEnricher) enrichKeyVaultDiagnosticSettings(ctx context.Context, a *inventory.AzureAsset) error { + diagSettings, err := e.provider.ListKeyVaultDiagnosticSettings(ctx, *a) + if err != nil { + return err + } + + if len(diagSettings) == 0 { + return nil + } + + a.AddExtension(inventory.ExtensionKeyVaultDiagnosticSettings, diagSettings) + return nil +} + func (e keyVaultEnricher) enrichKeyVaultWithKeys(ctx context.Context, a *inventory.AzureAsset) error { keys, err := e.provider.ListKeyVaultKeys(ctx, *a) if err != nil { diff --git a/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault_test.go b/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault_test.go index df4a4d0770..c1387b844c 100644 --- a/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault_test.go +++ b/internal/resources/fetching/fetchers/azure/assets_enricher_keyvault_test.go @@ -50,11 +50,12 @@ func TestKeyVaultEnricher(t *testing.T) { } tests := map[string]struct { - inputAssets []inventory.AzureAsset - mockKeysPerVaultID map[string][]inventory.AzureAsset - mockSecretsPerVaultID map[string][]inventory.AzureAsset - expected []inventory.AzureAsset - expectError bool + inputAssets []inventory.AzureAsset + mockKeysPerVaultID map[string][]inventory.AzureAsset + mockSecretsPerVaultID map[string][]inventory.AzureAsset + mockedDiagnosticPerVaultID map[string][]inventory.AzureAsset + expected []inventory.AzureAsset + expectError bool }{ "single": { inputAssets: []inventory.AzureAsset{ 
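Review bot: Returning nil without adding the extension when `diagSettings` is empty makes a vault that has no diagnostic settings look exactly like a vault the enricher never reached, so any rule reading `vaultDiagnosticSettings` must treat the absent key as non-compliant rather than as missing data. If that fail-closed contract is intended, make it explicit at the early return: `// no diagnostic settings: leave the extension unset so the rule treats the vault as unlogged`. The sibling key and secret enrichers follow the same shape, so the behaviour is consistent; it just is not stated anywhere in this file. The whole of `enrichKeyVaultDiagnosticSettings` is inside this hunk.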
@@ -66,11 +67,15 @@ func TestKeyVaultEnricher(t *testing.T) { mockSecretsPerVaultID: map[string][]inventory.AzureAsset{ "id1": {assetSecret("sec1")}, }, + mockedDiagnosticPerVaultID: map[string][]inventory.AzureAsset{ + "id1": {assetVault("diag1")}, + }, expected: func() []inventory.AzureAsset { a := assetVault("id1") a.Extension = map[string]any{} a.Extension[inventory.ExtensionKeyVaultKeys] = []inventory.AzureAsset{assetKey("key1")} a.Extension[inventory.ExtensionKeyVaultSecrets] = []inventory.AzureAsset{assetSecret("sec1")} + a.Extension[inventory.ExtensionKeyVaultDiagnosticSettings] = []inventory.AzureAsset{assetVault("diag1")} return []inventory.AzureAsset{a} }(), expectError: false, @@ -91,11 +96,17 @@ func TestKeyVaultEnricher(t *testing.T) { "id2": {}, "id3": {assetSecret("sec2"), assetSecret("sec3")}, }, + mockedDiagnosticPerVaultID: map[string][]inventory.AzureAsset{ + "id1": {assetVault("diag1")}, + "id2": {}, + "id3": {assetVault("diag3")}, + }, expected: func() []inventory.AzureAsset { a := assetVault("id1") a.Extension = map[string]any{} a.Extension[inventory.ExtensionKeyVaultKeys] = []inventory.AzureAsset{assetKey("key1"), assetKey("key2")} a.Extension[inventory.ExtensionKeyVaultSecrets] = []inventory.AzureAsset{assetSecret("sec1")} + a.Extension[inventory.ExtensionKeyVaultDiagnosticSettings] = []inventory.AzureAsset{assetVault("diag1")} b := assetVault("id2") b.Extension = map[string]any{} @@ -104,7 +115,7 @@ func TestKeyVaultEnricher(t *testing.T) { c := assetVault("id3") c.Extension = map[string]any{} c.Extension[inventory.ExtensionKeyVaultSecrets] = []inventory.AzureAsset{assetSecret("sec2"), assetSecret("sec3")} - + c.Extension[inventory.ExtensionKeyVaultDiagnosticSettings] = []inventory.AzureAsset{assetVault("diag3")} return []inventory.AzureAsset{a, b, c} }(), expectError: false, 
@@ -137,6 +148,16 @@ func TestKeyVaultEnricher(t *testing.T) { return sl, nil }). Times(len(tc.inputAssets)) + mockProvider.EXPECT(). + ListKeyVaultDiagnosticSettings(mock.Anything, mock.MatchedBy(func(a inventory.AzureAsset) bool { + _, found := tc.mockedDiagnosticPerVaultID[a.Id] + return found + })). + RunAndReturn(func(_ context.Context, a inventory.AzureAsset) ([]inventory.AzureAsset, error) { + sl := tc.mockedDiagnosticPerVaultID[a.Id] + return sl, nil + }). + Times(len(tc.inputAssets)) enricher := keyVaultEnricher{provider: mockProvider} diff --git a/internal/resources/fetching/fetchers/azure/assets_fetcher_test.go b/internal/resources/fetching/fetchers/azure/assets_fetcher_test.go index 44e9eb2231..ee2a573ee7 100644 --- a/internal/resources/fetching/fetchers/azure/assets_fetcher_test.go +++ b/internal/resources/fetching/fetchers/azure/assets_fetcher_test.go @@ -139,6 +139,9 @@ func (s *AzureAssetsFetcherTestSuite) TestFetcher_Fetch() { mockProvider.EXPECT(). ListKeyVaultSecrets(mock.Anything, v). Return(nil, nil) + mockProvider.EXPECT(). + ListKeyVaultDiagnosticSettings(mock.Anything, v). + Return(nil, nil) } // since we have app service asset we need to mock the enricher diff --git a/internal/resources/providers/azurelib/inventory/asset.go b/internal/resources/providers/azurelib/inventory/asset.go index 3649eb602a..06a58fde39 100644 --- a/internal/resources/providers/azurelib/inventory/asset.go +++ b/internal/resources/providers/azurelib/inventory/asset.go @@ -77,6 +77,7 @@ const ( ExtensionQueueDiagnosticSettings = "queueDiagnosticSettings" ExtensionKeyVaultKeys = "vaultKeys" ExtensionKeyVaultSecrets = "vaultSecrets" + ExtensionKeyVaultDiagnosticSettings = "vaultDiagnosticSettings" // AssetLocation assetLocationGlobal = "global" diff --git a/internal/resources/providers/azurelib/inventory/keyvault_provider.go b/internal/resources/providers/azurelib/inventory/keyvault_provider.go index 0fbb2d013b..afdd6c74fc 100644 
--- a/internal/resources/providers/azurelib/inventory/keyvault_provider.go +++ b/internal/resources/providers/azurelib/inventory/keyvault_provider.go @@ -23,6 +23,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor" "github.com/elastic/elastic-agent-libs/logp" "github.com/samber/lo" @@ -31,11 +32,12 @@ import ( ) type azureKeyVaultWrapper struct { - AssetKeyVaultKeys func(ctx context.Context, subscriptionID string, resourceGroupName string, vaultName string) ([]armkeyvault.KeysClientListResponse, error) - AssetKeyVaultSecrets func(ctx context.Context, subscriptionID string, resourceGroupName string, vaultName string) ([]armkeyvault.SecretsClientListResponse, error) + AssetKeyVaultKeys func(ctx context.Context, subscriptionID string, resourceGroupName string, vaultName string) ([]armkeyvault.KeysClientListResponse, error) + AssetKeyVaultSecrets func(ctx context.Context, subscriptionID string, resourceGroupName string, vaultName string) ([]armkeyvault.SecretsClientListResponse, error) + AssetDiagnosticSettings func(ctx context.Context, resourceURI string, options *armmonitor.DiagnosticSettingsClientListOptions) ([]armmonitor.DiagnosticSettingsClientListResponse, error) } -func defaultAzureKeyVaultWrapper(credentials azcore.TokenCredential) *azureKeyVaultWrapper { +func defaultAzureKeyVaultWrapper(diagnosticSettingsClient *armmonitor.DiagnosticSettingsClient, credentials azcore.TokenCredential) *azureKeyVaultWrapper { return &azureKeyVaultWrapper{ AssetKeyVaultKeys: func(ctx context.Context, subscriptionID string, resourceGroupName string, vaultName string) ([]armkeyvault.KeysClientListResponse, error) { client, err := armkeyvault.NewKeysClient(subscriptionID, credentials, nil) 
@@ -51,18 +53,22 @@ func defaultAzureKeyVaultWrapper(credentials azcore.TokenCredential) *azureKeyVa } return readPager(ctx, client.NewListPager(resourceGroupName, vaultName, nil)) }, + AssetDiagnosticSettings: func(ctx context.Context, resourceURI string, options *armmonitor.DiagnosticSettingsClientListOptions) ([]armmonitor.DiagnosticSettingsClientListResponse, error) { + return readPager(ctx, diagnosticSettingsClient.NewListPager(resourceURI, options)) + }, } } type KeyVaultProviderAPI interface { ListKeyVaultKeys(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) ListKeyVaultSecrets(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) + ListKeyVaultDiagnosticSettings(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) } -func NewKeyVaultProvider(log *logp.Logger, credentials azcore.TokenCredential) KeyVaultProviderAPI { +func NewKeyVaultProvider(log *logp.Logger, diagnosticSettingsClient *armmonitor.DiagnosticSettingsClient, credentials azcore.TokenCredential) KeyVaultProviderAPI { return &keyVaultProvider{ log: log, - client: defaultAzureKeyVaultWrapper(credentials), + client: defaultAzureKeyVaultWrapper(diagnosticSettingsClient, credentials), } } 
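Review bot: `defaultAzureKeyVaultWrapper` closes over `diagnosticSettingsClient` and calls `NewListPager` on it with no nil check, so a nil client passed to `NewKeyVaultProvider` only shows up as a panic the first time a vault is enriched instead of at construction. The keys and secrets closures build their own clients from `credentials` on each call, so this is also the only injected client in the wrapper; either construct it the same way or document the precondition on the constructor, e.g. `// NewKeyVaultProvider requires a non-nil diagnosticSettingsClient.` The new interface method also has no doc comment; `// ListKeyVaultDiagnosticSettings returns the Azure Monitor diagnostic settings attached to vault, one asset per setting.` would match the exported-name convention.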
@@ -71,6 +77,48 @@ type keyVaultProvider struct { client *azureKeyVaultWrapper } +func (p *keyVaultProvider) ListKeyVaultDiagnosticSettings(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) { + p.log.Info("Listing Azure Vault Diagnostic Settings") + + responses, err := p.client.AssetDiagnosticSettings(ctx, vault.Id, nil) + if err != nil { + return nil, fmt.Errorf("error while retrieving vault diagnostic settings: vaultId: %v, error: %w", vault.Id, err) + } + + return lo.FlatMap(responses, func(res armmonitor.DiagnosticSettingsClientListResponse, _ int) []AzureAsset { + return lo.FilterMap(res.Value, func(setting *armmonitor.DiagnosticSettingsResource, _ int) (AzureAsset, bool) { + return p.transformDiagnosticSetting(setting, vault) + }) + }), nil +} + +func (p *keyVaultProvider) transformDiagnosticSetting(setting *armmonitor.DiagnosticSettingsResource, vault AzureAsset) (AzureAsset, bool) { + if setting == nil { + return AzureAsset{}, false + } + + properties := map[string]any{} + + maps.AddIfNotNil(properties, "storageAccountId", setting.Properties.StorageAccountID) + maps.AddIfSliceNotEmpty(properties, "logs", setting.Properties.Logs) + + if len(properties) == 0 { + properties = nil + } + + return AzureAsset{ + Id: pointers.Deref(setting.ID), + Name: pointers.Deref(setting.Name), + DisplayName: "", + Location: "", + ResourceGroup: vault.ResourceGroup, + SubscriptionId: vault.SubscriptionId, + TenantId: vault.TenantId, + Type: pointers.Deref(setting.Type), + Properties: properties, + }, true +} + func (p *keyVaultProvider) ListKeyVaultKeys(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) { p.log.Info("Listing Azure Vault Keys") diff --git a/internal/resources/providers/azurelib/inventory/keyvault_provider_test.go b/internal/resources/providers/azurelib/inventory/keyvault_provider_test.go index cf75d425a1..b32d3248cc 100644 --- a/internal/resources/providers/azurelib/inventory/keyvault_provider_test.go 
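Review bot: `transformDiagnosticSetting` guards against a nil `setting` but then dereferences `setting.Properties.StorageAccountID` and `setting.Properties.Logs`; `Properties` is a pointer (the test constructs it with `&armmonitor.DiagnosticSettings{...}`), so a returned entry with no properties would panic the whole fetch cycle. Guard it: `if props := setting.Properties; props != nil { maps.AddIfNotNil(properties, "storageAccountId", props.StorageAccountID); maps.AddIfSliceNotEmpty(properties, "logs", props.Logs) }`. Separately, only the storage-account destination is surfaced, while the benchmark text added in this series also accepts a workspace, event hub or marketplace partner as the log destination; if the rule (not in this hunk) keys on `storageAccountId`, a vault shipping AuditEvent logs to Log Analytics would be reported as failing, so consider also copying `WorkspaceID`, `EventHubAuthorizationRuleID` and `MarketplacePartnerID` from the same struct.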
+++ b/internal/resources/providers/azurelib/inventory/keyvault_provider_test.go @@ -19,11 +19,13 @@ package inventory import ( "context" + "errors" "testing" "time" "github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" 
@@ -44,6 +46,158 @@ func (m *mockAzureKeyVaultWrapper) AssetKeyVaultSecrets(_ context.Context, subsc return r.Get(0).([]armkeyvault.SecretsClientListResponse), r.Error(1) } +func (m *mockAzureKeyVaultWrapper) AssetDiagnosticSettings(_ context.Context, vaultId string, options *armmonitor.DiagnosticSettingsClientListOptions) ([]armmonitor.DiagnosticSettingsClientListResponse, error) { + r := m.Called(vaultId, options) + return r.Get(0).([]armmonitor.DiagnosticSettingsClientListResponse), r.Error(1) +} + +func TestListKeyVaultDiagnosticSettings(t *testing.T) { + log := testhelper.NewLogger(t) + + response := func(settings ...*armmonitor.DiagnosticSettingsResource) armmonitor.DiagnosticSettingsClientListResponse { + return armmonitor.DiagnosticSettingsClientListResponse{ + DiagnosticSettingsResourceCollection: armmonitor.DiagnosticSettingsResourceCollection{ + Value: settings, + }, + } + } + + settings := func(id string) *armmonitor.DiagnosticSettingsResource { + return &armmonitor.DiagnosticSettingsResource{ + ID: to.Ptr(id), + Name: to.Ptr("diagName"), + Type: to.Ptr("Microsoft.KeyVault/vaults"), + Properties: &armmonitor.DiagnosticSettings{ + StorageAccountID: to.Ptr("storage_account_id"), + Logs: []*armmonitor.LogSettings{ + { + Category: to.Ptr("AuditEvent"), + Enabled: to.Ptr(true), + }, + }, + }, + } + } + + vaultAsset := AzureAsset{ + Id: "kv1", + Name: "diagName", + ResourceGroup: "rg1", + SubscriptionId: "sub1", + TenantId: "ten1", + } + + tests := map[string]struct { + inputVault AzureAsset + mockWrapperResponse []armmonitor.DiagnosticSettingsClientListResponse + mockWrapperResponseError error + expected []AzureAsset + expectError bool + }{ + "test error": { + inputVault: vaultAsset, + mockWrapperResponse: nil, + mockWrapperResponseError: errors.New("some error"), + expected: []AzureAsset{}, + expectError: true, + }, + "test single": { + inputVault: vaultAsset, + mockWrapperResponse: []armmonitor.DiagnosticSettingsClientListResponse{ + response(nil, 
settings("diag1")), + }, + mockWrapperResponseError: nil, + expected: []AzureAsset{ + { + Id: "diag1", + Name: "diagName", + DisplayName: "", + ResourceGroup: "rg1", + SubscriptionId: "sub1", + TenantId: "ten1", + Type: "Microsoft.KeyVault/vaults", + Properties: map[string]any{ + "storageAccountId": settings("diag1").Properties.StorageAccountID, + "logs": settings("diag1").Properties.Logs, + }, + }, + }, + expectError: false, + }, + "test multiple": { + inputVault: AzureAsset{ + Id: "kv1", + Name: "name1", + ResourceGroup: "rg1", + SubscriptionId: "sub1", + TenantId: "ten1", + }, + mockWrapperResponse: []armmonitor.DiagnosticSettingsClientListResponse{ + response(nil, settings("diag1"), settings("diag2")), + }, + mockWrapperResponseError: nil, + expected: []AzureAsset{ + { + Id: "diag1", + Name: "diagName", + DisplayName: "", + ResourceGroup: "rg1", + SubscriptionId: "sub1", + TenantId: "ten1", + Type: "Microsoft.KeyVault/vaults", + Properties: map[string]any{ + "storageAccountId": settings("diag1").Properties.StorageAccountID, + "logs": settings("diag1").Properties.Logs, + }, + }, + { + Id: "diag2", + Name: "diagName", + DisplayName: "", + ResourceGroup: "rg1", + SubscriptionId: "sub1", + TenantId: "ten1", + Type: "Microsoft.KeyVault/vaults", + Properties: map[string]any{ + "storageAccountId": settings("diag2").Properties.StorageAccountID, + "logs": settings("diag2").Properties.Logs, + }, + }, + }, + expectError: false, + }, + } + + for name, tc := range tests { + tc := tc + t.Run(name, func(t *testing.T) { + mockWrapper := &mockAzureKeyVaultWrapper{} + mockWrapper.Test(t) + mockWrapper. + On("AssetDiagnosticSettings", tc.inputVault.Id, mock.Anything). + Return(tc.mockWrapperResponse, tc.mockWrapperResponseError). 
+ Once() + t.Cleanup(func() { mockWrapper.AssertExpectations(t) }) + + provider := keyVaultProvider{ + log: log, + client: &azureKeyVaultWrapper{ + AssetDiagnosticSettings: mockWrapper.AssetDiagnosticSettings, + }, + } + + got, err := provider.ListKeyVaultDiagnosticSettings(context.Background(), tc.inputVault) + if tc.expectError { + require.Error(t, err) + } else { + require.NoError(t, err) + } + + require.ElementsMatch(t, tc.expected, got) + }) + } +} + func TestListKeyVaultKeys(t *testing.T) { log := testhelper.NewLogger(t) diff --git a/internal/resources/providers/azurelib/inventory/mock_key_vault_provider_api.go b/internal/resources/providers/azurelib/inventory/mock_key_vault_provider_api.go index c78a31e33c..331dc47da8 100644 --- a/internal/resources/providers/azurelib/inventory/mock_key_vault_provider_api.go +++ b/internal/resources/providers/azurelib/inventory/mock_key_vault_provider_api.go 
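Review bot: The `response(nil, settings("diag1"))` case pins the nil-entry path, but nothing exercises a setting whose `Properties` is nil or whose `Properties.Logs` is empty, which is where `transformDiagnosticSetting` is most likely to misbehave; add a case built from `&armmonitor.DiagnosticSettingsResource{ID: to.Ptr("diag3"), Name: to.Ptr("diagName"), Type: to.Ptr("Microsoft.KeyVault/vaults")}` and assert the resulting asset once the transform is nil-safe. Also `vaultAsset` is given `Name: "diagName"`, the same name the helper assigns to every diagnostic setting, so the expected assets cannot show whether the setting's own name or the vault's was copied; renaming the vault fixture (`Name: "kv1"`) would make that assertion meaningful. `TestListKeyVaultDiagnosticSettings` lies entirely within this hunk.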
@@ -38,6 +38,61 @@ func (_m *MockKeyVaultProviderAPI) EXPECT() *MockKeyVaultProviderAPI_Expecter { return &MockKeyVaultProviderAPI_Expecter{mock: &_m.Mock} } +// ListKeyVaultDiagnosticSettings provides a mock function with given fields: ctx, vault +func (_m *MockKeyVaultProviderAPI) ListKeyVaultDiagnosticSettings(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) { + ret := _m.Called(ctx, vault) + + var r0 []AzureAsset + var r1 error + if rf, ok := ret.Get(0).(func(context.Context, AzureAsset) ([]AzureAsset, error)); ok { + return rf(ctx, vault) + } + if rf, ok := ret.Get(0).(func(context.Context, AzureAsset) []AzureAsset); ok { + r0 = rf(ctx, vault) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).([]AzureAsset) + } + } + + if rf, ok := ret.Get(1).(func(context.Context, AzureAsset) error); ok { + r1 = rf(ctx, vault) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListKeyVaultDiagnosticSettings' +type MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call struct { + *mock.Call +} + +// ListKeyVaultDiagnosticSettings is a helper method to define mock.On call +// - ctx context.Context +// - vault AzureAsset +func (_e *MockKeyVaultProviderAPI_Expecter) ListKeyVaultDiagnosticSettings(ctx interface{}, vault interface{}) *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call { + return &MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call{Call: _e.mock.On("ListKeyVaultDiagnosticSettings", ctx, vault)} +} + +func (_c *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call) Run(run func(ctx context.Context, vault AzureAsset)) *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call { + _c.Call.Run(func(args mock.Arguments) { + run(args[0].(context.Context), args[1].(AzureAsset)) + }) + return _c +} + +func (_c *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call) 
Return(_a0 []AzureAsset, _a1 error) *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call { + _c.Call.Return(_a0, _a1) + return _c +} + +func (_c *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call) RunAndReturn(run func(context.Context, AzureAsset) ([]AzureAsset, error)) *MockKeyVaultProviderAPI_ListKeyVaultDiagnosticSettings_Call { + _c.Call.Return(run) + return _c +} + // ListKeyVaultKeys provides a mock function with given fields: ctx, vault func (_m *MockKeyVaultProviderAPI) ListKeyVaultKeys(ctx context.Context, vault AzureAsset) ([]AzureAsset, error) { ret := _m.Called(ctx, vault) diff --git a/internal/resources/providers/azurelib/mock_provider_api.go b/internal/resources/providers/azurelib/mock_provider_api.go index 645e2cf415..95c52063fa 100644 --- a/internal/resources/providers/azurelib/mock_provider_api.go +++ b/internal/resources/providers/azurelib/mock_provider_api.go 
@@ -603,6 +603,61 @@ func (_c *MockProviderAPI_ListFlexiblePostgresFirewallRules_Call) RunAndReturn(r return _c } +// ListKeyVaultDiagnosticSettings provides a mock function with given fields: ctx, vault +func (_m *MockProviderAPI) ListKeyVaultDiagnosticSettings(ctx context.Context, vault inventory.AzureAsset) ([]inventory.AzureAsset, error) { + ret := _m.Called(ctx, vault) + + var r0 []inventory.AzureAsset + var r1 error + if rf, ok := ret.Get(0).(func(context.Context, inventory.AzureAsset) ([]inventory.AzureAsset, error)); ok { + return rf(ctx, vault) + } + if rf, ok := ret.Get(0).(func(context.Context, inventory.AzureAsset) []inventory.AzureAsset); ok { + r0 = rf(ctx, vault) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).([]inventory.AzureAsset) + } + } + + if rf, ok := ret.Get(1).(func(context.Context, inventory.AzureAsset) error); ok { + r1 = rf(ctx, vault) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// MockProviderAPI_ListKeyVaultDiagnosticSettings_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListKeyVaultDiagnosticSettings' +type MockProviderAPI_ListKeyVaultDiagnosticSettings_Call struct { + *mock.Call +} + +// ListKeyVaultDiagnosticSettings is a helper method to define mock.On call +// - ctx context.Context +// - vault inventory.AzureAsset +func (_e *MockProviderAPI_Expecter) ListKeyVaultDiagnosticSettings(ctx interface{}, vault interface{}) *MockProviderAPI_ListKeyVaultDiagnosticSettings_Call { + return &MockProviderAPI_ListKeyVaultDiagnosticSettings_Call{Call: _e.mock.On("ListKeyVaultDiagnosticSettings", ctx, vault)} +} + +func (_c *MockProviderAPI_ListKeyVaultDiagnosticSettings_Call) Run(run func(ctx context.Context, vault inventory.AzureAsset)) *MockProviderAPI_ListKeyVaultDiagnosticSettings_Call { + _c.Call.Run(func(args mock.Arguments) { + run(args[0].(context.Context), args[1].(inventory.AzureAsset)) + }) + return _c +} + +func (_c 
*MockProviderAPI_ListKeyVaultDiagnosticSettings_Call) Return(_a0 []inventory.AzureAsset, _a1 error) *MockProviderAPI_ListKeyVaultDiagnosticSettings_Call { + _c.Call.Return(_a0, _a1) + return _c +} + +func (_c *MockProviderAPI_ListKeyVaultDiagnosticSettings_Call) RunAndReturn(run func(context.Context, inventory.AzureAsset) ([]inventory.AzureAsset, error)) *MockProviderAPI_ListKeyVaultDiagnosticSettings_Call { + _c.Call.Return(run) + return _c +} + // ListKeyVaultKeys provides a mock function with given fields: ctx, vault func (_m *MockProviderAPI) ListKeyVaultKeys(ctx context.Context, vault inventory.AzureAsset) ([]inventory.AzureAsset, error) { ret := _m.Called(ctx, vault) diff --git a/internal/resources/providers/azurelib/provider.go b/internal/resources/providers/azurelib/provider.go index 40a183de7a..f3872772ba 100644 --- a/internal/resources/providers/azurelib/provider.go +++ b/internal/resources/providers/azurelib/provider.go @@ -72,7 +72,7 @@ func (p *ProviderInitializer) Init(log *logp.Logger, azureConfig auth.AzureFacto resourceGraphProvider := inventory.NewResourceGraphProvider(log, resourceGraphClientFactory) return &provider{ AppServiceProviderAPI: inventory.NewAppServiceProvider(log, azureConfig.Credentials), - KeyVaultProviderAPI: inventory.NewKeyVaultProvider(log, azureConfig.Credentials), + KeyVaultProviderAPI: inventory.NewKeyVaultProvider(log, diagnosticSettingsClient, azureConfig.Credentials), MysqlProviderAPI: inventory.NewMysqlProvider(log, azureConfig.Credentials), PostgresqlProviderAPI: inventory.NewPostgresqlProvider(log, azureConfig.Credentials), ProviderAPI: governance.NewProvider(log, resourceGraphProvider), diff --git a/security-policies/README.md b/security-policies/README.md index 8a482b95bb..54b5cf2f04 100644 --- a/security-policies/README.md +++ b/security-policies/README.md 
@@ -4,7 +4,7 @@ [![CIS EKS](https://img.shields.io/badge/CIS-Amazon%20EKS%20(60%25)-FF9900?logo=Amazon+EKS)](RULES.md#eks-cis-benchmark) [![CIS AWS](https://img.shields.io/badge/CIS-AWS%20(87%25)-232F3E?logo=Amazon+AWS)](RULES.md#aws-cis-benchmark) [![CIS GCP](https://img.shields.io/badge/CIS-GCP%20(85%25)-4285F4?logo=Google+Cloud)](RULES.md#gcp-cis-benchmark) -[![CIS AZURE](https://img.shields.io/badge/CIS-AZURE%20(47%25)-0078D4?logo=Microsoft+Azure)](RULES.md#azure-cis-benchmark) +[![CIS AZURE](https://img.shields.io/badge/CIS-AZURE%20(48%25)-0078D4?logo=Microsoft+Azure)](RULES.md#azure-cis-benchmark) ![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/oren-zohar/a7160df46e48dff45b24096de9302d38/raw/csp-security-policies_coverage.json) diff --git a/security-policies/RULES.md b/security-policies/RULES.md index e407d03396..ee3144c32d 100644 --- a/security-policies/RULES.md +++ b/security-policies/RULES.md @@ -398,13 +398,13 @@ ## AZURE CIS Benchmark -### 71/151 implemented rules (47%) +### 72/151 implemented rules (48%) -#### Automated rules: 71/77 (92%) +#### Automated rules: 72/77 (94%) #### Manual rules: 0/74 (0%) -#### Integration Tests Coverage: 98/302 (32%) +#### Integration Tests Coverage: 100/302 (33%)

Full Table 📋

@@ -512,7 +512,7 @@ | [5.1.2](bundle/compliance/cis_azure/rules/cis_5_1_2) | Configuring Diagnostic Settings | Ensure Diagnostic Setting captures appropriate categories | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | | [5.1.3](bundle/compliance/cis_azure/rules/cis_5_1_3) | Configuring Diagnostic Settings | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | :white_check_mark: | Passed :x: / Failed :x: | Automated | | [5.1.4](bundle/compliance/cis_azure/rules/cis_5_1_4) | Configuring Diagnostic Settings | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | :white_check_mark: | Passed :x: / Failed :x: | Automated | -| 5.1.5 | Configuring Diagnostic Settings | Ensure that logging for Azure Key Vault is 'Enabled' | :x: | Passed :x: / Failed :x: | Automated | +| [5.1.5](bundle/compliance/cis_azure/rules/cis_5_1_5) | Configuring Diagnostic Settings | Ensure that logging for Azure Key Vault is 'Enabled' | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | | 5.1.6 | Configuring Diagnostic Settings | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | :x: | Passed :x: / Failed :x: | Manual | | 5.1.7 | Configuring Diagnostic Settings | Ensure that logging for Azure AppService 'HTTP logs' is enabled | :x: | Passed :x: / Failed :x: | Manual | | [5.2.1](bundle/compliance/cis_azure/rules/cis_5_2_1) | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create Policy Assignment | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/data.yaml b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/data.yaml new file mode 100644 index 0000000000..b4e1836496 --- /dev/null +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/data.yaml 
@@ -0,0 +1,133 @@ +metadata: + id: 66cdd4cc-5870-50e1-959c-91443716b87a + name: Ensure that logging for Azure Key Vault is 'Enabled' + profile_applicability: '* Level 1' + description: |- + Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. + rationale: |- + Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. + Enabling logging for Key Vault saves information in an Azure storage account which the user provides. + This creates a new container named insights-logs-auditevent automatically for the specified storage account. + This same storage account can be used for collecting logs for multiple key vaults. + audit: |- + **From Azure Portal** + + 1. Go to `Key vaults` + 2. For each Key vault + 3. Go to `Diagnostic settings` + 4. Click on `Edit Settings` + 5. Ensure that `Archive to a storage account` is `Enabled` + 6. Ensure that `AuditEvent` is checked, and the retention days is set to `180 days` or as appropriate + + **From Azure CLI** + + List all key vaults + + ``` + az keyvault list + ``` + + For each keyvault `id` + ``` + az monitor diagnostic-settings list --resource + ``` + + Ensure that `storageAccountId` is set as appropriate. + Also, ensure that `category` and `days` are set. + One of the sample outputs is as below. + + ``` + "logs": [ + { + "category": "AuditEvent", + "enabled": true, + "retentionPolicy": { + "days": 180, + "enabled": true + } + } + ] + ``` + + **From PowerShell** + + List the key vault(s) in the subscription + + ``` + Get-AzKeyVault + ``` + + For each key vault, run the following: + + ``` + Get-AzDiagnosticSetting -ResourceId + ``` + + Ensure that `StorageAccountId`, `ServiceBusRuleId`, `MarketplacePartnerId`, or `WorkspaceId` is set as appropriate. 
+ Also, ensure that `enabled` is set to `true`, and that `category` and `days` are set under the `Log` heading. + remediation: |- + **From Azure Portal** + + 1. Go to `Key vaults` + 2. Select a Key vault + 3. Select `Diagnostic settings` + 4. Click on `Edit setting` against an existing diagnostic setting, or `Add diagnostic setting` + 5. If creating a new diagnostic setting, provide a name + 6. Check `Archive to a storage account` + 7. Under Categories, check `Audit Logs` + 8. Set an appropriate value for `Retention (days)` + 9. Click `Save` + + **From Azure CLI** + + To update an existing `Diagnostic Settings` + ``` + az monitor diagnostic-settings update --name "" --resource --set retentionPolicy.days=90 + ``` + + To create a new `Diagnostic Settings` + + ``` + az monitor diagnostic-settings create --name --resource --logs "[{category:AuditEvents,enabled:true,retention-policy:{enabled:true,days:180}}]" --metrics "[{category:AllMetrics,enabled:true,retention-policy:{enabled:true,days:180}}]" <[--event-hub --event-hub-rule | --storage-account |--workspace | --marketplace-partner-id ]> + ``` + + **From PowerShell** + + Create the `Log` settings object + + ``` + $logSettings = @() + $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AuditEvent + ``` + + Create the `Metric` settings object + + ``` + $metricSettings = @() + $metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics + ``` + + Create the `Diagnostic Settings` for each `Key Vault` + + ``` + New-AzDiagnosticSetting -Name "" -ResourceId -Log $logSettings -Metric $metricSettings [-StorageAccountId | -EventHubName -EventHubAuthorizationRuleId | -WorkSpaceId | -MarketPlacePartnerId ] + ``` + impact: '' + default_value: '' + references: |- + 1. https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging + 2. 
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
+ 3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
+ section: Configuring Diagnostic Settings
+ version: '1.0'
+ tags:
+ - CIS
+ - AZURE
+ - CIS 5.1.5
+ - Configuring Diagnostic Settings
+ benchmark:
+ name: CIS Microsoft Azure Foundations
+ version: v2.0.0
+ id: cis_azure
+ rule_number: 5.1.5
+ posture_type: cspm
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego
new file mode 100644
index 0000000000..b2f98e4be1
--- /dev/null
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego
@@ -0,0 +1,31 @@
+package compliance.cis_azure.rules.cis_5_1_5
+
+import data.compliance.lib.common
+import data.compliance.policy.azure.data_adapter
+import future.keywords.if
+
+finding = result if {
+ # filter
+ data_adapter.is_vault
+
+ # set result
+ result := common.generate_result_without_expected(
+ common.calculate_result(is_vault_logging_enabled),
+ {"Resource": data_adapter.resource},
+ )
+}
+
+is_audit_category(i) if i.categoryGroup == "allLogs"
+
+is_audit_category(i) if i.categoryGroup == "audit"
+
+# AuditEvent category is in both categoryGroup "allLogs" and "audit"
+is_audit_category(i) if i.category == "AuditEvent"
+
+is_vault_logging_enabled if {
+ entry = data_adapter.resource.extension.vaultDiagnosticSettings[i].properties
+ entry.storageAccountId != null
+ logs := entry.logs[i]
+ logs.enabled == true
+ is_audit_category(logs)
+} else = false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/test.rego
new file mode 100644
index 0000000000..d586bd1986
--- /dev/null
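Review bot: The Azure CLI remediation under `remediation` writes the log category as `category:AuditEvents`, while the audit sample output, the PowerShell remediation (`-Category AuditEvent`) and the rule's own matcher in rule.rego (`i.category == "AuditEvent"`) all use the singular `AuditEvent`; the CLI line should read `--logs "[{category:AuditEvent,enabled:true,retention-policy:{enabled:true,days:180}}]"`. As written, an operator who copies the CLI command may end up with a setting this rule still reports as failed (assuming the service accepts the unknown category name rather than rejecting it), so the remediation text would contradict the check it is meant to satisfy.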
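Review bot: `is_vault_logging_enabled` reuses the index `i` for both `vaultDiagnosticSettings[i]` and `entry.logs[i]`, so the two are unified and the rule only passes when the audit log entry sits at the same array position as its diagnostic setting; a single setting whose `logs` lists `AuditEvent` after another category (a normal shape when several categories are enabled) is reported as failed. Use an independent index, `logs := entry.logs[_]`, and for consistency `entry := data_adapter.resource.extension.vaultDiagnosticSettings[i].properties` rather than `=`. The tests in test.rego only use one-element `logs` arrays, so a pass case with `AuditEvent` at index 1 should be added there to pin this. Separately, `entry.storageAccountId != null` makes a storage-account sink mandatory, whereas the audit text in data.yaml accepts `WorkspaceId`, `ServiceBusRuleId` or `MarketplacePartnerId` as well, so a vault that ships `AuditEvent` to Log Analytics is flagged; if that strictness is deliberate, a comment on that line saying so would stop it being "fixed" later.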
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/test.rego 
@@ -0,0 +1,73 @@
+package compliance.cis_azure.rules.cis_5_1_5
+
+import data.cis_azure.test_data
+import data.compliance.policy.azure.data_adapter
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+ # fail if storage account id not defined
+ eval_fail with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": [{"properties": {"storageAccountId": null}}]})
+
+ # fail if logs category is not audit
+ eval_fail with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": [{"properties": {
+ "storageAccountId": "/subscriptions/1",
+ "logs": [{
+ "category": "AzurePolicyEvaluationDetails",
+ "enabled": true,
+ }],
+ }}]})
+
+ # fail if logs category is audit, but not enabled
+ eval_fail with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": [{"properties": {
+ "storageAccountId": "/subscriptions/1",
+ "logs": [{
+ "category": "AuditEvent",
+ "enabled": false,
+ }],
+ }}]})
+}
+
+test_pass if {
+ # pass if the diagnostic setting has:
+ # 1. a storage account id
+ # 2. logs category is "AuditEvent" or categoryGroup is "audit"/"allLogs"
+ # 3.
said log category is enabled
+ eval_pass with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": [{"properties": {
+ "storageAccountId": "/subscription/1",
+ "logs": [{
+ "category": "AuditEvent",
+ "enabled": true,
+ }],
+ }}]})
+ eval_pass with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": [{"properties": {
+ "storageAccountId": "/subscription/1",
+ "logs": [{
+ "categoryGroup": "audit",
+ "enabled": true,
+ }],
+ }}]})
+ eval_pass with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": [{"properties": {
+ "storageAccountId": "/subscription/1",
+ "logs": [{
+ "categoryGroup": "allLogs",
+ "enabled": true,
+ }],
+ }}]})
+}
+
+test_not_evaluated if {
+ not_eval with input as test_data.not_eval_non_exist_type
+}
+
+eval_fail if {
+ test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+eval_pass if {
+ test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+not_eval if {
+ not finding with data.benchmark_data_adapter as data_adapter
+}
diff --git a/tests/product/tests/data/azure/azure_key_vault_test_cases.py b/tests/product/tests/data/azure/azure_key_vault_test_cases.py
index 08a8b41de4..4d8b3a14b6 100644
--- a/tests/product/tests/data/azure/azure_key_vault_test_cases.py
+++ b/tests/product/tests/data/azure/azure_key_vault_test_cases.py
@@ -9,6 +9,7 @@
 from ..constants import RULE_PASS_STATUS, RULE_FAIL_STATUS
 CIS_8_5 = "CIS 8.5"
+CIS_5_1_5 = "CIS 5.1.5"
 cis_azure_8_5_pass = AzureServiceCase(
 rule_tag=CIS_8_5,
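Review bot: `test_violation` only covers a diagnostic setting that exists but is incomplete; there is no fail case for a vault with no diagnostic settings at all (`{"vaultDiagnosticSettings": []}`) or for a setting whose `storageAccountId` key is absent rather than `null`, and an unconfigured vault is precisely the state this control exists to surface. Adding `eval_fail with input as test_data.generate_key_vault({}, {"vaultDiagnosticSettings": []})` plus the key-absent variant would pin the `else = false` path of `is_vault_logging_enabled` (presumably what an empty list falls through to). As a point of style, the pass fixtures use `"/subscription/1"` while the fail fixtures use `"/subscriptions/1"`; using one spelling keeps a reader from wondering whether the path shape is what the rule distinguishes.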
@@ -27,7 +28,24 @@
 "8.5 Ensure the Key Vault is Recoverable expect: failed": cis_azure_8_5_fail,
 }
+cis_azure_5_1_5_pass = AzureServiceCase(
+ rule_tag=CIS_5_1_5,
+ case_identifier="test-key-vault-diag-pass",
+ expected=RULE_PASS_STATUS,
+)
+cis_azure_5_1_5_fail = AzureServiceCase(
+ rule_tag=CIS_5_1_5,
+ case_identifier="test-key-vault-diag-fail",
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_5_1_5 = {
+ "5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' expect: passed": cis_azure_5_1_5_pass,
+ "5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' expect: failed": cis_azure_5_1_5_fail,
+}
+
 # The name of this variable needs to be `tests_cases` in order to CIS Rules coverage stats to be generated
 test_cases = {
 **cis_azure_8_5,
+ **cis_azure_5_1_5,
 }
From b8a53e37122e6929ded378d8a6246ddb70b1330a Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Wed, 14 Feb 2024 15:00:32 +0200 Subject: [PATCH 4/7] Fix cis eks 5.4.5 (#1911) --- .../bundle/compliance/cis_eks/test_data.rego | 14 +++++++------- .../policy/aws_elb/ensure_certificates.rego | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/security-policies/bundle/compliance/cis_eks/test_data.rego b/security-policies/bundle/compliance/cis_eks/test_data.rego
index 4bfdff33e0..02e2753948 100644
--- a/security-policies/bundle/compliance/cis_eks/test_data.rego
+++ b/security-policies/bundle/compliance/cis_eks/test_data.rego
@@ -70,7 +70,7 @@ generate_ecr_input_with_one_repo(image_scan_on_push) = {
 }
 # regal ignore:rule-length
-generate_elb_input_with_two_load_balancers(first_instance_protocol, first_instance_ssl_cert, sec_instance_protocol, sec_instance_ssl_cert) = {
+generate_elb_input_with_two_load_balancers(first_protocol, first_ssl_cert, sec_protocol, sec_ssl_cert) = {
 "resource": {
 "AvailabilityZones": [
 "us-east-2b",
@@ -96,20 +96,20 @@ generate_elb_input_with_two_load_balancers(first_instance_protocol, first_instan
 {
 "Listener": {
 "InstancePort": 32177,
- "InstanceProtocol": first_instance_protocol,
+ "InstanceProtocol": "HTTP",
 "LoadBalancerPort": 443,
- "Protocol": "TCP",
- "SSLCertificateId": first_instance_ssl_cert,
+ "Protocol": first_protocol,
+ "SSLCertificateId": first_ssl_cert,
 },
 "PolicyNames": null,
 },
 {
 "Listener": {
 "InstancePort": 31829,
- "InstanceProtocol": sec_instance_protocol,
+ "InstanceProtocol": "HTTP",
 "LoadBalancerPort": 80,
- "Protocol": "TCP",
- "SSLCertificateId": sec_instance_ssl_cert,
+ "Protocol": sec_protocol,
+ "SSLCertificateId": sec_ssl_cert,
 },
 "PolicyNames": null,
 },
diff --git a/security-policies/bundle/compliance/policy/aws_elb/ensure_certificates.rego b/security-policies/bundle/compliance/policy/aws_elb/ensure_certificates.rego
index 1737d83036..ada24d61c1 100644
--- a/security-policies/bundle/compliance/policy/aws_elb/ensure_certificates.rego
+++ b/security-policies/bundle/compliance/policy/aws_elb/ensure_certificates.rego
@@ -21,7 +21,7 @@ any_null_certificate if {
 # Verify that all listeners use https protocoal
 all_https if {
 every description in data_adapter.listener_descriptions {
- description.Listener.InstanceProtocol == "HTTPS"
+ description.Listener.Protocol == "HTTPS"
 }
 }
From 0a86f5ded18dce9b3913b86fbeae8eec3ff3a54e Mon Sep 17 00:00:00 2001
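Review bot: `all_https` now keys on the client-facing `Listener.Protocol`, which is the right field for this control, but a listener with `Protocol == "SSL"` (TLS on a raw TCP listener, which as far as I know also carries an `SSLCertificateId`) still fails the check; if only HTTPS listeners are meant to satisfy 5.4.5 that is defensible, but it should be stated, and if not the comparison should accept `"SSL"` as well. The comment above the rule still reads `# Verify that all listeners use https protocoal`; since this line is being touched, `# Verify that every listener's front-end Protocol (not the backend InstanceProtocol) is HTTPS` would fix the typo and record the distinction this commit corrects. The fixture in test_data.rego now pins `InstanceProtocol` to `"HTTP"`, so the backend/front-end mix-up is no longer reproducible from the tests, which makes that comment the only place the lesson is kept.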
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 15:43:18 +0200 Subject: [PATCH 5/7] Bump the aws group with 8 updates (#1881) * Bump the aws group with 8 updates Bumps the aws group with 8 updates: | Package | From | To | | --- | --- | --- | | [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.49.21` | `1.50.5` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.26.3` | `1.26.6` | | [github.com/aws/aws-sdk-go-v2/service/cloudtrail](https://github.com/aws/aws-sdk-go-v2) | `1.35.7` | `1.36.0` | | [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.144.0` | `1.145.0` | | [github.com/aws/aws-sdk-go-v2/service/organizations](https://github.com/aws/aws-sdk-go-v2) | `1.23.6` | `1.23.7` | | [github.com/aws/aws-sdk-go-v2/service/rds](https://github.com/aws/aws-sdk-go-v2) | `1.66.2` | `1.68.0` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.48.0` | `1.48.1` | | [github.com/aws/aws-sdk-go-v2/service/securityhub](https://github.com/aws/aws-sdk-go-v2) | `1.44.2` | `1.44.3` | Updates `github.com/aws/aws-sdk-go` from 1.49.21 to 1.50.5 - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.49.21...v1.50.5) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.3 to 1.26.6 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.26.3...config/v1.26.6) Updates `github.com/aws/aws-sdk-go-v2/service/cloudtrail` from 1.35.7 to 1.36.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.36.0/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ssm/v1.35.7...service/s3/v1.36.0) Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.144.0 to 1.145.0 - [Release 
notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.144.0...service/ec2/v1.145.0) Updates `github.com/aws/aws-sdk-go-v2/service/organizations` from 1.23.6 to 1.23.7 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ram/v1.23.6...service/ram/v1.23.7) Updates `github.com/aws/aws-sdk-go-v2/service/rds` from 1.66.2 to 1.68.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/ec2/v1.68.0/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/rds/v1.66.2...service/ec2/v1.68.0) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.48.0 to 1.48.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.48.0...service/s3/v1.48.1) Updates `github.com/aws/aws-sdk-go-v2/service/securityhub` from 1.44.2 to 1.44.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ssm/v1.44.2...service/ssm/v1.44.3) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/cloudtrail dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/organizations dependency-type: direct:production update-type: 
version-update:semver-patch dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/rds dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws - dependency-name: github.com/aws/aws-sdk-go-v2/service/securityhub dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws ... Signed-off-by: dependabot[bot] * go mod tidy --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Oren Zohar <85433724+oren-zohar@users.noreply.github.com> Co-authored-by: oren zohar --- go.mod | 24 ++++++++++++------------ go.sum | 48 ++++++++++++++++++++++++------------------------ 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/go.mod b/go.mod index 74e6bb9db2..0838a606f3 100644 --- a/go.mod +++ b/go.mod 
@@ -20,28 +20,28 @@ require (
 github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf
 github.com/aquasecurity/trivy v0.48.3
 github.com/aquasecurity/trivy-db v0.0.0-20240101142613-9275a8f0adda
- github.com/aws/aws-sdk-go v1.49.21
+ github.com/aws/aws-sdk-go v1.50.5
 github.com/aws/aws-sdk-go-v2 v1.24.1
- github.com/aws/aws-sdk-go-v2/config v1.26.3
- github.com/aws/aws-sdk-go-v2/credentials v1.16.14
+ github.com/aws/aws-sdk-go-v2/config v1.26.6
+ github.com/aws/aws-sdk-go-v2/credentials v1.16.16
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11
 github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7
 github.com/aws/aws-sdk-go-v2/service/autoscaling v1.36.7
 github.com/aws/aws-sdk-go-v2/service/cloudformation v1.42.6
- github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.7
+ github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.36.0
 github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.32.2
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.31.0
 github.com/aws/aws-sdk-go-v2/service/configservice v1.44.0
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.144.0
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.145.0
 github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.21.7
 github.com/aws/aws-sdk-go-v2/service/iam v1.28.7
 github.com/aws/aws-sdk-go-v2/service/kms v1.27.9
- github.com/aws/aws-sdk-go-v2/service/organizations v1.23.6
- github.com/aws/aws-sdk-go-v2/service/rds v1.66.2
- github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
+ github.com/aws/aws-sdk-go-v2/service/organizations v1.23.7
+ github.com/aws/aws-sdk-go-v2/service/rds v1.68.0
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1
 github.com/aws/aws-sdk-go-v2/service/s3control v1.42.0
- github.com/aws/aws-sdk-go-v2/service/securityhub v1.44.2
+ github.com/aws/aws-sdk-go-v2/service/securityhub v1.44.3
 github.com/aws/aws-sdk-go-v2/service/sns v1.26.7
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
 github.com/aws/smithy-go v1.19.0
@@ -177,7 +177,7 @@ require (
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
 github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 // indirect
 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.21.3 // indirect
@@ -185,8 +185,8 @@ require (
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
diff --git a/go.sum b/go.sum
index 26073d3179..b0702c2f2e 100644
--- a/go.sum
+++ b/go.sum
@@ -825,17 +825,17 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go v1.49.21 h1:Rl8KW6HqkwzhATwvXhyr7vD4JFUMi7oXGAw9SrxxIFY= -github.com/aws/aws-sdk-go v1.49.21/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.50.5 h1:H2Aadcgwr7a2aqS6ZwcE+l1mA6ZrTseYCvjw2QLmxIA= +github.com/aws/aws-sdk-go v1.50.5/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 h1:OCs21ST2LrepDfD3lwlQiOqIGp6JiEUqG84GzTDoyJs= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4/go.mod h1:usURWEKSNNAcAZuzRn/9ZYPT8aZQkR7xcCtunK/LkJo= -github.com/aws/aws-sdk-go-v2/config v1.26.3 h1:dKuc2jdp10y13dEEvPqWxqLoc0vF3Z9FC45MvuQSxOA= -github.com/aws/aws-sdk-go-v2/config v1.26.3/go.mod h1:Bxgi+DeeswYofcYO0XyGClwlrq3DZEXli0kLf4hkGA0= -github.com/aws/aws-sdk-go-v2/credentials v1.16.14 h1:mMDTwwYO9A0/JbOCOG7EOZHtYM+o7OfGWfu0toa23VE= -github.com/aws/aws-sdk-go-v2/credentials v1.16.14/go.mod h1:cniAUh3ErQPHtCQGPT5ouvSAQ0od8caTO9OOuufZOAE= +github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o= +github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod 
h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11 h1:I6lAa3wBWfCz/cKkOpAcumsETRkFAl70sWi8ItcMEsM= @@ -846,8 +846,8 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/G github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 h1:5oE2WzJE56/mVveuDZPJESKlg/00AaS2pY2QZcnxg4M= github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10/go.mod h1:FHbKWQtRBYUz4vO5WBWjzMD2by126ny5y/1EoaWoLfI= github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7 h1:rLdKcienXrk+JFX1+DZg160ebG8lIF2nFvnEZL7dnII= 
@@ -856,8 +856,8 @@ github.com/aws/aws-sdk-go-v2/service/autoscaling v1.36.7 h1:Vy2KdIN8tGSKBhwvjbWQ github.com/aws/aws-sdk-go-v2/service/autoscaling v1.36.7/go.mod h1:D5vhsHh8cnUikp91klW0VIEGG/ygAWiUOmGZU+Q4iZ0= github.com/aws/aws-sdk-go-v2/service/cloudformation v1.42.6 h1:XdEBz/eAB4K5QyQ9fx3sgbthOW3WiNOSomnhFXk6R+g= github.com/aws/aws-sdk-go-v2/service/cloudformation v1.42.6/go.mod h1:3+AceTAg/X5AUM/SkAbgxzviOBmsGaf9POso/Ymz5vc= -github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.7 h1:zuglRG8KYn6qSMX2bjXQk5lKzAnN7ohTzPR+Xa3DBeE= -github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.7/go.mod h1:ZyywmYcQbdJcIh8YMwqkw18mkA6nuQ+Uj1ouT2rXTYQ= +github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.36.0 h1:tRzTDe5E/dgGwJRR1cltjV9NPG9J5L7HK01+p2B4gCM= +github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.36.0/go.mod h1:ZyywmYcQbdJcIh8YMwqkw18mkA6nuQ+Uj1ouT2rXTYQ= github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.32.2 h1:vQfCIHSDouEvbE4EuDrlCGKcrtABEqF3cMt61nGEV4g= github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.32.2/go.mod h1:3ToKMEhVj+Q+HzZ8Hqin6LdAKtsi3zVXVNUPpQMd+Xk= github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.31.0 h1:Rk+Ft0Mu/eiNt2iJ2oS8Gf1h5m6q5crwS8cmlTylnvM= 
@@ -866,8 +866,8 @@ github.com/aws/aws-sdk-go-v2/service/configservice v1.44.0 h1:xMScFSSjA+YjDU8xAy github.com/aws/aws-sdk-go-v2/service/configservice v1.44.0/go.mod h1:OxCAnijQ8xI3ZHSHDaF8r83HuK6G7mfWhLmReKCAwjs= github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 h1:CRzzXjmgx9p362yO39D6hbZULdMI23gaKqSxijJCXHM= github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7/go.mod h1:wnsHqpi3RgDwklS5SPHUgjcUUpontGPKJ+GJYOdV7pY= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.144.0 h1:1KE7EgE5xiPZ6H19hdF27B/p/CGhB2UNO5wcpOHe0JM= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.144.0/go.mod h1:hIsHE0PaWAQakLCshKS7VKWMGXaqrAFp4m95s2W9E6c= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.145.0 h1:SkSW6wtJmXqJJlBxSc+0mykDdv5nhl9xifMB7JuzNVo= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.145.0/go.mod h1:hIsHE0PaWAQakLCshKS7VKWMGXaqrAFp4m95s2W9E6c= github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 h1:3iaT/LnGV6jNtbBkvHZDlzz7Ky3wMHDJAyFtGd5GUJI= github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7/go.mod h1:mtzCLxk6M+KZbkJdq3cUH9GCrudw8qCy5C3EHO+5vLc= github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.21.7 h1:+NF5RN/TOIgfISBUuYZYHL83z/95K9co3hQPouijgqA= 
@@ -886,22 +886,22 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 h1:KOxnQeWy5sXyS github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10/go.mod h1:jMx5INQFYFYB3lQD9W0D8Ohgq6Wnl7NYOJ2TQndbulI= github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 h1:W9PbZAZAEcelhhjb7KuwUtf+Lbc+i7ByYJRuWLlnxyQ= github.com/aws/aws-sdk-go-v2/service/kms v1.27.9/go.mod h1:2tFmR7fQnOdQlM2ZCEPpFnBIQD1U8wmXmduBgZbOag0= -github.com/aws/aws-sdk-go-v2/service/organizations v1.23.6 h1:ro8wxDwMuinSpinHkxw18VT9BGgtzK4AEmxbJR173t4= -github.com/aws/aws-sdk-go-v2/service/organizations v1.23.6/go.mod h1:zzSVlzK+VeF1LDOyehPish9VlrWlJkMxEn4d+UV7FRQ= -github.com/aws/aws-sdk-go-v2/service/rds v1.66.2 h1:2DwZGc7FM7swBDbkPlOhRJ5WolNYkIu+/ToEFK+rLmA= -github.com/aws/aws-sdk-go-v2/service/rds v1.66.2/go.mod h1:N/ijzTwR4cOG2P8Kvos/QOCetpDTtconhvDOheqnrTw= -github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0 h1:PJTdBMsyvra6FtED7JZtDpQrIAflYDHFoZAu/sKYkwU= -github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0/go.mod h1:4qXHrG1Ne3VGIMZPCB8OjH/pLFO94sKABIusjh0KWPU= +github.com/aws/aws-sdk-go-v2/service/organizations v1.23.7 h1:T0Z9cyigEnMH2Kh2Ops1sFgR47t7l+XQwIX/xl5LyBk= +github.com/aws/aws-sdk-go-v2/service/organizations v1.23.7/go.mod h1:zzSVlzK+VeF1LDOyehPish9VlrWlJkMxEn4d+UV7FRQ= +github.com/aws/aws-sdk-go-v2/service/rds v1.68.0 h1:qvpl0PIyXHVxz53Aw7kdeObSUQ2gpSuqIburDyh0N8w= +github.com/aws/aws-sdk-go-v2/service/rds v1.68.0/go.mod h1:N/ijzTwR4cOG2P8Kvos/QOCetpDTtconhvDOheqnrTw= +github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1 h1:5XNlsBsEvBZBMO6p82y+sqpWg8j5aBCe+5C2GBFgqBQ= +github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1/go.mod h1:4qXHrG1Ne3VGIMZPCB8OjH/pLFO94sKABIusjh0KWPU= github.com/aws/aws-sdk-go-v2/service/s3control v1.42.0 h1:XfB7Qow6MXyO+yqTGgo9Ycjc7/wySk+HIE6kZ5f8p+0= github.com/aws/aws-sdk-go-v2/service/s3control v1.42.0/go.mod h1:fxV+LYjoXZKrMMYSp+UMmgJK/oNxnogfYh12ZcrdbxU= -github.com/aws/aws-sdk-go-v2/service/securityhub v1.44.2 h1:uzdslJwui029KDFFmB6a9pzhCDuRVqqdjUlbqKVmNrk= 
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.44.2/go.mod h1:/bd0JTnfysvNRGN27JGDeCco/KMMXOuZaI4wtQ7li38= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.44.3 h1:2DR6SF+Ev/DqVZZuh4fj7JZbHKpVnpgXJw3G4RItoVM= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.44.3/go.mod h1:/bd0JTnfysvNRGN27JGDeCco/KMMXOuZaI4wtQ7li38= github.com/aws/aws-sdk-go-v2/service/sns v1.26.7 h1:DylmW2c1Z7qGxN3Y02k+voPbtM1mh7Rp+gV+7maG5io= github.com/aws/aws-sdk-go-v2/service/sns v1.26.7/go.mod h1:mLFiISZfiZAqZEfPWUsZBK8gD4dYCKuKAfapV+KrIVQ= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 h1:dGrs+Q/WzhsiUKh82SfTVN66QzyulXuMDTV/G8ZxOac= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.6/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 h1:Yf2MIo9x+0tyv76GljxzqA3WtC5mw7NmazD2chwjxE4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= From a53d91fddacd69a798e31cb9f24096b3bf4ca2d5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 13:53:12 +0000 Subject: [PATCH 6/7] Bump the azure group with 1 update (#1917) Bumps the azure group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go). Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.9.1 to 1.9.2 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.9.1...sdk/azcore/v1.9.2) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore dependency-type: direct:production update-type: version-update:semver-patch dependency-group: azure ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Oren Zohar <85433724+oren-zohar@users.noreply.github.com> --- go.mod | 6 ++---- go.sum | 15 +++++++-------- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 0838a606f3..8a05516ef1 100644 --- a/go.mod +++ b/go.mod @@ -129,8 +129,8 @@ require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 - github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 // indirect 
@@ -382,7 +382,6 @@ require (
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
 github.com/olekukonko/tablewriter v0.0.5 // indirect
- github.com/onsi/ginkgo/v2 v2.11.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 github.com/opencontainers/runtime-spec v1.1.0 // indirect
@@ -420,7 +419,6 @@ require (
 github.com/sigstore/rekor v1.2.2 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/skeema/knownhosts v1.2.1 // indirect
- github.com/smartystreets/assertions v1.0.0 // indirect
 github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // indirect
 github.com/spf13/afero v1.11.0 // indirect
 github.com/spf13/cast v1.6.0 // indirect
diff --git a/go.sum b/go.sum
index b0702c2f2e..98902c2ef4 100644
--- a/go.sum
+++ b/go.sum
@@ -556,12 +556,12 @@ github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9mo
 github.com/Azure/azure-sdk-for-go v56.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 h1:lGlwhPtrX6EVml1hO0ivjkUxsSyl4dsiw9qcA1k/3IQ=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1/go.mod h1:RKUqNu35KJYcVG/fqTRqmuXJZYNhYkBrnC/hX7yGbTA=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 h1:c4k2FIYIh4xtwqrQwV0Ct1v5+ehlNXj5NI/MWVsiTkQ=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2/go.mod h1:5FDJtLEO/GxwNgUxbwrY3LP0pEoThTQJtk2oysdXHxM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 h1:6oNBlSdi1QqM1PNW7FPA6xOGA5UNsXnkaYZz9vdPGhA=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appservice/armappservice/v2 v2.3.0 h1:JI8PcWOImyvIUEZ0Bbmfe05FOlWkMi2KhjG+cAKaUms=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appservice/armappservice/v2 v2.3.0/go.mod h1:nJLFPGJkyKfDDyJiPuHIXsCi/gpJkm07EvRgiX7SGlI=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
@@ -2333,8 +2333,8 @@ github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8Ay
 github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo=
 github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw=
 github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo=
-github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
-github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
+github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE=
+github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM=
 github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -2622,9 +2622,8 @@ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag=
 github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
 github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/assertions v1.0.0 h1:UVQPSSmc3qtTi+zPPkCXvZX9VvW/xT/NsRvKfwY81a8=
-github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
From 00a855ec407ee2370da6baf09539dcecb41aa673 Mon Sep 17 00:00:00 2001
From: Oren Zohar <85433724+oren-zohar@users.noreply.github.com> Date: Wed, 14 Feb 2024 16:43:16 +0200 Subject: [PATCH 7/7] Remove GitHub's dependency-review (#1928)
---
 .github/workflows/unit-test.yml | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index 6aa795fa3f..212d32e4f3 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -119,18 +119,6 @@ jobs:
 - name: Go linter
 run: golangci-lint run --whole-files --out-format github-actions
- dependency-review:
- runs-on: ubuntu-20.04
- if: ${{ github.event_name == 'pull_request' }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@v4
- - name: Dependency Review
- uses: actions/dependency-review-action@v4
- with:
- allow-ghsas: GHSA-hj4r-2c9c-29h3 #CVE-2023-49922
-
 terraform-linter:
 name: terraform-lint
 runs-on: ubuntu-20.04
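Review bot: Deleting the `dependency-review` job removes the only pull_request-time gate visible in this workflow that blocks newly introduced dependencies with known advisories, and neither the commit message nor the remaining workflow records why it was dropped or what control now covers that check. The deleted job also carried a scoped exception, `allow-ghsas: GHSA-hj4r-2c9c-29h3 #CVE-2023-49922`, so the reason for the removal (the exception no longer needed, the action replaced by another scanner, or the job considered too noisy) should be stated in the commit description so the decision is auditable later. If an equivalent check exists in another workflow, a one-line comment next to the `Go linter` step such as `# dependency advisory review is handled by <workflow name>` would point maintainers to it; I can only infer from this hunk that no such pointer remains. The enclosing `jobs:` mapping and the job that contains the `Go linter` step start before this hunk.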