Merge pull request Checkmarx#7034 from Checkmarx/joaom/AST-40712

fix(query): fix query Bind Address Not Properly Set
liorj-orca · May 2, 2024 · 3a114ed · 3a114ed
2 parents a871623 + 7a80ae4
commit 3a114ed
Show file tree

Hide file tree

Showing 10 changed files with 17 additions and 16 deletions.
diff --git a/assets/queries/k8s/bind_address_not_properly_set/metadata.json b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
@@ -3,10 +3,11 @@
   "queryName": "Bind Address Not Properly Set",
   "severity": "INFO",
   "category": "Networking and Firewall",
-  "descriptionText": "When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1",
-  "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
+  "descriptionText": "When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should be set to 127.0.0.1",
+  "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
   "platform": "Kubernetes",
   "descriptionID": "b52844f2",
   "cwe": "",
-  "oldSeverity": "HIGH"
-}
+  "oldSeverity": "HIGH",
+  "cloudProvider": "common"
+}
diff --git a/assets/queries/k8s/bind_address_not_properly_set/query.rego b/assets/queries/k8s/bind_address_not_properly_set/query.rego
@@ -12,8 +12,8 @@ CxPolicy[result] {
 	types := {"initContainers", "containers"}
 	container := specInfo.spec[types[x]][j]
 	command := commandList[_]
-	common_lib.inArray(container.command, command)	
-	k8sLib.hasFlag(container, "--bind-address=127.0.0.1")
+	common_lib.inArray(container.command, command)
+	not k8sLib.hasFlag(container, "--bind-address=127.0.0.1")
 
 	result := {
 		"documentId": input.document[i].id,

diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/negative1.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/negative1.yaml
@@ -8,6 +8,6 @@ spec:
   containers:
     - name: command-demo-container
       image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
-      command: ["kube-controller-manager","--bind-address=0.0.0.0"]
-      args: []
+      command: ["kube-controller-manager"]
+      args: ["--bind-address=127.0.0.1"]
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/negative2.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/negative2.yaml
@@ -8,6 +8,6 @@ spec:
   containers:
     - name: command-demo-container
       image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
-      command: ["kube-controller-manager"]
+      command: ["kube-controller-manager","--bind-address=127.0.0.1"]
       args: []
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/negative3.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/negative3.yaml
@@ -18,5 +18,5 @@ spec:
     - name: command-demo-container
       image: k8s.gcr.io/kube-scheduler:v1.19.0
       command: ["kube-scheduler"]
-      args: []
+      args: ["--bind-address=127.0.0.1"]
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/negative4.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/negative4.yaml
@@ -17,6 +17,6 @@ spec:
   containers:
     - name: command-demo-container
       image: k8s.gcr.io/kube-scheduler:v1.19.0
-      command: ["kube-scheduler","--bind-address=0.0.0.0"]
+      command: ["kube-scheduler","--bind-address=127.0.0.1"]
       args: []
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive1.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/positive1.yaml
@@ -8,6 +8,6 @@ spec:
   containers:
     - name: command-demo-container
       image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
-      command: ["kube-controller-manager"]
-      args: ["--bind-address=127.0.0.1"]
+      command: ["kube-controller-manager","--bind-address=0.0.0.0"]
+      args: []
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive2.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/positive2.yaml
@@ -8,6 +8,6 @@ spec:
   containers:
     - name: command-demo-container
       image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
-      command: ["kube-controller-manager","--bind-address=127.0.0.1"]
+      command: ["kube-controller-manager"]
       args: []
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive3.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/positive3.yaml
@@ -18,5 +18,5 @@ spec:
     - name: command-demo-container
       image: k8s.gcr.io/kube-scheduler:v1.19.0
       command: ["kube-scheduler"]
-      args: ["--bind-address=127.0.0.1"]
+      args: []
   restartPolicy: OnFailure
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive4.yaml b/assets/queries/k8s/bind_address_not_properly_set/test/positive4.yaml
@@ -17,6 +17,6 @@ spec:
   containers:
     - name: command-demo-container
       image: k8s.gcr.io/kube-scheduler:v1.19.0
-      command: ["kube-scheduler","--bind-address=127.0.0.1"]
+      command: ["kube-scheduler","--bind-address=0.0.0.0"]
       args: []
   restartPolicy: OnFailure