Skip to content

Commit

Permalink
Merge pull request #6862 from Checkmarx/joaom/kics-1293
Browse files Browse the repository at this point in the history 
fix(query): improve query Key Vault Not Recoverable
  • Loading branch information
@asofsilva
asofsilva authored Feb 6, 2024
2 parents 730aa82 + 94f9674 commit 0d07994
Show file tree
Hide file tree
Showing 5 changed files with 191 additions and 5 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/go-ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,23 +83,23 @@ jobs:
- name: Test and Generate Report
if: matrix.os != 'windows-latest' && steps.changes.outputs.src == 'true'
run: |
go test -mod=vendor -v -timeout 1500s $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
go test -mod=vendor -v -timeout 2100s $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
result_code=${PIPESTATUS[0]}
exit $result_code
- name: Test and Generate Report Dev
if: matrix.os != 'windows-latest' && steps.changes.outputs.src == 'false'
run: |
go test -tags dev -mod=vendor -v -timeout 1500s $(go list -tags dev ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
go test -tags dev -mod=vendor -v -timeout 2100s $(go list -tags dev ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
result_code=${PIPESTATUS[0]}
exit $result_code
- name: Test and Generate Report Windows
if: matrix.os == 'windows-latest' && steps.changes.outputs.src == 'true'
run: |
go test -mod=vendor -v -timeout 1500s $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
go test -mod=vendor -v -timeout 2100s $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
- name: Test and Generate Report Windows Dev
if: matrix.os == 'windows-latest' && steps.changes.outputs.src == 'false'
run: |
go test -mod=vendor -tags dev -v -timeout 1500s $(go list -tags dev ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
go test -mod=vendor -tags dev -v -timeout 2100s $(go list -tags dev ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
- name: Archive test logs
if: always()
uses: actions/upload-artifact@v3
Expand Down
3 changes: 2 additions & 1 deletion assets/queries/azureResourceManager/key_vault_not_recoverable/query.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ CxPolicy[result] {
"keyExpectedValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' should have '%s' property defined", [fields[x]]),
"keyActualValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' doesn't have '%s' property defined", [fields[x]]),
"searchLine": common_lib.build_search_line(path, ["properties"]),

"searchValue": sprintf("%s",[fields[x]]),
}
}

Expand All @@ -45,5 +45,6 @@ CxPolicy[result] {
"keyExpectedValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' %s should have '%s' property set to true", [type, fields[x]]),
"keyActualValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' doesn't have '%s' property set to true", [fields[x]]),
"searchLine": common_lib.build_search_line(path, ["properties", fields[x]]),
"searchValue": sprintf("%s",[fields[x]]),
}
}
172 changes: 172 additions & 0 deletions assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive5.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaults_pgs_bot_prod_name')]",
"location": "westeurope",
"tags": {
"ProjectCodeBU": "UKMUMD",
"ApplicationName": "PGS HR Chatbot",
"ProjectCodePGDS": "PRJ0024896",
"CostCentreBU": "UKMUMD",
"DataClassification": "General",
"BusinessUnit": "PGS",
"Owner": "Pru UK Andover Innovation Team",
"Contact": "[email protected]",
"CostCentrePGDS": "ITBUEXP",
"Criticality": "Low"
},
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"accessPolicies": [
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "f3e7baf5-8d66-4fb2-b7aa-7b7484309df6",
"permissions": {
"keys": [
"Get",
"Create",
"Delete",
"List",
"Update",
"Import",
"Backup",
"Restore",
"Recover"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Backup",
"Restore",
"Recover"
],
"certificates": [
"Get",
"Delete",
"List",
"Create",
"Import",
"Update",
"DeleteIssuers",
"GetIssuers",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"SetIssuers"
],
"storage": [
"delete",
"deletesas",
"get",
"getsas",
"list",
"listsas",
"regeneratekey",
"set",
"setsas",
"update"
]
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "1033a977-ffdc-4359-869a-b673d075f128",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": [],
"storage": []
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "13be5d2d-6e1f-4667-add4-02d2d1142ac5",
"permissions": {
"keys": [],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Backup",
"Restore",
"Recover",
"Purge"
],
"certificates": [],
"storage": []
}
},
{
"tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66",
"objectId": "e56a2de8-a788-415f-b10f-14bfd3000e1d",
"permissions": {
"keys": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"Decrypt",
"Encrypt",
"UnwrapKey",
"WrapKey",
"Verify",
"Sign",
"Purge"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Recover",
"Backup",
"Restore",
"Purge"
],
"certificates": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"ManageContacts",
"ManageIssuers",
"GetIssuers",
"ListIssuers",
"SetIssuers",
"DeleteIssuers",
"Purge"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false
}
}
]
}
12 changes: 12 additions & 0 deletions ...queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,5 +22,17 @@
"severity": "HIGH",
"line": 41,
"fileName": "positive4.json"
},
{
"queryName": "Key Vault Not Recoverable",
"severity": "HIGH",
"line": 23,
"fileName": "positive5.json"
},
{
"queryName": "Key Vault Not Recoverable",
"severity": "HIGH",
"line": 23,
"fileName": "positive5.json"
}
]
1 change: 1 addition & 0 deletions test/queries_content_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ var (
"../assets/queries/openAPI/general/response_code_missing",
"../assets/queries/cicd/github/run_block_injection",
"../assets/queries/cicd/github/script_block_injection",
"../assets/queries/azureResourceManager/key_vault_not_recoverable",
}

// TODO uncomment this test once all metadata are fixed
Expand Down

0 comments on commit 0d07994

Please sign in to comment.