fix(queries): Fixed aws unique identifiers from common queries (#5236)

* separated ids Signed-off-by: joaorufi <[email protected]> * added positive41 sample Signed-off-by: joaorufi <[email protected]>
Checkmarx · Apr 27, 2022 · 0f82031 · 0f82031
1 parent adc7ca4
commit 0f82031
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 11 deletions.
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -3,22 +3,22 @@
     {
       "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
       "name": "Generic Password",
-      "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-.]{4,})['\"]?",
+      "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?",
       "allowRules": [
         {
           "description": "Avoiding TF resource access",
           "regex": "(?i)['\"]?password['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
         },
         {
           "description": "Avoiding CF AllowUsersToChangePassword",
-          "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-.]{4,})['\"]?"
+          "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
         }
       ]
     },
     {
       "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
       "name": "Generic Secret",
-      "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?",
+      "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]{10,})['\"]?",
       "entropies": [
         {
           "group": 3,
@@ -37,7 +37,7 @@
         },
         {
           "description": "Avoiding Secrets Manager arn",
-          "regex": ":secretsmanager:[a-z0-9-]+:[0-9]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?"
+          "regex": ":secretsmanager:[a-z0-9-]+:[0-9]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]{10,})['\"]?"
         }
       ]
     },
@@ -69,7 +69,17 @@
     {
       "id": "76c0bcde-903d-456e-ac13-e58c34987852",
       "name": "AWS Access Key",
-      "regex": "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
+      "regex": "(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}"
+    },
+    {
+      "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+      "name": "AWS Context-specific credential",
+      "regex": "(A3T[A-Z0-9]|ACCA)[A-Z0-9]{16}"
+    },
+    {
+      "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+      "name": "AWS Certificate",
+      "regex": "(A3T[A-Z0-9]|ASCA)[A-Z0-9]{16}"
     },
     {
       "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
@@ -198,12 +208,12 @@
     {
       "id": "2f665079-c383-4b33-896e-88268c1fa258",
       "name": "Generic Private Key",
-      "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?"
+      "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
     },
     {
       "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
       "name": "Generic Token",
-      "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+      "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
       "allowRules": [
         {
           "description": "Avoiding Amazon MWS Auth Token",
@@ -235,19 +245,19 @@
         },
         {
           "description": "Avoiding TF creation token",
-          "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?"
+          "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
         }
       ]
     },
     {
       "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
       "name": "CloudFormation Secret Template",
-      "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9\/~^_!@&%()=?*+-]{10,})}"
+      "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}"
     },
     {
       "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
       "name": "Encryption Key",
-      "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+      "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
       "allowRules": [
         {
           "description": "Avoiding TF resource access",
@@ -283,7 +293,7 @@
     },
     {
       "description": "Avoiding array access",
-      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
     },
     {
       "description": "Avoiding TF file function",

diff --git a/assets/queries/common/passwords_and_secrets/test/positive41.tf b/assets/queries/common/passwords_and_secrets/test/positive41.tf
@@ -0,0 +1,28 @@
+resource "aws_instance" "web_host" {
+  # ec2 have plain text secrets in user data
+  ami           = var.ami
+  instance_type = "t2.nano"
+
+  vpc_security_group_ids = [
+  "${aws_security_group.web-node.id}"]
+  subnet_id = aws_subnet.web_subnet.id
+  user_data = <<EOF
+#! /bin/bash
+sudo apt-get update
+sudo apt-get install -y apache2
+sudo systemctl start apache2
+sudo systemctl enable apache2
+export AWS_CONTEXT_CREDENTIAL=ACCAIOSFODNN7EXAMAAA
+export AWS_CERTIFICATE=ASCAIOSFODNN7EXAMAAA
+export AWS_DEFAULT_REGION=us-west-2
+echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
+EOF
+  tags = merge({
+    Name = "${local.resource_prefix.value}-ec2"
+    }, {
+    git_last_modified_by = "[email protected]"
+    git_modifiers        = "felipe.avelar"
+    git_org              = "checkmarx"
+    git_repo             = "kics"
+  })
+}
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -334,5 +334,17 @@
     "severity": "HIGH",
     "line": 3,
     "fileName": "positive40.tf"
+  },
+  {
+    "queryName": "Passwords And Secrets - AWS Context-specific credential",
+    "severity": "HIGH",
+    "line": 15,
+    "fileName": "positive41.tf"
+  },
+  {
+    "queryName": "Passwords And Secrets - AWS Certificate",
+    "severity": "HIGH",
+    "line": 16,
+    "fileName": "positive41.tf"
   }
 ]