Merge branch 'master' into dependabot/github_actions/peter-evans/crea…

…te-pull-request-6
Checkmarx · May 9, 2024 · 8bd4aae · 8bd4aae
2 parents f351205 + 56ccd87
commit 8bd4aae
Show file tree

Hide file tree

Showing 32 changed files with 354 additions and 210 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM cgr.dev/chainguard/go@sha256:a06a462f22445088e8bbb4478dedf83228af0db9003cd4f4cde5981694bc3d3d as build_env
+FROM --platform=linux/amd64 cgr.dev/chainguard/go@sha256:4d51574ef33b4edc57a22da062fe335a500eda30a1f1315cb39b4977bf2aef5f as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -31,12 +31,10 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM cgr.dev/chainguard/git@sha256:f20defbb71126cae9e76cb95d24399df877b4fe62476525c0e67b05c0206b51d
+FROM --platform=linux/amd64 cgr.dev/chainguard/git@sha256:de87d065b0efb4332080a55ccf45015891fce6aa9ee6101730779850d4634a56
 
 ENV TERM xterm-256color
 
-USER root
-
 # Copy built binary to the runtime container
 # Vulnerability fixed in latest version of KICS remove when gh actions version is updated
 # kics-scan ignore-line

diff --git a/...ResourceManager/default_azure_storage_account_network_access_is_too_permissive/query.rego b/...ResourceManager/default_azure_storage_account_network_access_is_too_permissive/query.rego
@@ -49,7 +49,7 @@ prepare_issue(val1, val2) = issue {
     issue := {
     	"kav": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')",
         "sk": ".properties.publicNetworkAccess",
-        "sl": ["properties", "publicNetworkAccess"],
+        "sl": ["properties"],
         "issueType": "MissingAttribute"
     }
 } else = issue {

diff --git a/...anager/default_azure_storage_account_network_access_is_too_permissive/test/negative1.json b/...anager/default_azure_storage_account_network_access_is_too_permissive/test/negative1.json
@@ -1,23 +1,21 @@
 {
-    "document": [
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
         {
-            "resources": [
-                {
-                    "apiVersion": "[variables('storageApiVersion')]",
-                    "dependsOn": [],
-                    "kind": "Storage",
-                    "location": "[variables('computeLocation')]",
-                    "name": "negative1",
-                    "properties": {
-                        "publicNetworkAccess": "Disabled"
-                    },
-                    "sku": {
-                        "name": "[parameters('supportLogStorageAccountType')]"
-                    },
-                    "tags": {},
-                    "type": "Microsoft.Storage/storageAccounts"
-                }
-            ]
+            "apiVersion": "[variables('storageApiVersion')]",
+            "dependsOn": [],
+            "kind": "Storage",
+            "location": "[variables('computeLocation')]",
+            "name": "negative1",
+            "properties": {
+                "publicNetworkAccess": "Disabled"
+            },
+            "sku": {
+                "name": "[parameters('supportLogStorageAccountType')]"
+            },
+            "tags": {},
+            "type": "Microsoft.Storage/storageAccounts"
         }
     ]
 }
diff --git a/...anager/default_azure_storage_account_network_access_is_too_permissive/test/negative2.json b/...anager/default_azure_storage_account_network_access_is_too_permissive/test/negative2.json
@@ -1,25 +1,23 @@
 {
-    "document": [
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
         {
-            "resources": [
-                {
-                    "apiVersion": "[variables('storageApiVersion')]",
-                    "dependsOn": [],
-                    "kind": "Storage",
-                    "location": "[variables('computeLocation')]",
-                    "name": "negative2",
-                    "properties": {
-                        "networkAcls": {
-                            "defaultAction": "Deny"
-                        }
-                    },
-                    "sku": {
-                        "name": "[parameters('supportLogStorageAccountType')]"
-                    },
-                    "tags": {},
-                    "type": "Microsoft.Storage/storageAccounts"
+            "apiVersion": "[variables('storageApiVersion')]",
+            "dependsOn": [],
+            "kind": "Storage",
+            "location": "[variables('computeLocation')]",
+            "name": "negative2",
+            "properties": {
+                "networkAcls": {
+                    "defaultAction": "Deny"
                 }
-            ]
+            },
+            "sku": {
+                "name": "[parameters('supportLogStorageAccountType')]"
+            },
+            "tags": {},
+            "type": "Microsoft.Storage/storageAccounts"
         }
     ]
 }
diff --git a/...anager/default_azure_storage_account_network_access_is_too_permissive/test/positive2.json b/...anager/default_azure_storage_account_network_access_is_too_permissive/test/positive2.json
@@ -1,21 +1,19 @@
 {
-    "document": [
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
         {
-            "resources": [
-                {
-                    "apiVersion": "[variables('storageApiVersion')]",
-                    "dependsOn": [],
-                    "kind": "Storage",
-                    "location": "[variables('computeLocation')]",
-                    "name": "positive2",
-                    "properties": {},
-                    "sku": {
-                        "name": "[parameters('supportLogStorageAccountType')]"
-                    },
-                    "tags": {},
-                    "type": "Microsoft.Storage/storageAccounts"
-                }
-            ]
+            "apiVersion": "[variables('storageApiVersion')]",
+            "dependsOn": [],
+            "kind": "Storage",
+            "location": "[variables('computeLocation')]",
+            "name": "positive2",
+            "properties": {},
+            "sku": {
+                "name": "[parameters('supportLogStorageAccountType')]"
+            },
+            "tags": {},
+            "type": "Microsoft.Storage/storageAccounts"
         }
     ]
 }
diff --git a/...anager/default_azure_storage_account_network_access_is_too_permissive/test/positive3.json b/...anager/default_azure_storage_account_network_access_is_too_permissive/test/positive3.json
@@ -1,23 +1,21 @@
 {
-    "document": [
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "resources": [
         {
-            "resources": [
-                {
-                    "apiVersion": "[variables('storageApiVersion')]",
-                    "dependsOn": [],
-                    "kind": "Storage",
-                    "location": "[variables('computeLocation')]",
-                    "name": "positive3",
-                    "properties": {
-                        "publicNetworkAccess": "Enabled"
-                    },
-                    "sku": {
-                        "name": "[parameters('supportLogStorageAccountType')]"
-                    },
-                    "tags": {},
-                    "type": "Microsoft.Storage/storageAccounts"
-                }
-            ]
+            "apiVersion": "[variables('storageApiVersion')]",
+            "dependsOn": [],
+            "kind": "Storage",
+            "location": "[variables('computeLocation')]",
+            "name": "positive3",
+            "properties": {
+                "publicNetworkAccess": "Enabled"
+            },
+            "sku": {
+                "name": "[parameters('supportLogStorageAccountType')]"
+            },
+            "tags": {},
+            "type": "Microsoft.Storage/storageAccounts"
         }
     ]
 }
diff --git a/...queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego b/...queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego
@@ -73,3 +73,32 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(childPath, ["properties", "publicAccess"]),
 	}
 }
+
+
+
+CxPolicy[result] {
+	doc := input.document[i]
+
+	[path, value] = walk(doc)
+	value.type == "Microsoft.Storage/storageAccounts"
+
+	[childPath, childValue] := walk(value.resources)
+	childValue.type == "blobServices"
+
+	[subchildPath, subchildValue] := walk(childValue.resources)
+	subchildValue.type == "containers"
+
+	[val, val_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, subchildValue.properties.publicAccess)
+	val == publicOptions[o]
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": value.type,
+		"resourceName": value.name,
+        "searchKey": sprintf("%s.name=%s.resources.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name, subchildValue.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("resource with type 'containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'", [val_type]),
+		"keyActualValue": sprintf("resource with type 'containers' has 'publicAccess' property set to '%s'", [publicOptions[o]]),
+		"searchLine": common_lib.build_search_line(path, ["resources", childPath[0], "resources", subchildPath[0], "properties", "publicAccess"]),
+	}
+}
diff --git a/...zureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json b/...zureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json
@@ -0,0 +1,105 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "existingVNETName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the virtual network to use for cloud shell containers."
+      }
+    },
+    "existingStorageSubnetName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the subnet to use for storage account."
+      }
+    },
+    "existingContainerSubnetName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the subnet to use for cloud shell containers."
+      }
+    },
+    "storageAccountName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the storage account in subnet."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "variables": {
+    "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
+    "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2019-06-01",
+      "name": "[parameters('storageAccountName')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "Standard_LRS",
+        "tier": "Standard"
+      },
+      "kind": "StorageV2",
+      "properties": {
+        "networkAcls": {
+          "defaultAction": "Deny"
+        },
+        "supportsHttpsTrafficOnly": true,
+        "encryption": {
+          "services": {
+            "file": {
+              "keyType": "Account",
+              "enabled": true
+            },
+            "blob": {
+              "keyType": "Account",
+              "enabled": true
+            }
+          },
+          "keySource": "Microsoft.Storage"
+        },
+        "accessTier": "Cool"
+      },
+      "resources": [
+        {
+          "type": "blobServices",
+          "apiVersion": "2019-06-01",
+          "name": "[concat(parameters('storageAccountName'), '/default')]",
+          "dependsOn": [
+            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+          ],
+          "sku": {
+            "name": "Standard_LRS",
+            "tier": "Standard"
+          },
+          "properties": {
+            "deleteRetentionPolicy": {
+              "enabled": false
+            }
+          },
+          "resources": [
+            {
+              "type": "containers",
+              "apiVersion": "2019-06-01",
+              "name": "container",
+              "properties": {
+                "denyEncryptionScopeOverride": true,
+                "publicAccess": "Blob",
+                "metadata": {}
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/...ager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/...ager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
@@ -34,5 +34,11 @@
     "severity": "HIGH",
     "line": 52,
     "fileName": "positive6.json"
+  },
+  {
+    "queryName": "Storage Blob Service Container With Public Access",
+    "severity": "HIGH",
+    "line": 96,
+    "fileName": "positive7.json"
   }
 ]