Merge branch 'master' into feature/terraform-variables

Checkmarx · Apr 5, 2021 · ae0ca51 · ae0ca51
2 parents c62c95a + 2bf7a18
commit ae0ca51
Show file tree

Hide file tree

Showing 196 changed files with 3,321 additions and 2,921 deletions.
diff --git a/.github/new_changes_nightly.sh b/.github/new_changes_nightly.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+CHANGES=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD)
+if [[ -n ${CHANGES} ]]; then
+  echo 'yes'
+else
+  echo 'no'
+fi
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -18,7 +18,7 @@ jobs:
       with:
         go-version: 1.16.x
     - name: golangci-lint
-      uses: golangci/[email protected].1
+      uses: golangci/[email protected].2
       with:
         version: v1.37
         args: -c .golangci.yml

diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
@@ -6,43 +6,49 @@ on:
   workflow_dispatch:
 
 jobs:
-  goreleaser:
+  pre_release_job:
     runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.lasttag.outputs.newchanges }}
     steps:
       - name: Checkout
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
       - name: Check if there are new commits since last nightly
-        id: sincelasttag
-        run: echo "::set-output name=commits=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD)"
+        id: lasttag
+        run: echo "::set-output name=newchanges::$(bash ./.github/new_changes_nightly.sh)"
+  goreleaser:
+    needs: pre_release_job
+    if: ${{ needs.pre_release_job.outputs.changes == 'yes' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
       - name: Set up Go
-        if: steps.sincelasttag.outputs.commits != ""
         uses: actions/setup-go@v2
         with:
           go-version: 1.16
       - name: Set short hash
-        if: steps.sincelasttag.outputs.commits != ""
         id: shorthash
         run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-8)"
       - name: Run GoReleaser
-        if: steps.sincelasttag.outputs.commits != ""
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
           args: release --rm-dist --config="./.goreleaser-nightly.yml"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: delete release
-        if: steps.sincelasttag.outputs.commits != ""
         uses: dev-drprasad/[email protected]
         with:
           delete_release: true # default: false
           tag_name: nightly # tag name to delete
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Create Release
-        if: steps.sincelasttag.outputs.commits != ""
         id: create_release
         uses: actions/create-release@v1
         env:
@@ -53,11 +59,9 @@ jobs:
           draft: false
           prerelease: true
       - name: Display assets
-        if: steps.sincelasttag.outputs.commits != ""
         run: |
           ls -l /home/runner/work/kics/kics/dist
       - name: Upload Release Asset Linux
-        if: steps.sincelasttag.outputs.commits != ""
         id: upload-release-asset-linux
         uses: actions/upload-release-asset@v1
         env:
@@ -68,7 +72,6 @@ jobs:
           asset_name: kics_nightly-release_linux_amd64.tar.gz
           asset_content_type: application/gzip
       - name: Upload Release Asset Darwin
-        if: steps.sincelasttag.outputs.commits != ""
         id: upload-release-asset-darwin
         uses: actions/upload-release-asset@v1
         env:
@@ -79,7 +82,6 @@ jobs:
           asset_name: kics_nightly-release_darwin_amd64.tar.gz
           asset_content_type: application/gzip
       - name: Upload Release Asset Windows
-        if: steps.sincelasttag.outputs.commits != ""
         id: upload-release-asset-windows
         uses: actions/upload-release-asset@v1
         env:
@@ -90,7 +92,6 @@ jobs:
           asset_name: kics_nightly-release_windows_amd64.zip
           asset_content_type: application/zip
       - name: Upload Release Asset Checksum
-        if: steps.sincelasttag.outputs.commits != ""
         id: upload-release-asset-checksums
         uses: actions/upload-release-asset@v1
         env:
@@ -102,6 +103,8 @@ jobs:
           asset_content_type: text/plain
   push_to_registry:
     name: Push Docker image to Docker Hub
+    needs: pre_release_job
+    if: ${{ needs.pre_release_job.outputs.changes == 'yes' }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo

diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,10 @@ bin
 *.so
 *.dylib
 
+# MacOS finder files
+.DS_Store
+**/.DS_Store
+
 # Test binary, built with `go test -c`
 *.test
 

diff --git a/Dockerfile.integration b/Dockerfile.integration
@@ -32,7 +32,7 @@ USER Checkmarx
 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
 
 #runtime image
-FROM alpine:3.13.4
+FROM alpine:3.13
 
 COPY --from=build_env /app/bin/kics /app/bin/kics
 COPY --from=build_env /app/assets/ /app/bin/assets/

diff --git a/..._volume_encrytpion_disabled/metadata.json → ..._volume_encryption_disabled/metadata.json b/..._volume_encrytpion_disabled/metadata.json → ..._volume_encryption_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
   "id": "4b6012e7-7176-46e4-8108-e441785eae57",
   "queryName": "EBS Volume Encryption Disabled",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "EBS Encryption should be enabled",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
   "platform": "Ansible"
-}
+}
diff --git a/...ebs_volume_encrytpion_disabled/query.rego → ...ebs_volume_encryption_disabled/query.rego b/...ebs_volume_encrytpion_disabled/query.rego → ...ebs_volume_encryption_disabled/query.rego
diff --git a/...me_encrytpion_disabled/test/negative.yaml → ...me_encryption_disabled/test/negative.yaml b/...me_encrytpion_disabled/test/negative.yaml → ...me_encryption_disabled/test/negative.yaml
diff --git a/...me_encrytpion_disabled/test/positive.yaml → ...me_encryption_disabled/test/positive.yaml b/...me_encrytpion_disabled/test/positive.yaml → ...me_encryption_disabled/test/positive.yaml
diff --git a/...sabled/test/positive_expected_result.json → ...sabled/test/positive_expected_result.json b/...sabled/test/positive_expected_result.json → ...sabled/test/positive_expected_result.json
@@ -1,22 +1,22 @@
 [
   {
     "queryName": "EBS Volume Encryption Disabled",
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "line": 5
   },
   {
     "queryName": "EBS Volume Encryption Disabled",
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "line": 12
   },
   {
     "queryName": "EBS Volume Encryption Disabled",
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "line": 19
   },
   {
     "queryName": "EBS Volume Encryption Disabled",
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "line": 24
   }
 ]
diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -2,7 +2,7 @@
   "id": "01aec7c2-3e4d-4274-ae47-2b8fea22fd1f",
   "queryName": "ECS Task Definition Network Mode Not Recommended",
   "severity": "HIGH",
-  "category": "Access Control",
+  "category": "Insecure Configurations",
   "descriptionText": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode",
   "platform": "Ansible"

diff --git a/assets/queries/ansible/aws/efs_without_kms/metadata.json b/assets/queries/ansible/aws/efs_without_kms/metadata.json
@@ -1,9 +1,9 @@
 {
-	"id": "bd77554e-f138-40c5-91b2-2a09f878608e",
-	"queryName": "EFS Without KMS",
-	"severity": "HIGH",
-	"category": "Secret Management",
-	"descriptionText": "Elastic File System (EFS) must have KMS Key ID",
-	"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
-	"platform": "Ansible"
+  "id": "bd77554e-f138-40c5-91b2-2a09f878608e",
+  "queryName": "EFS Without KMS",
+  "severity": "HIGH",
+  "category": "Encryption",
+  "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
+  "platform": "Ansible"
 }
diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
@@ -1,9 +1,9 @@
 {
   "id": "e401d614-8026-4f4b-9af9-75d1197461ba",
   "queryName": "IAM Policies With Full Privileges",
-  "severity": "MEDIUM",
+  "severity": "HIGH",
   "category": "Access Control",
   "descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
   "platform": "Ansible"
-}
+}
diff --git a/.../queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/.../queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
   {
     "queryName": "IAM Policies With Full Privileges",
-    "severity": "MEDIUM",
+    "severity": "HIGH",
     "line": 8
   }
-]
+]
diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
@@ -2,7 +2,7 @@
   "id": "f2ea6481-1d31-4d40-946a-520dc6321dd7",
   "queryName": "Kinesis Not Encrypted With KMS",
   "severity": "HIGH",
-  "category": "Secret Management",
+  "category": "Encryption",
   "descriptionText": "AWS Kinesis Streams and metadata should be protected with KMS",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html",
   "platform": "Ansible"

diff --git a/assets/queries/ansible/aws/kms_key_with_vulnerable_policy/metadata.json b/assets/queries/ansible/aws/kms_key_with_vulnerable_policy/metadata.json
@@ -2,8 +2,8 @@
   "id": "5b9d237a-57d5-4177-be0e-71434b0fef47",
   "queryName": "KMS Key With Vulnerable Policy",
   "severity": "HIGH",
-  "category": "Networking and Firewall",
+  "category": "Insecure Configurations",
   "descriptionText": "Checks if the policy is vulnerable and needs updating.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html",
   "platform": "Ansible"
-}
+}
diff --git a/...le/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/...le/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
diff --git a/...sers_group_gets_read_access/metadata.json → ...cl_allows_read_to_all_users/metadata.json b/...sers_group_gets_read_access/metadata.json → ...cl_allows_read_to_all_users/metadata.json
diff --git a/...l_users_group_gets_read_access/query.rego → ...t_acl_allows_read_to_all_users/query.rego b/...l_users_group_gets_read_access/query.rego → ...t_acl_allows_read_to_all_users/query.rego
diff --git a/...group_gets_read_access/test/negative.yaml → ...lows_read_to_all_users/test/negative.yaml b/...group_gets_read_access/test/negative.yaml → ...lows_read_to_all_users/test/negative.yaml
diff --git a/...group_gets_read_access/test/positive.yaml → ...lows_read_to_all_users/test/positive.yaml b/...group_gets_read_access/test/positive.yaml → ...lows_read_to_all_users/test/positive.yaml
diff --git a/...access/test/positive_expected_result.json → ..._users/test/positive_expected_result.json b/...access/test/positive_expected_result.json → ..._users/test/positive_expected_result.json
diff --git a/..._read_or_write_to_all_users/metadata.json → ..._action_from_all_principals/metadata.json b/..._read_or_write_to_all_users/metadata.json → ..._action_from_all_principals/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "7529b8d2-55d7-44d2-b1cd-d7d2984a2a81",
-  "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
+  "queryName": "S3 Bucket Allows WriteACP Action From All Principals",
   "severity": "HIGH",
   "category": "Access Control",
   "descriptionText": "S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.",

diff --git a/...ows_read_or_write_to_all_users/query.rego → ...acp_action_from_all_principals/query.rego b/...ows_read_or_write_to_all_users/query.rego → ...acp_action_from_all_principals/query.rego
diff --git a/..._or_write_to_all_users/test/negative.yaml → ...on_from_all_principals/test/negative.yaml b/..._or_write_to_all_users/test/negative.yaml → ...on_from_all_principals/test/negative.yaml
diff --git a/..._or_write_to_all_users/test/positive.yaml → ...on_from_all_principals/test/positive.yaml b/..._or_write_to_all_users/test/positive.yaml → ...on_from_all_principals/test/positive.yaml
diff --git a/...s/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json b/...s/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+  {
+    "queryName": "S3 Bucket Allows WriteACP Action From All Principals",
+    "severity": "HIGH",
+    "line": 8
+  }
+]
diff --git a/...les_with_master_key_id_null/metadata.json → .../aws/s3_bucket_sse_disabled/metadata.json b/...les_with_master_key_id_null/metadata.json → .../aws/s3_bucket_sse_disabled/metadata.json
diff --git a/..._rules_with_master_key_id_null/query.rego → ...ble/aws/s3_bucket_sse_disabled/query.rego b/..._rules_with_master_key_id_null/query.rego → ...ble/aws/s3_bucket_sse_disabled/query.rego
diff --git a/...ith_master_key_id_null/test/negative.yaml → ...s3_bucket_sse_disabled/test/negative.yaml b/...ith_master_key_id_null/test/negative.yaml → ...s3_bucket_sse_disabled/test/negative.yaml
diff --git a/...ith_master_key_id_null/test/positive.yaml → ...s3_bucket_sse_disabled/test/positive.yaml b/...ith_master_key_id_null/test/positive.yaml → ...s3_bucket_sse_disabled/test/positive.yaml
diff --git a/...d_null/test/positive_expected_result.json → ...sabled/test/positive_expected_result.json b/...d_null/test/positive_expected_result.json → ...sabled/test/positive_expected_result.json
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
@@ -1,9 +1,9 @@
 {
   "id": "9232306a-f839-40aa-b3ef-b352001da9a5",
   "queryName": "S3 Bucket Without Versioning",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Observability",
   "descriptionText": "S3 bucket without versioning",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning",
   "platform": "Ansible"
-}
+}
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
   {
     "queryName": "S3 Bucket Without Versioning",
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "line": 3
   },
   {
     "queryName": "S3 Bucket Without Versioning",
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "line": 15
   }
-]
+]
diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
@@ -2,8 +2,8 @@
   "id": "b176e927-bbe2-44a6-a9c3-041417137e5f",
   "queryName": "AD Admin Not Configured For SQL Server",
   "severity": "HIGH",
-  "category": "Access Control",
+  "category": "Insecure Configurations",
   "descriptionText": "The Active Directory Administrator is not configured for a SQL server",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user",
   "platform": "Ansible"
-}
+}
diff --git a/assets/queries/ansible/azure/blob_container_with_public_access/metadata.json b/assets/queries/ansible/azure/blob_container_with_public_access/metadata.json
diff --git a/...ueries/ansible/azure/blob_container_with_public_access/test/positive_expected_result.json b/...ueries/ansible/azure/blob_container_with_public_access/test/positive_expected_result.json
diff --git a/...ies/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json b/...ies/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
@@ -2,8 +2,8 @@
   "id": "69f72007-502e-457b-bd2d-5012e31ac049",
   "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache",
   "severity": "MEDIUM",
-  "category": "Access Control",
+  "category": "Networking and Firewall",
   "descriptionText": "Check if any firewall rule allows too many hosts to access Redis Cache.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html",
   "platform": "Ansible"
-}
+}
diff --git a/assets/queries/ansible/azure/log_disconnections_is_not_set/metadata.json b/assets/queries/ansible/azure/log_disconnections_is_not_set/metadata.json
diff --git a/...ts/queries/ansible/azure/log_disconnections_is_not_set/test/positive_expected_result.json b/...ts/queries/ansible/azure/log_disconnections_is_not_set/test/positive_expected_result.json