Merge branch 'master' into fix/forced_containerd_version

Checkmarx · Jan 17, 2022 · b986444 · b986444
2 parents 03d8438 + 236ecab
commit b986444
Show file tree

Hide file tree

Showing 83 changed files with 1,039 additions and 213 deletions.
diff --git a/.github/workflows/release-apispec.yml b/.github/workflows/release-apispec.yml
@@ -36,7 +36,7 @@ jobs:
         with:
           go-version: 1.17
       - name: Run GoReleaser
-        uses: goreleaser/[email protected].0
+        uses: goreleaser/[email protected].1
         with:
           version: v0.160.0
           args: release --rm-dist --snapshot --skip-validate --config="./.goreleaser-apispec.yml"

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -53,7 +53,7 @@ jobs:
         with:
           go-version: 1.17
       - name: Run GoReleaser
-        uses: goreleaser/[email protected].0
+        uses: goreleaser/[email protected].1
         with:
           version: v0.160.0
           args: release --rm-dist --snapshot --skip-validate --config="./.goreleaser-nightly.yml"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           go-version: 1.17
       - name: Run GoReleaser
-        uses: goreleaser/[email protected].0
+        uses: goreleaser/[email protected].1
         with:
           version: latest
           args: release --rm-dist

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.17.5-alpine as build_env
+FROM golang:1.17.6-alpine as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app

diff --git a/Dockerfile.apispec b/Dockerfile.apispec
@@ -1,4 +1,4 @@
-FROM golang:1.17.5-alpine as build_env
+FROM golang:1.17.6-alpine as build_env
 # Create a group and user
 RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx
 USER Checkmarx

diff --git a/Dockerfile.apispec.debian b/Dockerfile.apispec.debian
@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM golang:1.17.5-buster as build_env
+FROM golang:1.17.6-buster as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx

diff --git a/Dockerfile.debian b/Dockerfile.debian
@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.17.5-buster as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.17.6-buster as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx

diff --git a/assets/queries/ansible/aws/db_security_group_has_public_ip/query.rego b/assets/queries/ansible/aws/db_security_group_has_public_ip/query.rego
diff --git a/assets/queries/ansible/aws/db_security_group_has_public_ip/test/positive.yaml b/assets/queries/ansible/aws/db_security_group_has_public_ip/test/positive.yaml
diff --git a/...ts/queries/ansible/aws/db_security_group_has_public_ip/test/positive_expected_result.json b/...ts/queries/ansible/aws/db_security_group_has_public_ip/test/positive_expected_result.json
diff --git a/...ecurity_group_has_public_ip/metadata.json → ..._group_has_public_interface/metadata.json b/...ecurity_group_has_public_ip/metadata.json → ..._group_has_public_interface/metadata.json
@@ -1,9 +1,9 @@
 {
   "id": "5330b503-3319-44ff-9b1c-00ee873f728a",
-  "queryName": "DB Security Group Has Public IP",
+  "queryName": "EC2 Group Has Public Interface",
   "severity": "HIGH",
   "category": "Insecure Configurations",
-  "descriptionText": "The CIDR IP must not be Public",
+  "descriptionText": "The CIDR IP should not be a public interface",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
   "platform": "Ansible",
   "descriptionID": "506f9dd8",

diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/query.rego b/assets/queries/ansible/aws/ec2_group_has_public_interface/query.rego
@@ -0,0 +1,29 @@
+package Cx
+
+import data.generic.ansible as ans_lib
+import data.generic.common as common_lib
+
+modules := {"amazon.aws.ec2_group", "ec2_group"}
+
+CxPolicy[result] {
+	task := ans_lib.tasks[id][t]
+	ec2_instance = task[modules[m]]
+	ans_lib.checkState(ec2_instance)
+
+	rule := ec2_instance.rules[idx]
+
+	cidrs := {"cidr_ip": "0.0.0.0/0", "cidr_ipv6" : "::/0"}
+
+	cidrValue := cidrs[cidr]
+
+	rule[cidr] == cidrValue
+
+	result := {
+		"documentId": id,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.rules.%s", [task.name, modules[m], cidr]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'ec2_group.rules.%s' is not %s", [cidr, cidrValue]),
+		"keyActualValue": sprintf("'ec2_group.rules.%s' is %s", [cidr, rule[cidr]]),
+		"searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "rules", idx, cidr], []),
+	}
+}
diff --git a/...ty_group_has_public_ip/test/negative.yaml → ...p_has_public_interface/test/negative.yaml b/...ty_group_has_public_ip/test/negative.yaml → ...p_has_public_interface/test/negative.yaml
@@ -11,11 +11,3 @@
       from_port: 80
       to_port: 80
       cidr_ip: 10.1.1.1/32
-  rules_egress:
-  - proto: tcp
-    from_port: 80
-    to_port: 80
-    cidr_ip: 10.1.1.1/32
-    group_name: example-other
-        # description to use if example-other needs to be created
-    group_desc: other example EC2 group
diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive.yaml b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive.yaml
@@ -0,0 +1,22 @@
+- name: create minimal aurora instance in default VPC and default subnet group
+  community.aws.rds_instance:
+    engine: aurora
+    db_instance_identifier: ansible-test-aurora-db-instance
+    instance_type: db.t2.small
+    password: "{{ password }}"
+    username: "{{ username }}"
+    cluster_id: ansible-test-cluster
+    db_security_groups: ["example"]
+- name: example ec2 group
+  ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1a
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules:
+      - proto: tcp
+        from_port: 80
+        to_port: 80
+        cidr_ip: 0.0.0.0/0
diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+	{
+		"queryName": "EC2 Group Has Public Interface",
+		"severity": "HIGH",
+		"line": 22,
+		"fileName": "positive.yaml"
+	}
+]
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "338b6cab-961d-4998-bb49-e5b6a11c9a5c",
+  "queryName": "EC2 Not EBS Optimized",
+  "severity": "INFO",
+  "category": "Best Practices",
+  "descriptionText": "It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-ebs_optimized",
+  "platform": "Ansible",
+  "descriptionID": "a99c1fe0",
+  "cloudProvider": "aws"
+}
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/ansible/aws/ec2_not_ebs_optimized/query.rego
@@ -0,0 +1,39 @@
+package Cx
+
+import data.generic.ansible as ans_lib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	task := ans_lib.tasks[id][t]
+	modules := {"amazon.aws.ec2", "ec2"}
+	ec2 := task[modules[m]]
+	ans_lib.checkState(ec2)
+
+	not common_lib.valid_key(ec2, "ebs_optimized")
+
+	result := {
+		"documentId": id,
+		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "ec2 to have ebs_optimized set to true.",
+		"keyActualValue":  "ec2 doesn't have ebs_optimized set to true.",
+	}
+}
+
+CxPolicy[result] {
+	task := ans_lib.tasks[id][t]
+	modules := {"amazon.aws.ec2", "ec2"}
+	ec2 := task[modules[m]]
+	ans_lib.checkState(ec2)
+
+	ec2["ebs_optimized"] == false
+
+	result := {
+		"documentId": id,
+		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "ec2 to have ebs_optimized set to true.",
+		"keyActualValue":  "ec2 ebs_optimized is set to false.",
+	}
+}
+
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/negative.yaml b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/negative.yaml
@@ -0,0 +1,10 @@
+- name: example2
+  amazon.aws.ec2:
+    key_name: mykey
+    instance_type: t2.micro
+    image: ami-123456
+    wait: yes
+    group: my_sg
+    count: 3
+    vpc_subnet_id: subnet-29e63245
+    ebs_optimized: true
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive1.yaml b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive1.yaml
@@ -0,0 +1,9 @@
+- name: example
+  amazon.aws.ec2:
+    key_name: mykey
+    instance_type: t2.micro
+    image: ami-123456
+    wait: yes
+    group: default
+    count: 3
+    vpc_subnet_id: subnet-29e63245
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive2.yaml b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive2.yaml
@@ -0,0 +1,10 @@
+- name: example2
+  amazon.aws.ec2:
+    key_name: mykey
+    instance_type: t2.micro
+    image: ami-123456
+    wait: yes
+    group: default
+    count: 3
+    vpc_subnet_id: subnet-29e63245
+    ebs_optimized: false
diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "EC2 Not EBS Optimized",
+    "severity": "INFO",
+    "line": 2,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "EC2 Not EBS Optimized",
+    "severity": "INFO",
+    "line": 2,
+    "fileName": "positive2.yaml"
+  }
+]
diff --git a/...ecurity_group_has_public_ip/metadata.json → ...nstance_publicly_accessible/metadata.json b/...ecurity_group_has_public_ip/metadata.json → ...nstance_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "de38e1d5-54cb-4111-a868-6f7722695007",
-  "queryName": "DB Security Group Has Public IP",
+  "queryName": "DB Instance Publicly Accessible",
   "severity": "HIGH",
   "category": "Insecure Configurations",
   "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.",

diff --git a/...b_security_group_has_public_ip/query.rego → ...b_instance_publicly_accessible/query.rego b/...b_security_group_has_public_ip/query.rego → ...b_instance_publicly_accessible/query.rego
@@ -1,5 +1,7 @@
 package Cx
 
+import data.generic.common as common_lib
+
 CxPolicy[result] {
 	resource := input.document[i].Resources[name]
 	resource.Type == "AWS::RDS::DBInstance"
@@ -9,7 +11,8 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("Resources.%s.Properties.PubliclyAccessible", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'Resources.%s.Properties.PubliclyAccessible' is false", [name]),
-		"keyActualValue": sprintf("'Resources.%s.Properties.PubliclyAccessible' is true", [name]),
+		"keyExpectedValue": sprintf("'Resources.%s.Properties.PubliclyAccessible' is set to false", [name]),
+		"keyActualValue": sprintf("'Resources.%s.Properties.PubliclyAccessible' is set to true", [name]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "PubliclyAccessible"], []),
 	}
 }
diff --git a/...y_group_has_public_ip/test/negative1.yaml → ...e_publicly_accessible/test/negative1.yaml b/...y_group_has_public_ip/test/negative1.yaml → ...e_publicly_accessible/test/negative1.yaml
diff --git a/...y_group_has_public_ip/test/negative2.json → ...e_publicly_accessible/test/negative2.json b/...y_group_has_public_ip/test/negative2.json → ...e_publicly_accessible/test/negative2.json
diff --git a/...y_group_has_public_ip/test/positive1.yaml → ...e_publicly_accessible/test/positive1.yaml b/...y_group_has_public_ip/test/positive1.yaml → ...e_publicly_accessible/test/positive1.yaml
diff --git a/...y_group_has_public_ip/test/positive2.json → ...e_publicly_accessible/test/positive2.json b/...y_group_has_public_ip/test/positive2.json → ...e_publicly_accessible/test/positive2.json
diff --git a/...ies/cloudFormation/aws/db_instance_publicly_accessible/test/positive_expected_result.json b/...ies/cloudFormation/aws/db_instance_publicly_accessible/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "line": 69,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "line": 61,
+    "fileName": "positive2.json"
+  }
+]