Merge pull request #5730 from Checkmarx/query/kics529

feat(query): added App Service Without Latest Python Version query for Terraform
Checkmarx · Aug 24, 2022 · cbb23fb · cbb23fb
2 parents 1663382 + 05ba591
commit cbb23fb
Show file tree

Hide file tree

Showing 10 changed files with 270 additions and 0 deletions.
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "cc4aaa9d-1070-461a-b519-04e00f42db8a",
+  "queryName": "App Service Without Latest Python Version",
+  "severity": "LOW",
+  "category": "Best Practices",
+  "descriptionText": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version",
+  "platform": "Terraform",
+  "descriptionID": "848bf695",
+  "cloudProvider": "azure"
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/query.rego b/assets/queries/terraform/azure/app_service_without_latest_python_version/query.rego
@@ -0,0 +1,58 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+# for deprecated version (before AzureRM 3.0)
+CxPolicy[result] {
+	resource := input.document[i].resource.azurerm_app_service[name]
+	python_version := resource.site_config.python_version
+    to_number(python_version) != 3.10
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "azurerm_app_service",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("azurerm_app_service[%s].site_config.python_version", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)",
+		"keyActualValue": "'python_version' is not the latest avaliable stable version (3.10)",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "python_version"], []),
+	}
+}
+
+# After 3.0, for windows
+CxPolicy[result] {
+	resource := input.document[i].resource.azurerm_windows_web_app[name]
+    python_version := resource.site_config.application_stack.python_version
+	python_version != "v3.10"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "azurerm_windows_web_app",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("azurerm_windows_web_app[%s].site_config.application_stack.python_version", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)",
+		"keyActualValue": "'python_version' is not the latest avaliable stable version (3.10)",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_windows_web_app", name, "site_config", "application_stack", "python_version"], []),
+	}
+}
+
+# After 3.0, for linux
+CxPolicy[result] {
+	resource := input.document[i].resource.azurerm_linux_web_app[name]
+    python_version := resource.site_config.application_stack.python_version
+	to_number(python_version) != 3.10
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "azurerm_linux_web_app",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("azurerm_linux_web_app[%s].site_config.application_stack.python_version", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)",
+		"keyActualValue": "'python_version' is not the latest avaliable stable version (3.10)",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_linux_web_app", name, "site_config", "application_stack", "python_version"], []),
+	}
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative1.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative1.tf
@@ -0,0 +1,23 @@
+resource "azurerm_app_service" "example1" {
+  name                = "example1-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  # SiteConfig block is optional before AzureRM version 3.0 
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    python_version              = "3.10"
+  }
+
+  app_settings = {
+    "SOME_KEY" = "some-value"
+  }
+
+  connection_string {
+    name  = "Database"
+    type  = "SQLServer"
+    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
+  }
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative2.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative2.tf
@@ -0,0 +1,28 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_service_plan" "example" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  sku_name            = "P1v2"
+}
+
+resource "azurerm_windows_web_app" "example2" {
+  name                = "example2"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+
+   site_config{
+    application_stack{
+      python_version = "v3.10"
+    }    
+  }
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative3.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative3.tf
@@ -0,0 +1,28 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_service_plan" "example" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  sku_name            = "P1v2"
+}
+
+resource "azurerm_linux_web_app" "example3" {
+  name                = "example3"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+
+  site_config{
+    application_stack{
+      python_version = "3.10"
+    }    
+  }
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative4.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/negative4.tf
@@ -0,0 +1,22 @@
+resource "azurerm_app_service" "example1" {
+  name                = "example1-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  # SiteConfig block is optional before AzureRM version 3.0 
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+  }
+
+  app_settings = {
+    "SOME_KEY" = "some-value"
+  }
+
+  connection_string {
+    name  = "Database"
+    type  = "SQLServer"
+    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
+  }
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive1.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "azurerm_app_service" "example4" {
+  name                = "example4-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  # SiteConfig block is optional before AzureRM version 3.0 
+  site_config { 
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    python_version              = "2.7"
+  }
+
+  app_settings = {
+    "SOME_KEY" = "some-value"
+  }
+
+  connection_string {
+    name  = "Database"
+    type  = "SQLServer"
+    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
+  }
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive2.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive2.tf
@@ -0,0 +1,28 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_service_plan" "example" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  sku_name            = "P1v2"
+}
+
+resource "azurerm_windows_web_app" "example5" {
+  name                = "example5"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+
+   site_config{
+    application_stack{
+      python_version = "v2.7"
+    }    
+  }
+}
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive3.tf b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive3.tf
@@ -0,0 +1,29 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_service_plan" "example" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  os_type             = "Linux"
+  sku_name            = "P1v2"
+}
+
+resource "azurerm_linux_web_app" "example6" {
+  name                = "example6"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+
+  site_config{
+    application_stack{
+      python_version = "2.7"
+    }    
+  }
+}
diff --git a/...raform/azure/app_service_without_latest_python_version/test/positive_expected_result.json b/...raform/azure/app_service_without_latest_python_version/test/positive_expected_result.json
@@ -0,0 +1,20 @@
+[
+  {
+    "queryName": "App Service Without Latest Python Version",
+    "severity": "LOW",
+    "line": 11,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "App Service Without Latest Python Version",
+    "severity": "LOW",
+    "line": 25,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "App Service Without Latest Python Version",
+    "severity": "LOW",
+    "line": 26,
+    "fileName": "positive3.tf"
+  }
+]