feat(result): added resourceType and resourceName to Ansible queries …

…result (#5362) * added resourceType and resourceName to ANS AWS * added resourceType and resourceName to ANS AZURE * added resourceType and resourceName to ANS GCP
Checkmarx · May 24, 2022 · ff00ceb · ff00ceb
1 parent 830be5d
commit ff00ceb
Show file tree

Hide file tree

Showing 221 changed files with 704 additions and 3 deletions.
diff --git a/assets/queries/ansible/aws/alb_listening_on_http/query.rego b/assets/queries/ansible/aws/alb_listening_on_http/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.listeners.Protocol=%s", [task.name, modules[m], applicationLb.listeners[index].Protocol]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.listeners", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'",

diff --git a/assets/queries/ansible/aws/ami_not_encrypted/query.rego b/assets/queries/ansible/aws/ami_not_encrypted/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "ec2_ami.device_mapping.device_name.encrypted should be set to true",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.device_mapping.encrypted", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "ec2_ami.device_mapping.encrypted should be set to true",

diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/query.rego b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.launch_permissions", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI",

diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/query.rego b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.endpoint_type", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'aws_api_gateway.endpoint_type' is 'PRIVATE'",

diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudwatchlogs_log_grouptracing_enabled should contain log_group_name",

diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/query.rego b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/query.rego
@@ -18,6 +18,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.%s", [task.name, modules[m], content_info.attribute]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'%s.%s' has a authorizer set", [modules[m], content_info.attribute]),
@@ -37,6 +39,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.swagger_text", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'%s.swagger_text' has a authorizer set", [modules[m]]),
@@ -54,6 +58,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'%s' has swagger_file, swagger_text or swagger_dict set", [modules[m]]),

diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/query.rego b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "aws_api_gateway.validate_certs is set",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.validate_certs", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "aws_api_gateway.validate_certs is set to yes",

diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/query.rego b/assets/queries/ansible/aws/api_gateway_without_waf/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "API Gateway Stage is associated with a Web Application Firewall",

diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/query.rego b/assets/queries/ansible/aws/api_gateway_xray_disabled/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "aws_api_gateway.tracing_enabled is defined",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.tracing_enabled", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "aws_api_gateway.tracing_enabled is true",

diff --git a/assets/queries/ansible/aws/authentication_without_mfa/query.rego b/assets/queries/ansible/aws/authentication_without_mfa/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("sts_assume_role.%s is set", [attributes[j]]),

diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/query.rego b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("%s.load_balancers is set and not empty", [modules[m]]),
@@ -31,6 +33,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.load_balancers", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("%s.load_balancers is not empty", [modules[m]]),

diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/query.rego b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.auto_minor_version_upgrade", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "rds_instance.auto_minor_version_upgrade should be true",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "rds_instance.auto_minor_version_upgrade should be set",

diff --git a/assets/queries/ansible/aws/aws_passord_policy_with_unchangeable_passwords/query.rego b/assets/queries/ansible/aws/aws_passord_policy_with_unchangeable_passwords/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}%s", [task.name, modules[m], searchKey]),
 		"issueType": issueType(searchKey),
 		"keyExpectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true",

diff --git a/.../queries/ansible/aws/batch_job_definition_with_privileged_container_properties/query.rego b/.../queries/ansible/aws/batch_job_definition_with_privileged_container_properties/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.privileged", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("name={{%s}}.{{%s}}.privileged is 'false' or not set", [task.name, modules[m]]),

diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/query.rego b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "rds_instance.ca_certificate_identifier should be defined",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.ca_certificate_identifier", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "rds_instance.ca_certificate_identifier is equal to 'rds-ca-2019'",

diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/query.rego b/assets/queries/ansible/aws/cdn_configuration_is_missing/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("name={{%s}}.{{%s}}.enabled is set to 'true'", [task.name, modules[m]]),
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.enabled", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("name={{%s}}.{{%s}}.enabled is set to 'true'", [task.name, modules[m]]),
@@ -47,6 +51,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("name={{%s}}.{{%s}}.origins is defined", [task.name, modules[m]]),

diff --git a/assets/queries/ansible/aws/certificate_has_expired/query.rego b/assets/queries/ansible/aws/certificate_has_expired/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": "community.aws.aws_acm",
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.community.aws.aws_acm.certificate", [task.name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'community.aws.aws_acm.certificate' does not have expired",

diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/query.rego b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+        "resourceType": "community.aws.aws_acm",
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.community.aws.aws_acm.certificate", [task.name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'community.aws.aws_acm.certificate' uses a RSA key with a length equal to or higher than 256 bytes",

diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/query.rego b/assets/queries/ansible/aws/cloudfront_logging_disabled/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudfront_distribution.logging is defined",
@@ -30,6 +32,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.logging.enabled", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "cloudfront_distribution.logging.enabled is true",

diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudfront_distribution.viewer_certificate is defined",
@@ -33,6 +35,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.viewer_certificate.minimum_protocol_version", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("name={{%s}}.{{%s}}.viewer_certificate.minimum_protocol_version' is TLSv1.2_x", [task.name, modules[m]]),

diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/query.rego b/assets/queries/ansible/aws/cloudfront_without_waf/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudfront_distribution.web_acl_id is defined",

diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/query.rego b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/query.rego
@@ -15,6 +15,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudtrail.enable_log_file_validation or cloudtrail.log_file_validation_enabled is defined",
@@ -34,6 +36,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.%s", [task.name, modules[m], attr]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("cloudtrail.%s is set to true or yes", [attr]),

diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudtrail.kms_key_id is set",

diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/query.rego b/assets/queries/ansible/aws/cloudtrail_logging_disabled/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.enable_logging", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "cloudtrail.enable_logging is true",

diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/query.rego b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.is_multi_region_trail", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "cloudtrail.is_multi_region_trail is true",

diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("name={{%s}}.{{%s}}.%s is defined", [task.name, modules[m], properties[p]]),

diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/query.rego b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudtrail.sns_topic_name is set",
@@ -29,6 +31,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.sns_topic_name", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "cloudtrail.sns_topic_name is set",

diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/query.rego b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "cloudwatchlogs_log_group.retention is set",
@@ -33,6 +35,8 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
 		"searchKey": sprintf("name={{%s}}.{{%s}}.retention", [task.name, modules[m]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "cloudwatchlogs_log_group.retention is set and valid",