Checkmarx · rafaela-soares · Aug 2, 2022 · Aug 1, 2022 · Aug 2, 2022 · Aug 2, 2022
diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "Storage Account Not Forcing HTTPS",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "See that Storage Accounts forces the use of HTTPS",
+  "descriptionText": "Storage Accounts should enforce the use of HTTPS",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-https_only",
   "platform": "Ansible",
   "descriptionID": "bc830876",

diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "49e30ac8-f58e-4222-b488-3dcb90158ec1",
+  "queryName": "Redis Cache Allows Non SSL Connections",
+  "severity": "MEDIUM",
+  "category": "Encryption",
+  "descriptionText": "Redis Cache resource should not allow non-SSL connections.",
+  "descriptionUrl": "https://www.pulumi.com/registry/packages/azure-native/api-docs/cache/redis/#enablenonsslport_yaml",
+  "platform": "Pulumi",
+  "descriptionID": "64acf7a6",
+  "cloudProvider": "azure"
+}
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego
@@ -0,0 +1,22 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.pulumi as plm_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resources[name]
+	resource.type == "azure-native:cache:Redis"
+
+	resource.properties.enableNonSslPort == true
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.type,
+		"resourceName": plm_lib.getResourceName(resource, name),
+		"searchKey": sprintf("resources[%s].properties.enableNonSslPort", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false",
+		"keyActualValue": "Redis Cache has attribute 'enableNonSslPort' set to true",
+		"searchLine": common_lib.build_search_line(["resources", name, "properties"], ["enableNonSslPort"]),
+	}
+}
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/negative.yaml b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/negative.yaml
@@ -0,0 +1,25 @@
+name: azure-aks
+runtime: yaml
+description: An Aks cluster
+resources:
+  redis:
+    type: azure-native:cache:Redis
+    properties:
+      enableNonSslPort: false
+      location: West US
+      minimumTlsVersion: 1.2
+      name: cache1
+      redisConfiguration:
+        maxmemoryPolicy: allkeys-lru
+      replicasPerMaster: 2
+      resourceGroupName: rg1
+      shardCount: 2
+      sku:
+        capacity: 1
+        family: P
+        name: Premium
+      staticIP: 192.168.0.5
+      subnetId: /subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1
+      zones:
+        - 1
+
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive.yaml b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive.yaml
@@ -0,0 +1,25 @@
+name: azure-aks
+runtime: yaml
+description: An Aks cluster
+resources:
+  redis:
+    type: azure-native:cache:Redis
+    properties:
+      enableNonSslPort: true
+      location: West US
+      minimumTlsVersion: 1.2
+      name: cache1
+      redisConfiguration:
+        maxmemoryPolicy: allkeys-lru
+      replicasPerMaster: 2
+      resourceGroupName: rg1
+      shardCount: 2
+      sku:
+        capacity: 1
+        family: P
+        name: Premium
+      staticIP: 192.168.0.5
+      subnetId: /subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1
+      zones:
+        - 1
+
diff --git a/...es/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/...es/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+	{
+		"queryName": "Redis Cache Allows Non SSL Connections",
+		"severity": "MEDIUM",
+		"line": 8,
+		"fileName": "positive.yaml"
+	}
+]
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "cb8e4bf0-903d-45c6-a278-9a947d82a27b",
+  "queryName": "Storage Account Not Forcing HTTPS",
+  "severity": "HIGH",
+  "category": "Encryption",
+  "descriptionText": "Storage Accounts should enforce the use of HTTPS",
+  "descriptionUrl": "https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/storageaccount/#enablehttpstrafficonly_yaml",
+  "platform": "Pulumi",
+  "descriptionID": "406540e1",
+  "cloudProvider": "azure"
+}
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego b/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego
@@ -0,0 +1,22 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.pulumi as plm_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resources[name]
+	resource.type == "azure-native:storage:StorageAccount"
+
+	resource.properties.enableHttpsTrafficOnly == false
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.type,
+		"resourceName": plm_lib.getResourceName(resource, name),
+		"searchKey": sprintf("resources[%s].properties.enableHttpsTrafficOnly", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true",
+		"keyActualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false",
+		"searchLine": common_lib.build_search_line(["resources", name, "properties"], ["enableHttpsTrafficOnly"]),
+	}
+}
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/negative.yaml b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/negative.yaml
@@ -0,0 +1,23 @@
+name: azure-aks
+runtime: yaml
+description: An Aks cluster
+resources:
+  storageAccount:
+    type: azure-native:storage:StorageAccount
+    properties:
+      accountName: sto4445
+      enableHttpsTrafficOnly: true
+      enableNfsV3: true
+      isHnsEnabled: true
+      kind: BlockBlobStorage
+      location: eastus
+      networkRuleSet:
+        bypass: AzureServices
+        defaultAction: Allow
+        ipRules: []
+        virtualNetworkRules:
+          - virtualNetworkResourceId: /subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Network/virtualNetworks/net123/subnets/subnet12
+      resourceGroupName: res9101
+      sku:
+        name: Premium_LRS
+
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive.yaml b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive.yaml
@@ -0,0 +1,23 @@
+name: azure-aks
+runtime: yaml
+description: An Aks cluster
+resources:
+  storageAccount:
+    type: azure-native:storage:StorageAccount
+    properties:
+      accountName: sto4445
+      enableHttpsTrafficOnly: false
+      enableNfsV3: true
+      isHnsEnabled: true
+      kind: BlockBlobStorage
+      location: eastus
+      networkRuleSet:
+        bypass: AzureServices
+        defaultAction: Allow
+        ipRules: []
+        virtualNetworkRules:
+          - virtualNetworkResourceId: /subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Network/virtualNetworks/net123/subnets/subnet12
+      resourceGroupName: res9101
+      sku:
+        name: Premium_LRS
+
diff --git a/...queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/...queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+	{
+		"queryName": "Storage Account Not Forcing HTTPS",
+		"severity": "HIGH",
+		"line": 9,
+		"fileName": "positive.yaml"
+	}
+]
diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "Storage Account Not Forcing HTTPS",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "See that Storage Accounts forces the use of HTTPS",
+  "descriptionText": "Storage Accounts should enforce the use of HTTPS",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account",
   "platform": "Terraform",
   "descriptionID": "ab6688ca",

diff --git a/test/main_test.go b/test/main_test.go
@@ -41,6 +41,7 @@ var (
 		"../assets/queries/pulumi/aws":              {FileKind: []model.FileKind{model.KindYAML}, Platform: "pulumi"},
 		"../assets/queries/pulumi/gcp":              {FileKind: []model.FileKind{model.KindYAML}, Platform: "pulumi"},
 		"../assets/queries/pulumi/kubernetes":       {FileKind: []model.FileKind{model.KindYAML}, Platform: "pulumi"},
+		"../assets/queries/pulumi/azure":            {FileKind: []model.FileKind{model.KindYAML}, Platform: "pulumi"},
 		"../assets/queries/k8s":                     {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "k8s"},
 		"../assets/queries/cloudFormation/aws":      {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "cloudFormation"},
 		"../assets/queries/cloudFormation/aws_bom":  {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "cloudFormation"},