fix(query): tf mfa delete doing checks out of its scope #7051

merged 13 commits into from
May 20, 2024
Expand Up @@ -3,28 +3,6 @@ package Cx
import data.generic.common as common_lib
import data.generic.terraform as tf_lib

CxPolicy[result] {
bucket := input.document[i].resource.aws_s3_bucket[name]
# version before TF AWS 4.0
not common_lib.valid_key(bucket, "lifecycle_rule")
not common_lib.valid_key(bucket, "versioning")

# version after TF AWS 4.0
not tf_lib.has_target_resource(name, "aws_s3_bucket_lifecycle_configuration")
not tf_lib.has_target_resource(name, "aws_s3_bucket_versioning")

result := {
"documentId": input.document[i].id,
"resourceType": "aws_s3_bucket",
"resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name),
"searchKey": sprintf("aws_s3_bucket[%s]", [name]),
"issueType": "MissingAttribute",
"keyExpectedValue": "versioning should be defined and not null",
"keyActualValue": "versioning is undefined or null",
"searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []),
}
}

checkedFields = {
"enabled",
"mfa_delete"
Expand Down Expand Up @@ -66,25 +44,6 @@ CxPolicy[result] {
}
}

CxPolicy[result] {
module := input.document[i].module[name]
keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")

not common_lib.valid_key(module, "lifecycle_rule")
not common_lib.valid_key(module, keyToCheck)

result := {
"documentId": input.document[i].id,
"resourceType": "n/a",
"resourceName": "n/a",
"searchKey": sprintf("module[%s]", [name]),
"issueType": "MissingAttribute",
"keyExpectedValue": "'versioning' should be defined and not null",
"keyActualValue": "'versioning' is undefined or null",
"searchLine": common_lib.build_search_line(["module", name], []),
}
}

CxPolicy[result] {
module := input.document[i].module[name]
keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
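Review bot: With the no-versioning rule dropped in the first hunk, a bucket that declares no `versioning` block at all (the new negative6 fixture) now passes this query, while fixtures that set versioning explicitly disabled appear to remain positives, and nothing in the file records where that boundary lies. A short comment above the remaining rules would prevent the next contributor from re-adding the removed check, e.g. `# Buckets with no versioning block at all are intentionally not reported here; a missing versioning block is presumably covered by the separate versioning query.` The module rule at the end of this section continues past the last line shown.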
@@ -0,0 +1,22 @@
provider "aws" {
region = "us-east-1"
}

terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}

resource "aws_s3_bucket" "negative6" {
bucket = "my-tf-test-bucket"
acl = "private"

tags = {
Name = "My bucket"
Environment = "Dev"
}
}
@@ -0,0 +1,7 @@
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"

bucket = "my-s3-bucket"
acl = "private"
}
Expand Up @@ -19,4 +19,8 @@ resource "aws_s3_bucket" "positive1" {
Name = "My bucket"
Environment = "Dev"
}

versioning {
enabled = true
}
}

This file was deleted.

Expand Up @@ -22,5 +22,6 @@ resource "aws_s3_bucket" "positive2" {

versioning {
enabled = true
mfa_delete = false
}
}
Expand Up @@ -21,7 +21,6 @@ resource "aws_s3_bucket" "positive3" {
}

versioning {
enabled = true
mfa_delete = false
enabled = false
}
}
@@ -1,26 +1,11 @@
provider "aws" {
region = "us-east-1"
}

terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"

resource "aws_s3_bucket" "positive3" {
bucket = "my-tf-test-bucket"
bucket = "my-s3-bucket"
acl = "private"

tags = {
Name = "My bucket"
Environment = "Dev"
}

versioning {
enabled = false
enabled = true
}
}
Expand Up @@ -4,4 +4,9 @@ module "s3_bucket" {

bucket = "my-s3-bucket"
acl = "private"

versioning {
enabled = true
mfa_delete = false
}
}
Expand Up @@ -6,6 +6,6 @@ module "s3_bucket" {
acl = "private"

versioning {
enabled = true
enabled = false
}
}
@@ -1,12 +1,30 @@
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}

provider "aws" {
# Configuration options
}

resource "aws_s3_bucket" "b0" {
bucket = "my-tf-test-bucket"

tags = {
Name = "My bucket"
Environment = "Dev"
}
}

bucket = "my-s3-bucket"
acl = "private"
resource "aws_s3_bucket_versioning" "example2" {
bucket = aws_s3_bucket.b0.id

versioning {
enabled = true
mfa_delete = false
versioning_configuration {
status = "Enabled"
mfa_delete = "Disabled"
}
}
@@ -1,11 +1,30 @@
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}

provider "aws" {
# Configuration options
}

resource "aws_s3_bucket" "bbb" {
bucket = "my-tf-test-bucket"

tags = {
Name = "My bucket"
Environment = "Dev"
}
}

bucket = "my-s3-bucket"
acl = "private"
resource "aws_s3_bucket_versioning" "example" {
bucket = aws_s3_bucket.bbb.id

versioning {
enabled = false
versioning_configuration {
status = "Disabled"
mfa_delete = "Enabled"
}
}
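Review bot: The rewritten fixture at the end of this section pairs `status = "Disabled"` with `mfa_delete = "Enabled"` without saying which of the two the query is expected to object to. Counting the new side, `status` lands on line 27, and the expected-results file carries a hit on line 27 for the renamed file, so the query appears to treat a non-enabled versioning status as an MFA-delete failure even when `mfa_delete` is requested. A one-line comment above `versioning_configuration` would make that intent explicit, e.g. `# positive: MFA delete only takes effect on a versioning-enabled bucket, so the status line is reported`.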

This file was deleted.

@@ -1,74 +1,62 @@
[
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 14,
"fileName": "positive1.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 23,
"fileName": "positive2.tf"
"fileName": "positive1.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 25,
"fileName": "positive3.tf"
"fileName": "positive2.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 24,
"fileName": "positive4.tf"
"fileName": "positive3.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 23,
"fileName": "positive4.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 1,
"fileName": "positive5.tf"
"fileName": "positive3.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 8,
"fileName": "positive6.tf"
"fileName": "positive4.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 10,
"fileName": "positive7.tf"
"fileName": "positive5.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 8,
"fileName": "positive8.tf"
"fileName": "positive6.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 9,
"fileName": "positive8.tf"
"fileName": "positive6.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 28,
"fileName": "positive9.tf"
"fileName": "positive7.tf"
},
{
"queryName": "S3 Bucket Without Enabled MFA Delete",
"severity": "LOW",
"line": 27,
"fileName": "positive10.tf"
"fileName": "positive8.tf"
}
]