feat(query): reduce NET_RAW capability not being dropped severity to MEDIUM

fixes Checkmarx#5895
Patrick Pichler committed Oct 3, 2022
1 parent ac87ca4 commit 3e0729e
Showing 6 changed files with 14 additions and 14 deletions.
@@ -1,7 +1,7 @@
{
"id": "dbbc6705-d541-43b0-b166-dd4be8208b54",
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
"descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
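Review bot: the HIGH to MEDIUM change in this metadata file carries no rationale; the commit body only says `fixes Checkmarx#5895`, and nothing else in the hunk changes. Add a sentence to the commit message stating why leaving NET_RAW (raw-socket access) in a container is now rated below the "Container Is Privileged" and "Privilege Escalation Allowed" checks that stay High in the docs tables further down this commit, so the downgrade is recognisable as deliberate rather than as a typo in the score. The `descriptionText` ("drop 'ALL' or at least 'NET_RAW'") is unchanged and still gives the right remediation; only the reported severity moves.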
@@ -1,31 +1,31 @@
[
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 11,
"fileName": "positive1.yaml"
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 18,
"fileName": "positive1.yaml"
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 21,
"fileName": "positive1.yaml"
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 13,
"fileName": "positive1.yaml"
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 31,
"fileName": "positive2.yaml"
}
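Review bot: every entry in this expected-results fixture hard-codes the severity, so a one-field edit in the query metadata forces five identical edits here, and the test now only asserts that the reporting layer copies the new value; no detection logic (no Rego) is touched by this commit. Consider having the test harness read the expected severity from the query's metadata JSON (the first file in this commit) and keep only `queryName`, `line` and `fileName` in the fixture, so the next severity adjustment does not need to touch positive-result files at all.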
@@ -1,7 +1,7 @@
{
"id": "e5587d53-a673-4a6b-b3f2-ba07ec274def",
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
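Review bot: lowering the Terraform twin (id e5587d53-…) together with the Kubernetes query keeps the same misconfiguration at the same severity regardless of IaC format, which is the right call. Before merging, confirm that these two are the only queries named `NET_RAW Capabilities Not Being Dropped`: the commit touches only two metadata files, and any third platform copy left at HIGH would report the same finding at two different severities depending on which file type the user scans.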
@@ -1,22 +1,22 @@
[
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 8
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 8
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 8
},
{
"queryName": "NET_RAW Capabilities Not Being Dropped",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 140
}
]
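Review bot: three of the four expected findings sit at `"line": 8` with no `fileName`, so this fixture cannot tell one positive sample from another, and a regression that moved or dropped a finding in one sample while adding one in another would still pass. The Kubernetes fixture earlier in this commit records `fileName` for each entry; add it here for the same reason, ideally in the same change since the file is being rewritten anyway.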
4 changes: 2 additions & 2 deletions docs/queries/all-queries.md
@@ -286,7 +286,7 @@ This page contains all queries.
|PSP Allows Containers To Share The Host Network Namespace<br/><sup><sub>a33e9173-b674-4dfb-9d82-cf3754816e4b</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|<a href="https://kubernetes.io/docs/concepts/policy/pod-security-policy/">Documentation</a><br/>|
|Tiller (Helm v2) Is Deployed<br/><sup><sub>6d173be7-545a-46c6-a81d-2ae52ed1605d</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Check if Tiller is deployed.|<a href="https://kubernetes.io/docs/concepts/containers/images/">Documentation</a><br/>|
|Tiller Service Is Not Deleted<br/><sup><sub>8b862ca9-0fbd-4959-ad72-b6609bdaa22d</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Check if there is any Tiller Service present|<a href="https://kubernetes.io/docs/concepts/services-networking/service">Documentation</a><br/>|
|NET_RAW Capabilities Not Being Dropped<br/><sup><sub>dbbc6705-d541-43b0-b166-dd4be8208b54</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Documentation</a><br/>|
|NET_RAW Capabilities Not Being Dropped<br/><sup><sub>dbbc6705-d541-43b0-b166-dd4be8208b54</sub></sup>|Kubernetes|<span style="color:#C60">Medium</span>|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Documentation</a><br/>|
|Object Is Using A Deprecated API Version<br/><sup><sub>94b76ea5-e074-4ca2-8a03-c5a606e30645</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Check if any objects are using a deprecated version of API.|<a href="https://kubernetes.io/docs/reference/using-api/deprecation-policy/">Documentation</a><br/>|
|Privilege Escalation Allowed<br/><sup><sub>5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Documentation</a><br/>|
|Container Is Privileged<br/><sup><sub>dd29336b-fe57-445b-a26e-e6aa867ae609</sub></sup>|Kubernetes|<span style="color:#C00">High</span>|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|<a href="https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers">Documentation</a><br/>|
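Review bot: after being relabelled Medium (#C60) the row keeps its position inside a run of High (#C00) Kubernetes entries. If this table is generated from the query metadata and ordered by severity, regenerate the docs instead of hand-editing the row so the layout matches the next automated run; if it is hand-maintained, move the row next to the other Medium Kubernetes queries.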
@@ -1143,7 +1143,7 @@ This page contains all queries.
|Not Limited Capabilities For Pod Security Policy<br/><sup><sub>2acb555f-f4ad-4b1b-b984-84e6588f4b05</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Limit capabilities for a Pod Security Policy|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities">Documentation</a><br/>|
|Cluster Allows Unsafe Sysctls<br/><sup><sub>a9174d31-d526-4ad9-ace4-ce7ddbf52e03</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls">Documentation</a><br/>|
|Tiller (Helm v2) Is Deployed<br/><sup><sub>ca2fba76-c1a7-4afd-be67-5249f861cb0e</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Check if Tiller is deployed.|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image">Documentation</a><br/>|
|NET_RAW Capabilities Not Being Dropped<br/><sup><sub>e5587d53-a673-4a6b-b3f2-ba07ec274def</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop">Documentation</a><br/>|
|NET_RAW Capabilities Not Being Dropped<br/><sup><sub>e5587d53-a673-4a6b-b3f2-ba07ec274def</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop">Documentation</a><br/>|
|Privilege Escalation Allowed<br/><sup><sub>c878abb4-cca5-4724-92b9-289be68bd47c</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation">Documentation</a><br/>|
|PSP Allows Containers To Share The Host Network Namespace<br/><sup><sub>4950837c-0ce5-4e42-9bee-a25eae73740b</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network">Documentation</a><br/>|
|Container Is Privileged<br/><sup><sub>87065ef8-de9b-40d8-9753-f4a4303e27a4</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged">Documentation</a><br/>|
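Review bot: same placement issue as the Kubernetes row: the Terraform entry (id e5587d53-…) now reads Medium but still sits among High rows such as "Container Is Privileged" and "Privilege Escalation Allowed". Regenerate or relocate it so the table's severity grouping stays consistent.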
2 changes: 1 addition & 1 deletion docs/queries/kubernetes-queries.md
@@ -19,7 +19,7 @@ This page contains all queries from Kubernetes.
|PSP Allows Containers To Share The Host Network Namespace<br/><sup><sub>a33e9173-b674-4dfb-9d82-cf3754816e4b</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|<a href="https://kubernetes.io/docs/concepts/policy/pod-security-policy/">Documentation</a><br/>|
|Tiller (Helm v2) Is Deployed<br/><sup><sub>6d173be7-545a-46c6-a81d-2ae52ed1605d</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Check if Tiller is deployed.|<a href="https://kubernetes.io/docs/concepts/containers/images/">Documentation</a><br/>|
|Tiller Service Is Not Deleted<br/><sup><sub>8b862ca9-0fbd-4959-ad72-b6609bdaa22d</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Check if there is any Tiller Service present|<a href="https://kubernetes.io/docs/concepts/services-networking/service">Documentation</a><br/>|
|NET_RAW Capabilities Not Being Dropped<br/><sup><sub>dbbc6705-d541-43b0-b166-dd4be8208b54</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Documentation</a><br/>|
|NET_RAW Capabilities Not Being Dropped<br/><sup><sub>dbbc6705-d541-43b0-b166-dd4be8208b54</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Documentation</a><br/>|
|Object Is Using A Deprecated API Version<br/><sup><sub>94b76ea5-e074-4ca2-8a03-c5a606e30645</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Check if any objects are using a deprecated version of API.|<a href="https://kubernetes.io/docs/reference/using-api/deprecation-policy/">Documentation</a><br/>|
|Privilege Escalation Allowed<br/><sup><sub>5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Documentation</a><br/>|
|Container Is Privileged<br/><sup><sub>dd29336b-fe57-445b-a26e-e6aa867ae609</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|<a href="https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers">Documentation</a><br/>|
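Review bot: the per-platform page now matches the all-queries.md row for id dbbc6705-… (Medium, #C60, same description and link), which is the consistency check that matters here. The row again stays inside the High block; whatever is decided for all-queries.md (regenerate or relocate) should be applied to this file in the same commit so the two tables do not drift.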