Merge branch 'master' into AST-121533

Author: cx-ricardo-jesus

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.25.5-r0-88daadd3e5be94@sha256:88daadd3e5be943116bb664f39f0d94a87ed80f993a94069fe8c348e9e2d3677 AS build_env
+FROM checkmarx/go:1.25.6-r0@sha256:8e7befa1320d506ee2e5511501196bc4afa0df731b54809a7404cdd766d3b940 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.52.0-r0-ebac36fe57b6e8@sha256:ebac36fe57b6e814f276560a1e4515c0390acb216a57a3ed667fab04f1b5fcf4
+FROM checkmarx/git:2.52.0-r2@sha256:02efaee67a44a711d858628a6c02b06ee3ef90ed42906c9c8d98ef054a6b7165
 
 ENV TERM xterm-256color
 

assets/libraries/common.rego

@@ -642,7 +642,7 @@ get_user_from_policy_attachment(attachment) = user {
 }
 
 unrecommended_permission_policy(resourcePolicy, permission) {
-	policy := json_unmarshal(resourcePolicy.policy)
+	policy := get_policy(resourcePolicy.policy)
 
 	st := get_statement(policy)
 	statement := st[_]

assets/libraries/terraform.rego

@@ -534,11 +534,11 @@ is_publicly_accessible(policy) {
 }
 
 get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info {
-	policy := common_lib.json_unmarshal(resource.policy)
+	policy := common_lib.get_policy(resource.policy)
 	is_publicly_accessible(policy)
 	info = {"accessibility": "public", "policy": policy}
 } else = info {
-	policy := common_lib.json_unmarshal(resource.policy)
+	policy := common_lib.get_policy(resource.policy)
 	not is_publicly_accessible(policy)
 	info = {"accessibility": "hasPolicy", "policy": policy}
 } else = info {
@@ -547,7 +547,7 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info {
 	resourcePolicy := input.document[_].resource[resourcePolicyName][_]
 	split(resourcePolicy[resourceTarget], ".")[1] == name
 
-	policy := common_lib.json_unmarshal(resourcePolicy.policy)
+	policy := common_lib.get_policy(resourcePolicy.policy)
 	is_publicly_accessible(policy)
 	info = {"accessibility": "public", "policy": policy}
 } else = info {
@@ -556,7 +556,7 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info {
 	resourcePolicy := input.document[_].resource[resourcePolicyName][_]
 	split(resourcePolicy[resourceTarget], ".")[1] == name
 
-	policy := common_lib.json_unmarshal(resourcePolicy.policy)
+	policy := common_lib.get_policy(resourcePolicy.policy)
 	not is_publicly_accessible(policy)
 	info = {"accessibility": "hasPolicy", "policy": policy}
 } else = info {
@@ -613,7 +613,7 @@ has_target_resource(bucketName, resourceName) {
 
 #Checks if an action is allowed for all principals
 allows_action_from_all_principals(json_policy, action) {
- 	policy := common_lib.json_unmarshal(json_policy)
+ 	policy := common_lib.get_policy(json_policy)
 	st := common_lib.get_statement(policy)
 	statement := st[_]
 	statement.Effect == "Allow"
@@ -622,7 +622,7 @@ allows_action_from_all_principals(json_policy, action) {
 }
 
 allows_all_s3_actions_from_all_principals_match(json_policy) {
-    policy := common_lib.json_unmarshal(json_policy)
+    policy := common_lib.get_policy(json_policy)
 	st := common_lib.get_statement(policy)
 	statement := st[_]
 	statement.Effect == "Allow"

assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego

@@ -8,56 +8,47 @@ CxPolicy[result] {
 
 	value.type == "Microsoft.Web/sites"
 
-	not common_lib.valid_key(value, "identity")
+	res := get_res(value, path)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": value.type,
 		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
-		"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
-		"searchLine": common_lib.build_search_line(path, ["name"]),
+		"searchKey": res.sk,
+		"issueType": res.it,
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	doc := input.document[i]
-	[path, value] = walk(doc)
-
-	value.type == "Microsoft.Web/sites"
+get_res(value, path) = res {
+	not common_lib.valid_key(value, "identity")
+	res := {
+		"sk": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
+		"it": "MissingAttribute",
+		"kev": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
+		"kav": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
+		"sl": common_lib.build_search_line(path, ["name"])
+	}
+} else = res {
 	not common_lib.valid_key(value.identity, "type")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": value.type,
-		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
-		"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
-		"searchLine": common_lib.build_search_line(path, ["identity"]),
+	res := {
+		"sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+		"it": "MissingAttribute",
+		"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+		"kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+		"sl": common_lib.build_search_line(path, ["identity"])
 	}
-}
-
-CxPolicy[result] {
-	doc := input.document[i]
-	[path, value] = walk(doc)
-
-	value.type == "Microsoft.Web/sites"
+} else = res {
 	common_lib.valid_key(value.identity, "type")
 	not is_valid_identity(value.identity)
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": value.type,
-		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to %s",
-		"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to %s",
-		"searchLine": common_lib.build_search_line(path, ["identity"]),
+	res := {
+		"sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+		"it": "IncorrectValue",
+		"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+		"kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+		"sl": common_lib.build_search_line(path, ["identity"])
 	}
 }
 

assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep

@@ -0,0 +1,12 @@
+resource webSitePositive7 'Microsoft.Web/sites@2020-12-01' = {
+  name: 'webSitePositive7'
+  location: 'location1'
+  tags: {}
+  identity: {
+    type: 'UserAssigned'
+  }
+  properties: {
+    enabled: true
+    httpsOnly: true
+  }
+}

assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.39.26.7824",
+      "templateHash": "623030832249271008"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2020-12-01",
+      "name": "webSitePositive7",
+      "location": "location1",
+      "tags": {},
+      "identity": {
+        "type": "UserAssigned"
+      },
+      "properties": {
+        "enabled": true,
+        "httpsOnly": true
+      }
+    }
+  ]
+}

assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json

@@ -35,6 +35,12 @@
     "line": 17,
     "fileName": "positive6.json"
   },
+  {
+    "queryName": "Website Azure Active Directory Disabled",
+    "severity": "LOW",
+    "line": 18,
+    "fileName": "positive7.json"
+  },
   {
     "queryName": "Website Azure Active Directory Disabled",
     "severity": "LOW",
@@ -70,5 +76,11 @@
     "severity": "LOW",
     "line": 5,
     "fileName": "positive6.bicep"
+  },
+  {
+    "queryName": "Website Azure Active Directory Disabled",
+    "severity": "LOW",
+    "line": 5,
+    "fileName": "positive7.bicep"
   }
 ]

assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego

@@ -10,58 +10,45 @@ CxPolicy[result] {
 	resource.Type == "AWS::ApiGateway::RestApi"
 	properties := resource.Properties
 
-	properties.MinimumCompressionSize < 0
+	res := get_res(properties, name, path)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0",
-		"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+		"searchKey": res.sk,
+		"issueType": res.it,
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	docs := input.document[i]
-	[path, Resources] := walk(docs)
-	resource := Resources[name]
-	resource.Type == "AWS::ApiGateway::RestApi"
-	properties := resource.Properties
-
+get_res(properties, name, path) = res {
+	properties.MinimumCompressionSize < 0
+	res := {
+		"sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+		"it": "IncorrectValue",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]),
+		"sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+	}
+} else = res {
 	properties.MinimumCompressionSize > 10485759
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759",
-		"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+	res := {
+		"sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+		"it": "IncorrectValue",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]),
+		"sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 	}
-}
-
-CxPolicy[result] {
-	docs := input.document[i]
-	[path, Resources] := walk(docs)
-	resource := Resources[name]
-	resource.Type == "AWS::ApiGateway::RestApi"
-	properties := resource.Properties
-
+} else = res {
 	not common_lib.valid_key(properties, "MinimumCompressionSize")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
-		"searchLine": common_lib.build_search_line(path, [name, "Properties"]),
+	res := {
+		"sk": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
+		"it": "MissingAttribute",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
+		"sl": common_lib.build_search_line(path, [name, "Properties"]),
 	}
-}
+}

assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego

@@ -9,43 +9,42 @@ CxPolicy[result] {
 	resource.Type == "AWS::Serverless::Api"
 	properties := resource.Properties
 
-	unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+	res := get_res(properties, name)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759",
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+		"searchKey": res.sk,
+		"issueType": res.it,
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	document := input.document
-	resource = document[i].Resources[name]
-	resource.Type == "AWS::Serverless::Api"
-	properties := resource.Properties
-
+get_res(properties, name) = res {
+	unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+	res := {
+		"sk": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
+		"it": "IncorrectValue",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", [name]),
+		"sl": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+	}
+} else = res {
 	not common_lib.valid_key(properties, "MinimumCompressionSize")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+	res := {
+		"sk": sprintf("Resources.%s.Properties", [name]),
+		"it": "MissingAttribute",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
+		"sl": common_lib.build_search_line(["Resources", name, "Properties"], []),
 	}
 }
 
-
 unrecommended_minimum_compression_size(value) {
 	value < 0
 } else {
 	value > 10485759
-}
+}

assets/queries/terraform/alicloud/alb_listening_on_http/query.rego

@@ -13,8 +13,8 @@ CxPolicy[result] {
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("alicloud_alb_listener[%s].listener_protocol", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'",
-		"keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'",
+		"keyExpectedValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'", [name]),
+		"keyActualValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []),
 		"remediation": json.marshal({
 			"before": "HTTP",