
Commit 1be74e5

Merge branch 'master' into AST-121533
2 parents 0cb83ca + 8d02dfd commit 1be74e5


182 files changed

+3160
-355
lines changed


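--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.25.5-r0-88daadd3e5be94@sha256:88daadd3e5be943116bb664f39f0d94a87ed80f993a94069fe8c348e9e2d3677 AS build_env
+FROM checkmarx/go:1.25.6-r0@sha256:8e7befa1320d506ee2e5511501196bc4afa0df731b54809a7404cdd766d3b940 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.52.0-r0-ebac36fe57b6e8@sha256:ebac36fe57b6e814f276560a1e4515c0390acb216a57a3ed667fab04f1b5fcf4
+FROM checkmarx/git:2.52.0-r2@sha256:02efaee67a44a711d858628a6c02b06ee3ef90ed42906c9c8d98ef054a6b7165
 
 ENV TERM xterm-256color
 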
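--- a/assets/libraries/common.rego
+++ b/assets/libraries/common.rego
@@ -642,7 +642,7 @@ get_user_from_policy_attachment(attachment) = user {
 }
 
 unrecommended_permission_policy(resourcePolicy, permission) {
-policy := json_unmarshal(resourcePolicy.policy)
+policy := get_policy(resourcePolicy.policy)
 
 st := get_statement(policy)
 statement := st[_]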
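Review bot: The switch from `json_unmarshal` to `get_policy` at line 645 changes what happens when `resourcePolicy.policy` is not a JSON string, and nothing in the hunk states `get_policy`'s contract — whether it decodes a string, passes an already-decoded object through, or is simply undefined on anything else. Because an undefined `policy` makes `unrecommended_permission_policy` silently false, any shape `get_policy` cannot handle becomes a missed finding rather than a visible error, so the accepted shapes deserve a line next to the call, along the lines of `# get_policy accepts a JSON string or an already-decoded policy object; anything else leaves this rule undefined (no finding)`, worded to match what get_policy actually does. `unrecommended_permission_policy` continues past the end of the hunk.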

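--- a/assets/libraries/terraform.rego
+++ b/assets/libraries/terraform.rego
@@ -534,11 +534,11 @@ is_publicly_accessible(policy) {
 }
 
 get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info {
-policy := common_lib.json_unmarshal(resource.policy)
+policy := common_lib.get_policy(resource.policy)
 is_publicly_accessible(policy)
 info = {"accessibility": "public", "policy": policy}
 } else = info {
-policy := common_lib.json_unmarshal(resource.policy)
+policy := common_lib.get_policy(resource.policy)
 not is_publicly_accessible(policy)
 info = {"accessibility": "hasPolicy", "policy": policy}
 } else = info {
@@ -547,7 +547,7 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info {
 resourcePolicy := input.document[_].resource[resourcePolicyName][_]
 split(resourcePolicy[resourceTarget], ".")[1] == name
 
-policy := common_lib.json_unmarshal(resourcePolicy.policy)
+policy := common_lib.get_policy(resourcePolicy.policy)
 is_publicly_accessible(policy)
 info = {"accessibility": "public", "policy": policy}
 } else = info {
@@ -556,7 +556,7 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info {
 resourcePolicy := input.document[_].resource[resourcePolicyName][_]
 split(resourcePolicy[resourceTarget], ".")[1] == name
 
-policy := common_lib.json_unmarshal(resourcePolicy.policy)
+policy := common_lib.get_policy(resourcePolicy.policy)
 not is_publicly_accessible(policy)
 info = {"accessibility": "hasPolicy", "policy": policy}
 } else = info {
@@ -613,7 +613,7 @@ has_target_resource(bucketName, resourceName) {
 
 #Checks if an action is allowed for all principals
 allows_action_from_all_principals(json_policy, action) {
-policy := common_lib.json_unmarshal(json_policy)
+policy := common_lib.get_policy(json_policy)
 st := common_lib.get_statement(policy)
 statement := st[_]
 statement.Effect == "Allow"
@@ -622,7 +622,7 @@ allows_action_from_all_principals(json_policy, action) {
 }
 
 allows_all_s3_actions_from_all_principals_match(json_policy) {
-policy := common_lib.json_unmarshal(json_policy)
+policy := common_lib.get_policy(json_policy)
 st := common_lib.get_statement(policy)
 statement := st[_]
 statement.Effect == "Allow"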
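Review bot: The parameter name `json_policy` in `allows_action_from_all_principals` (line 615) and `allows_all_s3_actions_from_all_principals_match` (line 624) now reads as a promise the code no longer makes, since each body hands it to `common_lib.get_policy` instead of `json_unmarshal` and, judging from the rename alone, presumably also accepts a non-JSON value such as an already-decoded policy object. Either rename it to `policy` in both rule heads or put a line above each head such as `# policy: the raw policy attribute as read from the resource; may be a JSON string or an already-decoded object`, so the next reader does not reintroduce a string-only assumption. Both rules, like `get_accessibility` in the earlier hunks, continue outside the lines shown.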

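--- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego
@@ -8,56 +8,47 @@ CxPolicy[result] {
 
 value.type == "Microsoft.Web/sites"
 
-not common_lib.valid_key(value, "identity")
+res := get_res(value, path)
 
 result := {
 "documentId": input.document[i].id,
 "resourceType": value.type,
 "resourceName": value.name,
-"searchKey": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
-"issueType": "MissingAttribute",
-"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
-"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
-"searchLine": common_lib.build_search_line(path, ["name"]),
+"searchKey": res.sk,
+"issueType": res.it,
+"keyExpectedValue": res.kev,
+"keyActualValue": res.kav,
+"searchLine": res.sl,
 }
 }
 
-CxPolicy[result] {
-doc := input.document[i]
-[path, value] = walk(doc)
-
-value.type == "Microsoft.Web/sites"
+get_res(value, path) = res {
+not common_lib.valid_key(value, "identity")
+res := {
+"sk": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
+"it": "MissingAttribute",
+"kev": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
+"kav": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
+"sl": common_lib.build_search_line(path, ["name"])
+}
+} else = res {
 not common_lib.valid_key(value.identity, "type")
-
-result := {
-"documentId": input.document[i].id,
-"resourceType": value.type,
-"resourceName": value.name,
-"searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
-"issueType": "MissingAttribute",
-"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
-"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
-"searchLine": common_lib.build_search_line(path, ["identity"]),
+res := {
+"sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+"it": "MissingAttribute",
+"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+"kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+"sl": common_lib.build_search_line(path, ["identity"])
 }
-}
-
-CxPolicy[result] {
-doc := input.document[i]
-[path, value] = walk(doc)
-
-value.type == "Microsoft.Web/sites"
+} else = res {
 common_lib.valid_key(value.identity, "type")
 not is_valid_identity(value.identity)
-
-result := {
-"documentId": input.document[i].id,
-"resourceType": value.type,
-"resourceName": value.name,
-"searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
-"issueType": "IncorrectValue",
-"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to %s",
-"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to %s",
-"searchLine": common_lib.build_search_line(path, ["identity"]),
+res := {
+"sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+"it": "IncorrectValue",
+"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+"kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+"sl": common_lib.build_search_line(path, ["identity"])
 }
 }
 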
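Review bot: The `IncorrectValue` messages of the third `get_res` branch (new lines 49-50) do not describe the case the new positive7 fixture in this same commit exercises: that site sets `identity.type: 'UserAssigned'` and is expected to be flagged, yet with the `type` key present only this branch can fire, and it then reports that the type is not 'SystemAssigned' or 'UserAssigned' although it is exactly that. If `is_valid_identity` (defined outside the hunk) is what rejects a `UserAssigned` identity lacking `userAssignedIdentities`, the wording should say so, e.g. `"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned', or to 'UserAssigned' with 'userAssignedIdentities' defined"` with a matching `kav`. The old text at least signalled the gap with an unfilled `%s`; the new text is confidently wrong, which is worse for whoever triages the finding. The head of the `CxPolicy` rule is above the hunk.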

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
resource webSitePositive7 'Microsoft.Web/sites@2020-12-01' = {
2+
name: 'webSitePositive7'
3+
location: 'location1'
4+
tags: {}
5+
identity: {
6+
type: 'UserAssigned'
7+
}
8+
properties: {
9+
enabled: true
10+
httpsOnly: true
11+
}
12+
}
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3+
"contentVersion": "1.0.0.0",
4+
"metadata": {
5+
"_generator": {
6+
"name": "bicep",
7+
"version": "0.39.26.7824",
8+
"templateHash": "623030832249271008"
9+
}
10+
},
11+
"resources": [
12+
{
13+
"type": "Microsoft.Web/sites",
14+
"apiVersion": "2020-12-01",
15+
"name": "webSitePositive7",
16+
"location": "location1",
17+
"tags": {},
18+
"identity": {
19+
"type": "UserAssigned"
20+
},
21+
"properties": {
22+
"enabled": true,
23+
"httpsOnly": true
24+
}
25+
}
26+
]
27+
}

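--- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json
@@ -35,6 +35,12 @@
 "line": 17,
 "fileName": "positive6.json"
 },
+{
+"queryName": "Website Azure Active Directory Disabled",
+"severity": "LOW",
+"line": 18,
+"fileName": "positive7.json"
+},
 {
 "queryName": "Website Azure Active Directory Disabled",
 "severity": "LOW",
@@ -70,5 +76,11 @@
 "severity": "LOW",
 "line": 5,
 "fileName": "positive6.bicep"
+},
+{
+"queryName": "Website Azure Active Directory Disabled",
+"severity": "LOW",
+"line": 5,
+"fileName": "positive7.bicep"
 }
 ]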

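--- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
@@ -10,58 +10,45 @@ CxPolicy[result] {
 resource.Type == "AWS::ApiGateway::RestApi"
 properties := resource.Properties
 
-properties.MinimumCompressionSize < 0
+res := get_res(properties, name, path)
 
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
-"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
-"issueType": "IncorrectValue",
-"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0",
-"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+"searchKey": res.sk,
+"issueType": res.it,
+"keyExpectedValue": res.kev,
+"keyActualValue": res.kav,
+"searchLine": res.sl,
 }
 }
 
-CxPolicy[result] {
-docs := input.document[i]
-[path, Resources] := walk(docs)
-resource := Resources[name]
-resource.Type == "AWS::ApiGateway::RestApi"
-properties := resource.Properties
-
+get_res(properties, name, path) = res {
+properties.MinimumCompressionSize < 0
+res := {
+"sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+"it": "IncorrectValue",
+"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]),
+"sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+}
+} else = res {
 properties.MinimumCompressionSize > 10485759
-
-result := {
-"documentId": input.document[i].id,
-"resourceType": resource.Type,
-"resourceName": cf_lib.get_resource_name(resource, name),
-"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
-"issueType": "IncorrectValue",
-"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759",
-"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+res := {
+"sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+"it": "IncorrectValue",
+"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]),
+"sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 }
-}
-
-CxPolicy[result] {
-docs := input.document[i]
-[path, Resources] := walk(docs)
-resource := Resources[name]
-resource.Type == "AWS::ApiGateway::RestApi"
-properties := resource.Properties
-
+} else = res {
 not common_lib.valid_key(properties, "MinimumCompressionSize")
-
-result := {
-"documentId": input.document[i].id,
-"resourceType": resource.Type,
-"resourceName": cf_lib.get_resource_name(resource, name),
-"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
-"issueType": "MissingAttribute",
-"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
-"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
-"searchLine": common_lib.build_search_line(path, [name, "Properties"]),
+res := {
+"sk": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
+"it": "MissingAttribute",
+"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
+"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
+"sl": common_lib.build_search_line(path, [name, "Properties"]),
 }
-}
+}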
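Review bot: In `get_res` (new lines 27-45) the `< 0` and `> 10485759` comparisons are applied to `properties.MinimumCompressionSize` without first checking that it is a number; if I read Rego's cross-type ordering correctly (numbers sort before strings and objects), a quoted value such as `"1024"` or an intrinsic like `!Ref` compares greater than any number, so such a template lands in the second branch and is reported as 'greater than 10485759'. The behaviour is inherited from the three rules this commit collapses, but the refactor is the natural moment to guard it: `is_number(properties.MinimumCompressionSize)` as the first line of the first two branches leaves non-numeric values without a misleading finding (they would then produce no finding at all, which is worth a comment if that is the intended outcome). The enclosing `CxPolicy` rule begins above the hunk.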

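--- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
@@ -9,43 +9,42 @@ CxPolicy[result] {
 resource.Type == "AWS::Serverless::Api"
 properties := resource.Properties
 
-unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+res := get_res(properties, name)
 
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
-"searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
-"issueType": "IncorrectValue",
-"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759",
-"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+"searchKey": res.sk,
+"issueType": res.it,
+"keyExpectedValue": res.kev,
+"keyActualValue": res.kav,
+"searchLine": res.sl,
 }
 }
 
-CxPolicy[result] {
-document := input.document
-resource = document[i].Resources[name]
-resource.Type == "AWS::Serverless::Api"
-properties := resource.Properties
-
+get_res(properties, name) = res {
+unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+res := {
+"sk": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
+"it": "IncorrectValue",
+"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", [name]),
+"sl": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+}
+} else = res {
 not common_lib.valid_key(properties, "MinimumCompressionSize")
-
-result := {
-"documentId": input.document[i].id,
-"resourceType": resource.Type,
-"resourceName": cf_lib.get_resource_name(resource, name),
-"searchKey": sprintf("Resources.%s.Properties", [name]),
-"issueType": "MissingAttribute",
-"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
-"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
-"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+res := {
+"sk": sprintf("Resources.%s.Properties", [name]),
+"it": "MissingAttribute",
+"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
+"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
+"sl": common_lib.build_search_line(["Resources", name, "Properties"], []),
 }
 }
 
-
 unrecommended_minimum_compression_size(value) {
 value < 0
 } else {
 value > 10485759
-}
+}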
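Review bot: The ordering of the `get_res` branches (new lines 26-36) looks like it makes the 'is not defined or null' message unreachable for an explicit null: `MinimumCompressionSize: null` is first handed to `unrecommended_minimum_compression_size(null)`, and `null < 0` holds under Rego's type ordering (null sorts before numbers), so the finding would claim the value is 'smaller than 0 or greater than 10485759'. If that reading is right, `is_number(properties.MinimumCompressionSize)` as the first line of the first branch (or inside `unrecommended_minimum_compression_size` itself) lets nulls fall through to the `not common_lib.valid_key` branch — on the assumption, which the message already makes, that `valid_key` treats a null value as absent. The head of the `CxPolicy` rule is above the hunk.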

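--- a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
+++ b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
@@ -13,8 +13,8 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("alicloud_alb_listener[%s].listener_protocol", [name]),
 "issueType": "IncorrectValue",
-"keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'",
-"keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'",
+"keyExpectedValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'", [name]),
+"keyActualValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'", [name]),
 "searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []),
 "remediation": json.marshal({
 "before": "HTTP",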