feat(kics_ar): add remediation for terraform alicloud security queries (

#5600)

* (kics auto remediation): first approach

* adding tests

* replacement approach change

* alicloud

* QUERIES THAT VERIFY A FIELD SET TO FALSE

* UNRECOMMENDED VALUE

* added E2E tests

* fixing unit test + improving

* fix errors

* fix

* correcting f.Close

* improving

* improving

* fixing E2E

* test

* adding more tests

* fixing codacy issue

* improving tests

* testing permissions on Dockerfile.ubi8

* Merge branch 'kics_auto_remediation/terraform_alic

* remove changes

* delete newline at file end

Co-authored-by: rafaela-soares <rafaela.soares@checkmarx.com>

assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego

@@ -6,8 +6,26 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 	some i
 	resource := input.document[i].resource.alicloud_actiontrail_trail[name]
+    not common_lib.valid_key(resource, "oss_bucket_name")
 
-    possibilities := {"event_rw", "oss_bucket_name", "trail_region"}
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "alicloud_actiontrail_trail",
+		"resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_actiontrail_trail", name),
+		"searchKey": sprintf("alicloud_actiontrail_trail[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "oss_bucket_name is set.",
+		"keyActualValue": "oss_bucket_name is not set.",
+        "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []),
+	}
+}
+
+CxPolicy[result] {
+	some i
+	resource := input.document[i].resource.alicloud_actiontrail_trail[name]
+
+    possibilities := {"event_rw", "trail_region"}
     not common_lib.valid_key(resource, possibilities[p])
 
 
@@ -20,6 +38,8 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("'%s' is set.",[possibilities[p]]),
 		"keyActualValue": sprintf("'%s' is not set.",[possibilities[p]]),
         "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []),
+		"remediation": sprintf("%s= \"ALL\"", [p]),
+		"remediationType": "addition",
 	}
 }
 
@@ -30,7 +50,7 @@ CxPolicy[result] {
     p := {"event_rw", "trail_region"}
     resource[p[f]] != "All"
 
-
+    remediation := {"before":resource[p[f]] , "after": "All" }
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "alicloud_actiontrail_trail",
@@ -40,5 +60,7 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("'%s' is set to All", [p[f]]),
 		"keyActualValue": sprintf("'%s' is not set to All", [p[f]]),
         "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name, p[f]], []),
+		"remediation": json.marshal(remediation),
+		"remediationType": "replacement",
 	}
 }

assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego

@@ -14,12 +14,17 @@ CxPolicy[result] {
 
     result := {
         "documentId": input.document[i].id,
-        "resourceType": "alicloud_actiontrail_trail",
-		"resourceName": tf_lib.get_specific_resource_name(actiontrail, "alicloud_actiontrail_trail", name),
-        "searchKey": sprintf("alicloud_actiontrail_trail[%s].oss_bucket_name", [name]),
+        "resourceType": "alicloud_oss_bucket",
+		"resourceName": tf_lib.get_specific_resource_name(actiontrail, "alicloud_oss_bucket", name),
+        "searchKey": sprintf("alicloud_oss_bucket[%s].acl", [name]),
         "issueType": "IncorrectValue",
-        "keyExpectedValue": sprintf("'alicloud_actiontrail_trail[%s].oss_bucket_name' is private", [name]),
-        "keyActualValue": sprintf("'alicloud_actiontrail_trail[%s].oss_bucket_name' is %s", [name, possibilities[p]]),
-        "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name, "oss_bucket_name"], []),
+        "keyExpectedValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is private", [name]),
+        "keyActualValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is %s", [name, possibilities[p]]),
+        "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []),
+        "remediation": json.marshal({
+            "before": p,
+            "after": "private"
+        }),
+        "remediationType": "replacement",
     }
 }

assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json

@@ -2,13 +2,13 @@
   {
     "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible",
     "severity": "HIGH",
-    "line": 9,
+    "line": 3,
     "fileName": "positive2.tf"
   },
   {
     "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible",
     "severity": "HIGH",
-    "line": 9,
+    "line": 3,
     "fileName": "positive1.tf"
   }
 ]

assets/queries/terraform/alicloud/alb_listening_on_http/query.rego

@@ -16,5 +16,10 @@ CxPolicy[result] {
 		"keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'",
 		"keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []),
+		"remediation": json.marshal({
+			"before": "HTTP",
+			"after": "HTTPS"
+		}),
+		"remediationType": "replacement"
 	}
 }

assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego

@@ -9,7 +9,7 @@ CxPolicy[result] {
 
 	auto_repair := resource.management.auto_repair 
     auto_repair == false
-	
+
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "alicloud_cs_kubernetes_node_pool",
@@ -19,6 +19,11 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("For the resource alicloud_cs_kubernetes_node_pool[%s] to have 'auto_repair' set to true.", [name]),
 		"keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] has 'auto_repair' set to false.", [name]),
         "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management", "auto_repair"], []),
+		"remediation": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"remediationType": "replacement",
 	}
 }
 
@@ -53,5 +58,7 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("For the resource alicloud_cs_kubernetes_node_pool[%s] to have a 'management' block containing 'auto_repair' set to true.", [name]),
 		"keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] has a 'management' block but it doesn't contain 'auto_repair' ", [name]),
         "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management"], []),
+		"remediation": "auto_repair = true",
+		"remediationType": "addition",
 	}
 }

assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego

@@ -6,8 +6,7 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 
 	resource := input.document[i].resource.alicloud_disk[name]
-    resource.encrypted == false
-
+    resource.encrypted == false  
 
 	result := {
 		"documentId": input.document[i].id,
@@ -18,6 +17,11 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("[%s] has encryption set to true", [name]),
 		"keyActualValue": sprintf("[%s] has encryption set to false", [name]),
         "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name, "encrypted"], []),
+		"remediation": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"remediationType": "replacement",
 	}
 }
 
@@ -26,7 +30,6 @@ CxPolicy[result] {
 	resource := input.document[i].resource.alicloud_disk[name]
     not common_lib.valid_key(resource, "encrypted")
 	not common_lib.valid_key(resource, "snapshot_id")
-
 
 	result := {
 		"documentId": input.document[i].id,
@@ -37,6 +40,8 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("[%s] has encryption enabled",[name]),
 		"keyActualValue": sprintf("[%s] does not have encryption enabled",[name]),
         "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name], []),
+		"remediation": "encrypted = true",
+		"remediationType": "addition",		
 	}
 }
 

assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego

@@ -18,6 +18,11 @@ CxPolicy[result] {
 		"keyExpectedValue": "'rotation_interval' value should not be higher than a year",
 		"keyActualValue": "'rotation_interval' value is higher than a year",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "rotation_interval"], []),
+		"remediation": json.marshal({
+			"before": resource.rotation_interval,
+			"after": "365d"
+		}),
+		"remediationType": "replacement",
 	}
 }
 
@@ -35,6 +40,8 @@ CxPolicy[result] {
 		"keyExpectedValue": "'automatic_rotation' should be defined and set to Enabled",
 		"keyActualValue": "'automatic_rotation' is not defined",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name], []),
+		"remediation": "automatic_rotation = \"Enabled\"",
+		"remediationType": "addition",
 	}
 }
 
@@ -52,6 +59,11 @@ CxPolicy[result] {
 		"keyExpectedValue": "'automatic_rotation' should be set to Enabled",
 		"keyActualValue": "'automatic_rotation' is set to Disabled",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "automatic_rotation"], []),
+		"remediation": json.marshal({
+			"before": "Disabled",
+			"after": "Enabled"
+		}),
+		"remediationType": "replacement",
 	}
 }
 

assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego

@@ -16,6 +16,11 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("alicloud_launch_template[%s].encrypted to be true", [name]),
 		"keyActualValue": sprintf("alicloud_launch_template[%s].encrypted is false", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_launch_template", name, "encrypted"], []),
+		"remediation": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"remediationType": "replacement",
 	}
 }
 
@@ -32,5 +37,7 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("alicloud_launch_template[%s] 'encrypted' should be defined and set to true", [name]),
 		"keyActualValue": sprintf("alicloud_launch_template[%s] 'encrypted' argument is not defined", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_launch_template", name], []),
+		"remediation": "encrypted = true",
+		"remediationType": "addition",
 	}
 }

assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego

@@ -17,6 +17,8 @@ CxPolicy[result] {
 		"keyExpectedValue": "For attribute 'retention_period' to be set and over 90 days.",
 		"keyActualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short.",
         "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name], []),
+		"remediation": "retention_period = 100",
+		"remediationType": "addition",
 	}
 }
 
@@ -35,5 +37,10 @@ CxPolicy[result] {
 		"keyExpectedValue": "For the attribite 'retention_period' to be set to 90+ days",
 		"keyActualValue": "The attribute 'retention_period' is not set to 90+ days",
         "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name, "retention_period"], []),
+		"remediation": json.marshal({
+			"before": sprintf("%d", [rperiod]),
+			"after": "100"
+		}),
+		"remediationType": "replacement",
 	}
 }

assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego

@@ -16,6 +16,11 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should not be 0", [name]),
 		"keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is 0", [name]),
 		"searchLine":common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []),
+		"remediation": json.marshal({
+			"before": "0",
+			"after": "2"
+		}),
+		"remediationType": "replacement",
 	}
 }
 
@@ -32,5 +37,7 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be defined and the value different from 0 ", [name]),
 		"keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is undefined", [name]),
 		"searchLine":common_lib.build_search_line(["resource", "alicloud_nas_file_system", name], []),
+		"remediation": "encrypt_type = \"2\"",
+		"remediationType": "addition",
 	}
 }

assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego

@@ -16,6 +16,8 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be defined and set to 2'", [name]),
 		"keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is not defined", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name], []),
+		"remediation": "encrypt_type = \"2\"",
+		"remediationType": "addition",
 	}
 }
 
@@ -32,5 +34,10 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be set to 2'", [name]),
 		"keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is not set to 2  ", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []),
+		"remediation": json.marshal({
+			"before": resource.encrypt_type,
+			"after": "2"
+		}),
+		"remediationType": "replacement",
 	}
 }

assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego

@@ -18,6 +18,11 @@ CxPolicy[result] {
 		"keyExpectedValue": "'lifecycle_rule' is set and enabled",
 		"keyActualValue": "'lifecycle_rule' is set but disabled",
         "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "lifecycle_rule", "enabled"], []),
+		"remediation": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"remediationType": "replacement",
 	}
 }
 

assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego

@@ -34,5 +34,10 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("%s 'logging_isenable' argument should be set to true",[name]),
 		"keyActualValue": sprintf("%s 'logging_isenable' argument is set to false",[name]),
         "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "logging_isenable"], []),
+		"remediation": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"remediationType": "replacement",
 	}
 }

assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego

@@ -19,5 +19,10 @@ CxPolicy[result] {
 		"keyExpectedValue": "'acl' is set to private or not set",
 		"keyActualValue": sprintf("'acl' is %s", [possibilities[p]]),
         "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []),
+		"remediation": json.marshal({
+            "before": p,
+            "after": "private"
+        }),
+        "remediationType": "replacement",
 	}
 }

assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego

@@ -18,6 +18,11 @@ CxPolicy[result] {
 		"keyExpectedValue": "'transfer_acceleration.enabled' is defined and set to true",
 		"keyActualValue": "'transfer_acceleration.enabled' is false",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "transfer_acceleration", "enabled"], []),
+		"remediation": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"remediationType": "replacement",
 	}
 }
 
@@ -36,5 +41,7 @@ CxPolicy[result] {
 		"keyExpectedValue": "'transfer_acceleration.enabled' is defined and set to true",
 		"keyActualValue": "'transfer_acceleration' is missing",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []),
+		"remediation": "transfer_acceleration{\n\t\tenabled = true\n\t}",
+		"remediationType": "addition",
 	}
 }

assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego

@@ -18,6 +18,11 @@ CxPolicy[result] {
 		"keyExpectedValue": "'versioning.status' is enabled",
 		"keyActualValue": "'versioning.status' is suspended",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "versioning", "status"], []),
+		"remediation": json.marshal({
+            "before": "Suspended",
+            "after": "Enabled"
+        }),
+        "remediationType": "replacement",
 	}
 }
 
@@ -36,5 +41,7 @@ CxPolicy[result] {
 		"keyExpectedValue": "'versioning.status' is defined and set to enabled",
 		"keyActualValue": "'versioning' is missing",
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []),
+		"remediation": "versioning {\n\t\tstatus = \"Enabled\"\n\t}",
+        "remediationType": "addition",
 	}
 }

assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego

@@ -17,6 +17,10 @@ CxPolicy[result] {
 		"keyExpectedValue": "'max_login_attempts' is set to 5 or less",
 		"keyActualValue": "'max_login_attempts' is above than 5",
         "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_login_attempts"], []),
-
+		"remediation": json.marshal({
+            "before": sprintf("%d", [resource.max_login_attempts]),
+            "after": "5"
+        }),
+        "remediationType": "replacement",
 	}
 }

assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego

@@ -36,6 +36,11 @@ CxPolicy[result] {
 		"keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91",
 		"keyActualValue": "'max_password_age' is higher than 90",
         "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []),
+		"remediation": json.marshal({
+            "before": sprintf("%d", [resource.max_password_age]),
+            "after": "12"
+        }),
+        "remediationType": "replacement",
 
 	}
 }
@@ -54,6 +59,10 @@ CxPolicy[result] {
 		"keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91",
 		"keyActualValue": "'max_password_age' is equal to 0",
         "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []),
-
+		"remediation": json.marshal({
+            "before": sprintf("%d", [resource.max_password_age]),
+            "after": "12"
+        }),
+        "remediationType": "replacement",		
 	}
 }