From fbfa9e5a48aee502ba474e5414c43f0c0f121c52 Mon Sep 17 00:00:00 2001 From: Miguel Silva <100352574+cxMiguelSilva@users.noreply.github.com> Date: Thu, 28 Jul 2022 14:11:29 +0100 Subject: [PATCH] feat(knative&crossplane): add support to knative and crossplane (#5634) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * stage * add constants and change tests * crossplane aws queries * add crossplane azure queries * crossplane gcp queires * update * build(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 (#5627) Bumps [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/BurntSushi/toml/releases) - [Commits](https://github.com/BurntSushi/toml/compare/v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: github.com/BurntSushi/toml dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/aws/aws-sdk-go from 1.44.58 to 1.44.59 (#5628) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.58 to 1.44.59. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.58...v1.44.59) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs(kicsbot): update images digest (#5629) * fix(detector): fixed memory leak (#5626) Co-authored-by: João Reigota Co-authored-by: Rafaela Soares * add check for apiVersion * fix type bug * delete crossplane demo file * update github actions * delete knative folder and change regex expressions * update regex * update parser supported types * push changes * update metrics and main_test.go * change queries to use rego walk function * RDS Instance * update changes * add changes * change package-lock * package lock changes * package lock * add getPath to crossplane lib * correct typos and metadata info * correction Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: kicsbot <76819998+kicsbot@users.noreply.github.com> Co-authored-by: Rafaela Soares Co-authored-by: João Reigota Co-authored-by: Rafaela Soares --- .github/scripts/metrics/get_metrics.py | 4 ++ .../queries-validator/metadata-schema.json | 2 + assets/libraries/common.rego | 22 ++++++ assets/libraries/crossplane.rego | 13 ++++ .../cloudfront_logging_disabled/metadata.json | 4 +- .../test/positive_expected_result.json | 4 +- .../aws/cloudfront_without_waf/metadata.json | 2 +- .../test/positive_expected_result.json | 2 +- .../metadata.json | 2 +- .../aws/elb_using_weak_ciphers/query.rego | 28 +------- .../aws/sqs_with_sse_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../cloudfront_logging_disabled/metadata.json | 2 +- .../cloudfront_logging_disabled/query.rego | 4 +- .../query.rego | 2 + .../test/positive1.yaml | 2 + .../test/positive2.json | 2 + .../test/positive_expected_result.json | 8 +-- .../aws/cloudfront_without_waf/query.rego | 1 + .../test/negative1.yaml | 3 +- .../test/negative2.json | 1 + .../test/positive1.yaml | 3 +- .../test/positive2.json | 1 + 
.../aws/sqs_with_sse_disabled/metadata.json | 2 +- .../cloudfront_logging_disabled/metadata.json | 11 +++ .../cloudfront_logging_disabled/query.rego | 70 ++++++++++++++++++ .../test/negative.yaml | 60 ++++++++++++++++ .../test/positive.yaml | 60 ++++++++++++++++ .../test/positive2.yaml | 52 ++++++++++++++ .../test/positive3.yaml | 58 +++++++++++++++ .../test/positive_expected_result.json | 38 ++++++++++ .../metadata.json | 11 +++ .../query.rego | 71 +++++++++++++++++++ .../test/negative.yaml | 60 ++++++++++++++++ .../test/positive.yaml | 60 ++++++++++++++++ .../test/positive2.yaml | 52 ++++++++++++++ .../test/positive3.yaml | 58 +++++++++++++++ .../test/positive_expected_result.json | 39 ++++++++++ .../aws/cloudfront_without_waf/metadata.json | 11 +++ .../aws/cloudfront_without_waf/query.rego | 26 +++++++ .../cloudfront_without_waf/test/negative.yaml | 62 ++++++++++++++++ .../cloudfront_without_waf/test/positive.yaml | 60 ++++++++++++++++ .../test/positive_expected_result.json | 14 ++++ .../metadata.json | 11 +++ .../query.rego | 48 +++++++++++++ .../test/negative.yaml | 38 ++++++++++ .../test/positive.yaml | 38 ++++++++++ .../test/positive2.yaml | 36 ++++++++++ .../test/positive_expected_result.json | 26 +++++++ .../metadata.json | 11 +++ .../query.rego | 46 ++++++++++++ .../test/negative.yaml | 64 +++++++++++++++++ .../test/positive.yaml | 64 +++++++++++++++++ .../test/positive2.yaml | 62 ++++++++++++++++ .../test/positive_expected_result.json | 26 +++++++ .../metadata.json | 11 +++ .../query.rego | 27 +++++++ .../test/negative.yaml | 56 +++++++++++++++ .../test/positive.yaml | 56 +++++++++++++++ .../test/positive_expected_result.json | 14 ++++ .../aws/efs_not_encrypted/metadata.json | 11 +++ .../aws/efs_not_encrypted/query.rego | 46 ++++++++++++ .../aws/efs_not_encrypted/test/negative.yaml | 40 +++++++++++ .../aws/efs_not_encrypted/test/positive.yaml | 40 +++++++++++ .../aws/efs_not_encrypted/test/positive2.yaml | 38 ++++++++++ 
.../test/positive_expected_result.json | 26 +++++++ .../aws/efs_without_kms/metadata.json | 11 +++ .../crossplane/aws/efs_without_kms/query.rego | 25 +++++++ .../aws/efs_without_kms/test/negative.yaml | 42 +++++++++++ .../aws/efs_without_kms/test/positive.yaml | 40 +++++++++++ .../test/positive_expected_result.json | 14 ++++ .../aws/elb_using_weak_ciphers/metadata.json | 11 +++ .../aws/elb_using_weak_ciphers/query.rego | 47 ++++++++++++ .../elb_using_weak_ciphers/test/negative.yaml | 60 ++++++++++++++++ .../elb_using_weak_ciphers/test/positive.yaml | 60 ++++++++++++++++ .../test/positive_expected_result.json | 14 ++++ .../metadata.json | 11 +++ .../query.rego | 46 ++++++++++++ .../test/negative.yaml | 50 +++++++++++++ .../test/positive.yaml | 48 +++++++++++++ .../test/positive2.yaml | 50 +++++++++++++ .../test/positive_expected_result.json | 26 +++++++ .../aws/sqs_with_sse_disabled/metadata.json | 11 +++ .../aws/sqs_with_sse_disabled/query.rego | 25 +++++++ .../sqs_with_sse_disabled/test/negative.yaml | 50 +++++++++++++ .../sqs_with_sse_disabled/test/positive.yaml | 48 +++++++++++++ .../test/positive_expected_result.json | 14 ++++ .../azure/aks_rbac_disabled/metadata.json | 11 +++ .../azure/aks_rbac_disabled/query.rego | 25 +++++++ .../aks_rbac_disabled/test/negative.yaml | 39 ++++++++++ .../aks_rbac_disabled/test/positive.yaml | 40 +++++++++++ .../test/positive_expected_result.json | 14 ++++ .../metadata.json | 11 +++ .../query.rego | 25 +++++++ .../test/negative.yaml | 29 ++++++++ .../test/positive.yaml | 14 ++++ .../test/positive_expected_result.json | 8 +++ .../metadata.json | 11 +++ .../query.rego | 25 +++++++ .../test/negative.yaml | 14 ++++ .../test/positive.yaml | 12 ++++ .../test/positive_expected_result.json | 8 +++ .../metadata.json | 11 +++ .../query.rego | 69 ++++++++++++++++++ .../test/negative.yaml | 20 ++++++ .../test/positive.yaml | 39 ++++++++++ .../test/positive_expected_result.json | 14 ++++ .../cloudfront_logging_disabled/metadata.json | 4 +- 
.../cloudfront_logging_disabled/query.rego | 1 + .../test/positive_expected_result.json | 2 +- .../query.rego | 4 ++ .../aws/cloudfront_without_waf/metadata.json | 2 +- .../aws/cloudfront_without_waf/query.rego | 1 + .../test/positive_expected_result.json | 2 +- .../metadata.json | 2 +- .../aws/elb_using_weak_ciphers/query.rego | 31 +------- .../aws/sqs_with_sse_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- docs/commands.md | 2 +- docs/dockerhub.md | 2 +- docs/platforms.md | 8 +++ e2e/fixtures/E2E_CLI_010 | 2 + e2e/fixtures/E2E_CLI_013 | 2 + e2e/fixtures/assets/scan_help | 2 +- e2e/fixtures/schemas/result.json | 2 + e2e/fixtures/schemas/resultBoM.json | 2 + internal/constants/constants.go | 2 + pkg/analyzer/analyzer.go | 20 ++++++ pkg/analyzer/analyzer_test.go | 2 +- pkg/engine/source/filesystem.go | 4 ++ pkg/engine/source/filesystem_test.go | 2 + pkg/parser/yaml/parser.go | 2 + pkg/parser/yaml/parser_test.go | 2 + res/demoKnative.yaml | 15 ++++ test/fixtures/analyzer_test/crossplane.yaml | 10 +++ test/fixtures/analyzer_test/knative.yaml | 15 ++++ test/main_test.go | 20 +++--- 141 files changed, 3048 insertions(+), 97 deletions(-) create mode 100644 assets/libraries/crossplane.rego create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive2.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive3.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json create mode 100644 
assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json create mode 100644 assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego create mode 100644 assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive3.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json create mode 100644 assets/queries/crossplane/aws/cloudfront_without_waf/query.rego create mode 100644 assets/queries/crossplane/aws/cloudfront_without_waf/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_without_waf/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json create mode 100644 assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/query.rego create mode 100644 assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive2.yaml create mode 100644 assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json create mode 100644 
assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json create mode 100644 assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego create mode 100644 assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive2.yaml create mode 100644 assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json create mode 100644 assets/queries/crossplane/aws/db_security_group_has_public_interface/query.rego create mode 100644 assets/queries/crossplane/aws/db_security_group_has_public_interface/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/efs_not_encrypted/metadata.json create mode 100644 assets/queries/crossplane/aws/efs_not_encrypted/query.rego create mode 100644 assets/queries/crossplane/aws/efs_not_encrypted/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/efs_not_encrypted/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/efs_not_encrypted/test/positive2.yaml create mode 100644 assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/efs_without_kms/metadata.json create mode 100644 assets/queries/crossplane/aws/efs_without_kms/query.rego create mode 100644 assets/queries/crossplane/aws/efs_without_kms/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/efs_without_kms/test/positive.yaml create mode 100644 
assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json create mode 100644 assets/queries/crossplane/aws/elb_using_weak_ciphers/query.rego create mode 100644 assets/queries/crossplane/aws/elb_using_weak_ciphers/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json create mode 100644 assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/query.rego create mode 100644 assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive2.yaml create mode 100644 assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json create mode 100644 assets/queries/crossplane/aws/sqs_with_sse_disabled/query.rego create mode 100644 assets/queries/crossplane/aws/sqs_with_sse_disabled/test/negative.yaml create mode 100644 assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive.yaml create mode 100644 assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json create mode 100644 assets/queries/crossplane/azure/aks_rbac_disabled/query.rego create mode 100644 assets/queries/crossplane/azure/aks_rbac_disabled/test/negative.yaml create mode 100644 
assets/queries/crossplane/azure/aks_rbac_disabled/test/positive.yaml create mode 100644 assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json create mode 100644 assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/query.rego create mode 100644 assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/negative.yaml create mode 100644 assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive.yaml create mode 100644 assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json create mode 100644 assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/query.rego create mode 100644 assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/negative.yaml create mode 100644 assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive.yaml create mode 100644 assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json create mode 100644 assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json create mode 100644 assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego create mode 100644 assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/negative.yaml create mode 100644 assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive.yaml create mode 100644 assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json create mode 100644 res/demoKnative.yaml create mode 100644 test/fixtures/analyzer_test/crossplane.yaml create mode 100644 
test/fixtures/analyzer_test/knative.yaml
diff --git a/.github/scripts/metrics/get_metrics.py b/.github/scripts/metrics/get_metrics.py
index 839a32bdb1b..b194935f922 100644
--- a/.github/scripts/metrics/get_metrics.py
+++ b/.github/scripts/metrics/get_metrics.py
@@ -11,7 +11,9 @@
 'azureresourcemanager': os.path.join(queries_basepath, 'azureResourceManager', '*'),
 'cloudformation': os.path.join(queries_basepath, 'cloudFormation', '**', '*'),
 'openapi': os.path.join(queries_basepath, 'openAPI', '**', '*'),
+ 'crossplane': os.path.join(queries_basepath, 'crossplane', '*'),
 'k8s': os.path.join(queries_basepath, 'k8s', '*'),
+ #'knative': os.path.join(queries_basepath, 'knative', '*'),
 'common': os.path.join(queries_basepath, 'common', '*'),
 'dockerfile': os.path.join(queries_basepath, 'dockerfile', '*'),
 'terraform': os.path.join(queries_basepath, 'terraform', '**', '*'),
@@ -22,8 +24,10 @@
 samples_ext = {
 'azureresourcemanager': ['json'],
 'cloudformation': ['yaml', 'json'],
+ 'crossplane': ['yaml'],
 'openapi': ['yaml', 'json'],
 'ansible': ['yaml'],
+ 'knative': ['yaml'],
 'k8s': ['yaml'],
 'common': ['yaml', 'json', 'dockerfile', 'tf'],
 'dockerfile': ['dockerfile'],
diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
index 538d3449fac..34d18648c68 100644
--- a/.github/scripts/queries-validator/metadata-schema.json
+++ b/.github/scripts/queries-validator/metadata-schema.json
@@ -86,11 +86,13 @@
 "AzureResourceManager",
 "Buildah",
 "CloudFormation",
+ "Crossplane",
 "Common",
 "Dockerfile",
 "DockerCompose",
 "GRPC",
 "GoogleDeploymentManager",
+ "Knative",
 "Kubernetes",
 "OpenAPI",
 "Terraform"
diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
index 434dd7a5413..cf23fbf110d 100644
--- a/assets/libraries/common.rego
+++ b/assets/libraries/common.rego
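Review bot: The new `'crossplane'` entry in the queries glob dict uses a single `'*'`, but the crossplane queries this patch adds live one level deeper (`assets/queries/crossplane/aws/...`, `.../azure/...`, `.../gcp/...` per the diffstat), so that pattern would match only the three provider directories rather than the query folders and the metric count would be wrong. The provider-nested platforms already in the dict (`cloudformation`, `terraform`) use the recursive form, and crossplane should match them: `'crossplane': os.path.join(queries_basepath, 'crossplane', '**', '*'),`. This presumes the consumer globs these patterns with `recursive=True`, as it must already for those two entries — worth confirming. Separately, the second hunk adds `'knative': ['yaml']` to `samples_ext` while the corresponding queries entry is left commented out; if the script iterates `samples_ext` keys against the queries dict that mismatch may raise or silently skip, so either drop the `samples_ext` line or keep both dicts in step.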
@@ -779,3 +779,25 @@ is_aws_ebs_optimized_by_default(instanceType) { inArray(data.common_lib.aws_ebs_optimized_by_default, instanceType) } +# IANA +weakCipher(aux) { + weak_ciphers_IANA_Format = { + "TLS_NULL_WITH_NULL_NULL", "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_RSA_WITH_IDEA_CBC_SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_DSS_WITH_DES_CBC_SHA", "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_RSA_WITH_DES_CBC_SHA", "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_RC4_128_MD5", "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_anon_WITH_DES_CBC_SHA", "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_RC4_128_SHA", "TLS_KRB5_WITH_IDEA_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5", "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "TLS_KRB5_WITH_RC4_128_MD5", "TLS_KRB5_WITH_IDEA_CBC_MD5", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "TLS_PSK_WITH_NULL_SHA", "TLS_DHE_PSK_WITH_NULL_SHA", "TLS_RSA_PSK_WITH_NULL_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_DH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_DSS_WITH_AES_256_CBC_SHA", 
"TLS_DH_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_anon_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "TLS_DH_anon_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", "TLS_PSK_WITH_RC4_128_SHA", "TLS_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_PSK_WITH_AES_128_CBC_SHA", "TLS_PSK_WITH_AES_256_CBC_SHA", "TLS_DHE_PSK_WITH_RC4_128_SHA", "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_PSK_WITH_RC4_128_SHA", "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_SEED_CBC_SHA", "TLS_DH_DSS_WITH_SEED_CBC_SHA", "TLS_DH_RSA_WITH_SEED_CBC_SHA", "TLS_DHE_DSS_WITH_SEED_CBC_SHA", "TLS_DHE_RSA_WITH_SEED_CBC_SHA", "TLS_DH_anon_WITH_SEED_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", 
"TLS_DH_DSS_WITH_AES_256_GCM_SHA384", "TLS_DH_anon_WITH_AES_128_GCM_SHA256", "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_GCM_SHA256", "TLS_PSK_WITH_AES_256_GCM_SHA384", "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_CBC_SHA256", "TLS_PSK_WITH_AES_256_CBC_SHA384", "TLS_PSK_WITH_NULL_SHA256", "TLS_PSK_WITH_NULL_SHA384", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_DHE_PSK_WITH_NULL_SHA256", "TLS_DHE_PSK_WITH_NULL_SHA384", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", "TLS_RSA_PSK_WITH_NULL_SHA256", "TLS_RSA_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", "TLS_SM4_GCM_SM3", "TLS_SM4_CCM_SM3", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_AES_128_CCM_8_SHA256", "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_anon_WITH_NULL_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_RC4_128_SHA", "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_NULL_SHA", "TLS_ECDHE_PSK_WITH_NULL_SHA256", "TLS_ECDHE_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", 
"TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", + "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", 
"TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_PSK_DHE_WITH_AES_128_CCM_8", "TLS_PSK_DHE_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", 
"TLS_ECCPWD_WITH_AES_128_GCM_SHA256", "TLS_ECCPWD_WITH_AES_256_GCM_SHA384", "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", "TLS_SHA256_SHA256", "TLS_SHA384_SHA384", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", + } + weak_ciphers_IANA_Format[_] == aux +} + +# OpenSSL +weakCipher(aux) { + weak_ciphers_OpenSSL_Format = {"NULL-MD5", "NULL-SHA", "IDEA-CBC-SHA", "DES-CBC3-SHA", "DHE-DSS-DES-CBC3-SHA", "DHE-RSA-DES-CBC3-SHA", "ADH-DES-CBC3-SHA", "PSK-NULL-SHA", "DHE-PSK-NULL-SHA", "RSA-PSK-NULL-SHA", "AES128-SHA", "DHE-DSS-AES128-SHA", "DHE-RSA-AES128-SHA", "ADH-AES128-SHA", "AES256-SHA", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA", "ADH-AES256-SHA", "NULL-SHA256", "AES128-SHA256", "AES256-SHA256", "DHE-DSS-AES128-SHA256", "CAMELLIA128-SHA", "DHE-DSS-CAMELLIA128-SHA", "DHE-RSA-CAMELLIA128-SHA", "ADH-CAMELLIA128-SHA", "DHE-RSA-AES128-SHA256", "DHE-DSS-AES256-SHA256", "DHE-RSA-AES256-SHA256", "ADH-AES128-SHA256", "ADH-AES256-SHA256", "CAMELLIA256-SHA", "DHE-DSS-CAMELLIA256-SHA", "DHE-RSA-CAMELLIA256-SHA", "ADH-CAMELLIA256-SHA", "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA", "DHE-PSK-3DES-EDE-CBC-SHA", "DHE-PSK-AES128-CBC-SHA", "DHE-PSK-AES256-CBC-SHA", "RSA-PSK-3DES-EDE-CBC-SHA", "RSA-PSK-AES128-CBC-SHA", "RSA-PSK-AES256-CBC-SHA", "SEED-SHA", "DHE-DSS-SEED-SHA", "DHE-RSA-SEED-SHA", "ADH-SEED-SHA", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES256-GCM-SHA384", "ADH-AES128-GCM-SHA256", "ADH-AES256-GCM-SHA384", "PSK-AES128-GCM-SHA256", "PSK-AES256-GCM-SHA384", "RSA-PSK-AES128-GCM-SHA256", 
"RSA-PSK-AES256-GCM-SHA384", "PSK-AES128-CBC-SHA256", "PSK-AES256-CBC-SHA384", "PSK-NULL-SHA256", "PSK-NULL-SHA384", "DHE-PSK-AES128-CBC-SHA256", "DHE-PSK-AES256-CBC-SHA384", "DHE-PSK-NULL-SHA256", "DHE-PSK-NULL-SHA384", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-NULL-SHA256", "RSA-PSK-NULL-SHA384", "CAMELLIA128-SHA256", "DHE-DSS-CAMELLIA128-SHA256", "DHE-RSA-CAMELLIA128-SHA256", "ADH-CAMELLIA128-SHA256", "CAMELLIA256-SHA256", "DHE-DSS-CAMELLIA256-SHA256", "DHE-RSA-CAMELLIA256-SHA256", "ADH-CAMELLIA256-SHA256", "ECDHE-ECDSA-NULL-SHA", "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-NULL-SHA", "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AECDH-NULL-SHA", "AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA", "SRP-3DES-EDE-CBC-SHA", "SRP-RSA-3DES-EDE-CBC-SHA", "SRP-DSS-3DES-EDE-CBC-SHA", "SRP-AES-128-CBC-SHA", "SRP-RSA-AES-128-CBC-SHA", "SRP-DSS-AES-128-CBC-SHA", "SRP-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-DSS-AES-256-CBC-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384", "ECDHE-PSK-3DES-EDE-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA", "ECDHE-PSK-AES256-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA256", "ECDHE-PSK-AES256-CBC-SHA384", "ECDHE-PSK-NULL-SHA", "ECDHE-PSK-NULL-SHA256", "ECDHE-PSK-NULL-SHA384", "ECDHE-ECDSA-CAMELLIA128-SHA256", "ECDHE-ECDSA-CAMELLIA256-SHA384", "ECDHE-RSA-CAMELLIA128-SHA256", "ECDHE-RSA-CAMELLIA256-SHA384", "PSK-CAMELLIA128-SHA256", "PSK-CAMELLIA256-SHA384", "DHE-PSK-CAMELLIA128-SHA256", "DHE-PSK-CAMELLIA256-SHA384", "RSA-PSK-CAMELLIA128-SHA256", "RSA-PSK-CAMELLIA256-SHA384", "ECDHE-PSK-CAMELLIA128-SHA256", "ECDHE-PSK-CAMELLIA256-SHA384", "AES128-CCM", "AES256-CCM", "AES128-CCM8", "AES256-CCM8", "DHE-RSA-AES128-CCM8", "DHE-RSA-AES256-CCM8", "PSK-AES128-CCM", "PSK-AES256-CCM", "PSK-AES128-CCM8", "PSK-AES256-CCM8", "DHE-PSK-AES128-CCM8", "DHE-PSK-AES256-CCM8", 
"ECDHE-ECDSA-AES128-CCM", "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-CCM8", "ECDHE-ECDSA-AES256-CCM8", "PSK-CHACHA20-POLY1305", "RSA-PSK-CHACHA20-POLY1305"} + weak_ciphers_OpenSSL_Format[_] == aux +} + +# GnuTLS +weakCipher(aux) { + weak_ciphers_GnuTLS_Format = {"TLS_RSA_NULL_MD5", "TLS_RSA_NULL_SHA1", "TLS_RSA_ARCFOUR_128_MD5", "TLS_RSA_ARCFOUR_128_SHA1", "TLS_RSA_3DES_EDE_CBC_SHA1", "TLS_DHE_DSS_3DES_EDE_CBC_SHA1", "TLS_DHE_RSA_3DES_EDE_CBC_SHA1", "TLS_DH_ANON_ARCFOUR_128_MD5", "TLS_DH_ANON_3DES_EDE_CBC_SHA1", "TLS_PSK_NULL_SHA1", "TLS_DHE_PSK_NULL_SHA1", "TLS_RSA_PSK_NULL_SHA1", "TLS_RSA_AES_128_CBC_SHA1", "TLS_DHE_DSS_AES_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA1", "TLS_DH_ANON_AES_128_CBC_SHA1", "TLS_RSA_AES_256_CBC_SHA1", "TLS_DHE_DSS_AES_256_CBC_SHA1", "TLS_DHE_RSA_AES_256_CBC_SHA1", "TLS_DH_ANON_AES_256_CBC_SHA1", "TLS_RSA_NULL_SHA256", "TLS_RSA_AES_128_CBC_SHA256", "TLS_RSA_AES_256_CBC_SHA256", "TLS_DHE_DSS_AES_128_CBC_SHA256", "TLS_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA256", "TLS_DHE_DSS_AES_256_CBC_SHA256", "TLS_DHE_RSA_AES_256_CBC_SHA256", "TLS_DH_ANON_AES_128_CBC_SHA256", "TLS_DH_ANON_AES_256_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA1", "TLS_PSK_ARCFOUR_128_SHA1", "TLS_PSK_3DES_EDE_CBC_SHA1", "TLS_PSK_AES_128_CBC_SHA1", "TLS_PSK_AES_256_CBC_SHA1", "TLS_DHE_PSK_ARCFOUR_128_SHA1", "TLS_DHE_PSK_3DES_EDE_CBC_SHA1", "TLS_DHE_PSK_AES_128_CBC_SHA1", "TLS_DHE_PSK_AES_256_CBC_SHA1", "TLS_RSA_PSK_ARCFOUR_128_SHA1", "TLS_RSA_PSK_3DES_EDE_CBC_SHA1", "TLS_RSA_PSK_AES_128_CBC_SHA1", "TLS_RSA_PSK_AES_256_CBC_SHA1", "TLS_RSA_AES_128_GCM_SHA256", "TLS_RSA_AES_256_GCM_SHA384", "TLS_DHE_DSS_AES_128_GCM_SHA256", "TLS_DHE_DSS_AES_256_GCM_SHA384", "TLS_DH_ANON_AES_128_GCM_SHA256", "TLS_DH_ANON_AES_256_GCM_SHA384", 
"TLS_PSK_AES_128_GCM_SHA256", "TLS_PSK_AES_256_GCM_SHA384", "TLS_RSA_PSK_AES_128_GCM_SHA256", "TLS_RSA_PSK_AES_256_GCM_SHA384", "TLS_PSK_AES_128_CBC_SHA256", "TLS_PSK_AES_256_CBC_SHA384", "TLS_PSK_NULL_SHA256", "TLS_PSK_NULL_SHA384", "TLS_DHE_PSK_AES_128_CBC_SHA256", "TLS_DHE_PSK_AES_256_CBC_SHA384", "TLS_DHE_PSK_NULL_SHA256", "TLS_DHE_PSK_NULL_SHA384", "TLS_RSA_PSK_AES_128_CBC_SHA256", "TLS_RSA_PSK_AES_256_CBC_SHA384", "TLS_RSA_PSK_NULL_SHA256", "TLS_RSA_PSK_NULL_SHA384", "TLS_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA256", "TLS_ECDHE_ECDSA_NULL_SHA1", "TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1", "TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA1", "TLS_ECDHE_RSA_NULL_SHA1", "TLS_ECDHE_RSA_ARCFOUR_128_SHA1", "TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_RSA_AES_128_CBC_SHA1", "TLS_ECDHE_RSA_AES_256_CBC_SHA1", "TLS_ECDH_ANON_NULL_SHA1", "TLS_ECDH_ANON_ARCFOUR_128_SHA1", "TLS_ECDH_ANON_3DES_EDE_CBC_SHA1", "TLS_ECDH_ANON_AES_128_CBC_SHA1", "TLS_ECDH_ANON_AES_256_CBC_SHA1", "TLS_SRP_SHA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_AES_128_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_128_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_128_CBC_SHA1", "TLS_SRP_SHA_AES_256_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_256_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_256_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_ARCFOUR_128_SHA1", "TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA1", "TLS_ECDHE_PSK_AES_256_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_NULL_SHA1", 
"TLS_ECDHE_PSK_NULL_SHA256", "TLS_ECDHE_PSK_NULL_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384", "TLS_RSA_CAMELLIA_128_GCM_SHA256", "TLS_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384", "TLS_DH_ANON_CAMELLIA_128_GCM_SHA256", "TLS_DH_ANON_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_GCM_SHA256", "TLS_PSK_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_CBC_SHA256", "TLS_PSK_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_AES_128_CCM", "TLS_RSA_AES_256_CCM", "TLS_RSA_AES_128_CCM_8", "TLS_RSA_AES_256_CCM_8", "TLS_DHE_RSA_AES_128_CCM_8", "TLS_DHE_RSA_AES_256_CCM_8", "TLS_PSK_AES_128_CCM", "TLS_PSK_AES_256_CCM", "TLS_PSK_AES_128_CCM_8", "TLS_PSK_AES_256_CCM_8", "TLS_DHE_PSK_AES_128_CCM_8", "TLS_DHE_PSK_AES_256_CCM_8", "TLS_ECDHE_ECDSA_AES_128_CCM", "TLS_ECDHE_ECDSA_AES_256_CCM", "TLS_ECDHE_ECDSA_AES_128_CCM_8", "TLS_ECDHE_ECDSA_AES_256_CCM_8", "TLS_PSK_CHACHA20_POLY1305", "TLS_RSA_PSK_CHACHA20_POLY1305"} + weak_ciphers_GnuTLS_Format[_] == aux +} + diff --git a/assets/libraries/crossplane.rego b/assets/libraries/crossplane.rego new file mode 100644 index 00000000000..c77750f032a --- /dev/null +++ b/assets/libraries/crossplane.rego 
@@ -0,0 +1,13 @@
+package generic.crossplane
+
+import data.generic.common as common_lib
+
+getPath(path) = result {
+ count(path) > 0
+ path_string := common_lib.concat_path(path)
+ out := array.concat([path_string], ["."])
+ result := concat("", out)
+} else = result {
+ count(path) == 0
+ result := ""
+}
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
index f3a3336b5de..d659fb5cc31 100644
--- a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd",
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
+ "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "1bfc2dfd",
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
index 38fc58455d2..45d5f284ccf 100644
--- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
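Review bot: getPath's first body builds the trailing dot in two steps (`out := array.concat([path_string], ["."])` followed by `concat("", out)`); `result := concat("", [path_string, "."])` expresses the same in one line and makes the intent — a dotted prefix such as `"a.b."`, presumably for callers to prepend to a key name — readable without the intermediate array. A header comment would also help, e.g. `# getPath renders a key path as a dotted prefix ("a.b.") or "" for an empty path`. The `count(path) == 0` guard in the else body is worth keeping and worth a comment: if `common_lib.concat_path` is undefined for a non-empty path, getPath stays undefined instead of silently returning "", so a path the library cannot render never collapses into the empty prefix. `common_lib.concat_path` itself is outside the hunks visible here, so its output format is assumed.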
@@ -1,11 +1,11 @@
 [
 {
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "line": 2
 },
 {
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "line": 62
 }
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
index 75ce24abc8e..a909c6446ea 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "22c80725-e390-4055-8d14-a872230f6607",
- "queryName": "Cloudfront Without WAF",
+ "queryName": "CloudFront Without WAF",
 "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
index 5e8a9b52819..05a5d641e4e 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Cloudfront Without WAF",
+ "queryName": "CloudFront Without WAF",
 "severity": "LOW",
 "line": 2
 }
diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
index 4a6113f18e6..eb259b24bed 100644
--- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
+++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "DB Instance Storage Not Encrypted",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').",
+ "descriptionText": "AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "575cc1f4",
diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/query.rego b/assets/queries/ansible/aws/elb_using_weak_ciphers/query.rego
index 4924af16639..8a9067735c2 100644
--- a/assets/queries/ansible/aws/elb_using_weak_ciphers/query.rego
+++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/query.rego
@@ -47,7 +47,7 @@ CxPolicy[result] {
 elb := task[modules[m]]
 ansLib.checkState(elb)
- weakCipher(elb.listeners[j].SslPolicy)
+ common_lib.weakCipher(elb.listeners[j].SslPolicy)
 result := {
 "documentId": id,
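Review bot: The new call `common_lib.weakCipher(elb.listeners[j].SslPolicy)` relies on an `import data.generic.common as common_lib` alias that is outside this hunk, so confirm the file header declares it; without the import the reference is an unsafe variable and the rule does not compile. Since the three local weakCipher definitions (IANA, OpenSSL, GnuTLS name formats) are deleted in the following hunk, a short comment at the call site would keep the lookup readable, e.g. `# SslPolicy is matched against the shared IANA/OpenSSL/GnuTLS weak-cipher lists in common.rego`. The library match is an exact string comparison (`weak_ciphers_*_Format[_] == aux`), so a policy name differing only in case or whitespace is not flagged; if that is intended it is worth stating in the same comment. The enclosing CxPolicy rule starts before the hunk.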
@@ -59,29 +59,3 @@ CxPolicy[result] { "keyActualValue": sprintf("%s.listeners.SslPolicy is a weak cipher", [modules[m]]), } } - -# IANA -weakCipher(aux) { - weak_ciphers_IANA_Format = { - "TLS_NULL_WITH_NULL_NULL", "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_RSA_WITH_IDEA_CBC_SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_DSS_WITH_DES_CBC_SHA", "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_RSA_WITH_DES_CBC_SHA", "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_RC4_128_MD5", "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_anon_WITH_DES_CBC_SHA", "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_RC4_128_SHA", "TLS_KRB5_WITH_IDEA_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5", "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "TLS_KRB5_WITH_RC4_128_MD5", "TLS_KRB5_WITH_IDEA_CBC_MD5", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "TLS_PSK_WITH_NULL_SHA", "TLS_DHE_PSK_WITH_NULL_SHA", "TLS_RSA_PSK_WITH_NULL_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_DH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_DSS_WITH_AES_256_CBC_SHA", "TLS_DH_RSA_WITH_AES_256_CBC_SHA", 
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_anon_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "TLS_DH_anon_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", "TLS_PSK_WITH_RC4_128_SHA", "TLS_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_PSK_WITH_AES_128_CBC_SHA", "TLS_PSK_WITH_AES_256_CBC_SHA", "TLS_DHE_PSK_WITH_RC4_128_SHA", "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_PSK_WITH_RC4_128_SHA", "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_SEED_CBC_SHA", "TLS_DH_DSS_WITH_SEED_CBC_SHA", "TLS_DH_RSA_WITH_SEED_CBC_SHA", "TLS_DHE_DSS_WITH_SEED_CBC_SHA", "TLS_DHE_RSA_WITH_SEED_CBC_SHA", "TLS_DH_anon_WITH_SEED_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", 
"TLS_DH_anon_WITH_AES_128_GCM_SHA256", "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_GCM_SHA256", "TLS_PSK_WITH_AES_256_GCM_SHA384", "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_CBC_SHA256", "TLS_PSK_WITH_AES_256_CBC_SHA384", "TLS_PSK_WITH_NULL_SHA256", "TLS_PSK_WITH_NULL_SHA384", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", - "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_DHE_PSK_WITH_NULL_SHA256", "TLS_DHE_PSK_WITH_NULL_SHA384", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", "TLS_RSA_PSK_WITH_NULL_SHA256", "TLS_RSA_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", "TLS_SM4_GCM_SM3", "TLS_SM4_CCM_SM3", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_AES_128_CCM_8_SHA256", "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 
"TLS_ECDH_anon_WITH_NULL_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_RC4_128_SHA", "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_NULL_SHA", "TLS_ECDHE_PSK_WITH_NULL_SHA256", "TLS_ECDHE_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", 
"TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", 
"TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_PSK_DHE_WITH_AES_128_CCM_8", "TLS_PSK_DHE_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "TLS_ECCPWD_WITH_AES_128_GCM_SHA256", 
"TLS_ECCPWD_WITH_AES_256_GCM_SHA384", "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", "TLS_SHA256_SHA256", "TLS_SHA384_SHA384", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", - } - - some i - weak_ciphers_IANA_Format[i] == aux -} - -# OpenSSL -weakCipher(aux) { - weak_ciphers_OpenSSL_Format = {"NULL-MD5", "NULL-SHA", "IDEA-CBC-SHA", "DES-CBC3-SHA", "DHE-DSS-DES-CBC3-SHA", "DHE-RSA-DES-CBC3-SHA", "ADH-DES-CBC3-SHA", "PSK-NULL-SHA", "DHE-PSK-NULL-SHA", "RSA-PSK-NULL-SHA", "AES128-SHA", "DHE-DSS-AES128-SHA", "DHE-RSA-AES128-SHA", "ADH-AES128-SHA", "AES256-SHA", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA", "ADH-AES256-SHA", "NULL-SHA256", "AES128-SHA256", "AES256-SHA256", "DHE-DSS-AES128-SHA256", "CAMELLIA128-SHA", "DHE-DSS-CAMELLIA128-SHA", "DHE-RSA-CAMELLIA128-SHA", "ADH-CAMELLIA128-SHA", "DHE-RSA-AES128-SHA256", "DHE-DSS-AES256-SHA256", "DHE-RSA-AES256-SHA256", "ADH-AES128-SHA256", "ADH-AES256-SHA256", "CAMELLIA256-SHA", "DHE-DSS-CAMELLIA256-SHA", "DHE-RSA-CAMELLIA256-SHA", "ADH-CAMELLIA256-SHA", "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA", "DHE-PSK-3DES-EDE-CBC-SHA", "DHE-PSK-AES128-CBC-SHA", "DHE-PSK-AES256-CBC-SHA", "RSA-PSK-3DES-EDE-CBC-SHA", "RSA-PSK-AES128-CBC-SHA", "RSA-PSK-AES256-CBC-SHA", "SEED-SHA", "DHE-DSS-SEED-SHA", "DHE-RSA-SEED-SHA", "ADH-SEED-SHA", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES256-GCM-SHA384", "ADH-AES128-GCM-SHA256", "ADH-AES256-GCM-SHA384", "PSK-AES128-GCM-SHA256", "PSK-AES256-GCM-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES256-GCM-SHA384", 
"PSK-AES128-CBC-SHA256", "PSK-AES256-CBC-SHA384", "PSK-NULL-SHA256", "PSK-NULL-SHA384", "DHE-PSK-AES128-CBC-SHA256", "DHE-PSK-AES256-CBC-SHA384", "DHE-PSK-NULL-SHA256", "DHE-PSK-NULL-SHA384", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-NULL-SHA256", "RSA-PSK-NULL-SHA384", "CAMELLIA128-SHA256", "DHE-DSS-CAMELLIA128-SHA256", "DHE-RSA-CAMELLIA128-SHA256", "ADH-CAMELLIA128-SHA256", "CAMELLIA256-SHA256", "DHE-DSS-CAMELLIA256-SHA256", "DHE-RSA-CAMELLIA256-SHA256", "ADH-CAMELLIA256-SHA256", "ECDHE-ECDSA-NULL-SHA", "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-NULL-SHA", "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AECDH-NULL-SHA", "AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA", "SRP-3DES-EDE-CBC-SHA", "SRP-RSA-3DES-EDE-CBC-SHA", "SRP-DSS-3DES-EDE-CBC-SHA", "SRP-AES-128-CBC-SHA", "SRP-RSA-AES-128-CBC-SHA", "SRP-DSS-AES-128-CBC-SHA", "SRP-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-DSS-AES-256-CBC-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384", "ECDHE-PSK-3DES-EDE-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA", "ECDHE-PSK-AES256-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA256", "ECDHE-PSK-AES256-CBC-SHA384", "ECDHE-PSK-NULL-SHA", "ECDHE-PSK-NULL-SHA256", "ECDHE-PSK-NULL-SHA384", "ECDHE-ECDSA-CAMELLIA128-SHA256", "ECDHE-ECDSA-CAMELLIA256-SHA384", "ECDHE-RSA-CAMELLIA128-SHA256", "ECDHE-RSA-CAMELLIA256-SHA384", "PSK-CAMELLIA128-SHA256", "PSK-CAMELLIA256-SHA384", "DHE-PSK-CAMELLIA128-SHA256", "DHE-PSK-CAMELLIA256-SHA384", "RSA-PSK-CAMELLIA128-SHA256", "RSA-PSK-CAMELLIA256-SHA384", "ECDHE-PSK-CAMELLIA128-SHA256", "ECDHE-PSK-CAMELLIA256-SHA384", "AES128-CCM", "AES256-CCM", "AES128-CCM8", "AES256-CCM8", "DHE-RSA-AES128-CCM8", "DHE-RSA-AES256-CCM8", "PSK-AES128-CCM", "PSK-AES256-CCM", "PSK-AES128-CCM8", "PSK-AES256-CCM8", "DHE-PSK-AES128-CCM8", "DHE-PSK-AES256-CCM8", "ECDHE-ECDSA-AES128-CCM", 
"ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-CCM8", "ECDHE-ECDSA-AES256-CCM8", "PSK-CHACHA20-POLY1305", "RSA-PSK-CHACHA20-POLY1305"} - some i - weak_ciphers_OpenSSL_Format[i] == aux -} - -# GnuTLS -weakCipher(aux) { - weak_ciphers_GnuTLS_Format = {"TLS_RSA_NULL_MD5", "TLS_RSA_NULL_SHA1", "TLS_RSA_ARCFOUR_128_MD5", "TLS_RSA_ARCFOUR_128_SHA1", "TLS_RSA_3DES_EDE_CBC_SHA1", "TLS_DHE_DSS_3DES_EDE_CBC_SHA1", "TLS_DHE_RSA_3DES_EDE_CBC_SHA1", "TLS_DH_ANON_ARCFOUR_128_MD5", "TLS_DH_ANON_3DES_EDE_CBC_SHA1", "TLS_PSK_NULL_SHA1", "TLS_DHE_PSK_NULL_SHA1", "TLS_RSA_PSK_NULL_SHA1", "TLS_RSA_AES_128_CBC_SHA1", "TLS_DHE_DSS_AES_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA1", "TLS_DH_ANON_AES_128_CBC_SHA1", "TLS_RSA_AES_256_CBC_SHA1", "TLS_DHE_DSS_AES_256_CBC_SHA1", "TLS_DHE_RSA_AES_256_CBC_SHA1", "TLS_DH_ANON_AES_256_CBC_SHA1", "TLS_RSA_NULL_SHA256", "TLS_RSA_AES_128_CBC_SHA256", "TLS_RSA_AES_256_CBC_SHA256", "TLS_DHE_DSS_AES_128_CBC_SHA256", "TLS_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA256", "TLS_DHE_DSS_AES_256_CBC_SHA256", "TLS_DHE_RSA_AES_256_CBC_SHA256", "TLS_DH_ANON_AES_128_CBC_SHA256", "TLS_DH_ANON_AES_256_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA1", "TLS_PSK_ARCFOUR_128_SHA1", "TLS_PSK_3DES_EDE_CBC_SHA1", "TLS_PSK_AES_128_CBC_SHA1", "TLS_PSK_AES_256_CBC_SHA1", "TLS_DHE_PSK_ARCFOUR_128_SHA1", "TLS_DHE_PSK_3DES_EDE_CBC_SHA1", "TLS_DHE_PSK_AES_128_CBC_SHA1", "TLS_DHE_PSK_AES_256_CBC_SHA1", "TLS_RSA_PSK_ARCFOUR_128_SHA1", "TLS_RSA_PSK_3DES_EDE_CBC_SHA1", "TLS_RSA_PSK_AES_128_CBC_SHA1", "TLS_RSA_PSK_AES_256_CBC_SHA1", "TLS_RSA_AES_128_GCM_SHA256", "TLS_RSA_AES_256_GCM_SHA384", "TLS_DHE_DSS_AES_128_GCM_SHA256", "TLS_DHE_DSS_AES_256_GCM_SHA384", "TLS_DH_ANON_AES_128_GCM_SHA256", "TLS_DH_ANON_AES_256_GCM_SHA384", "TLS_PSK_AES_128_GCM_SHA256", 
"TLS_PSK_AES_256_GCM_SHA384", "TLS_RSA_PSK_AES_128_GCM_SHA256", "TLS_RSA_PSK_AES_256_GCM_SHA384", "TLS_PSK_AES_128_CBC_SHA256", "TLS_PSK_AES_256_CBC_SHA384", "TLS_PSK_NULL_SHA256", "TLS_PSK_NULL_SHA384", "TLS_DHE_PSK_AES_128_CBC_SHA256", "TLS_DHE_PSK_AES_256_CBC_SHA384", "TLS_DHE_PSK_NULL_SHA256", "TLS_DHE_PSK_NULL_SHA384", "TLS_RSA_PSK_AES_128_CBC_SHA256", "TLS_RSA_PSK_AES_256_CBC_SHA384", "TLS_RSA_PSK_NULL_SHA256", "TLS_RSA_PSK_NULL_SHA384", "TLS_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA256", "TLS_ECDHE_ECDSA_NULL_SHA1", "TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1", "TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA1", "TLS_ECDHE_RSA_NULL_SHA1", "TLS_ECDHE_RSA_ARCFOUR_128_SHA1", "TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_RSA_AES_128_CBC_SHA1", "TLS_ECDHE_RSA_AES_256_CBC_SHA1", "TLS_ECDH_ANON_NULL_SHA1", "TLS_ECDH_ANON_ARCFOUR_128_SHA1", "TLS_ECDH_ANON_3DES_EDE_CBC_SHA1", "TLS_ECDH_ANON_AES_128_CBC_SHA1", "TLS_ECDH_ANON_AES_256_CBC_SHA1", "TLS_SRP_SHA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_AES_128_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_128_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_128_CBC_SHA1", "TLS_SRP_SHA_AES_256_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_256_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_256_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_ARCFOUR_128_SHA1", "TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA1", "TLS_ECDHE_PSK_AES_256_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_NULL_SHA1", "TLS_ECDHE_PSK_NULL_SHA256", 
"TLS_ECDHE_PSK_NULL_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384", "TLS_RSA_CAMELLIA_128_GCM_SHA256", "TLS_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384", "TLS_DH_ANON_CAMELLIA_128_GCM_SHA256", "TLS_DH_ANON_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_GCM_SHA256", "TLS_PSK_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_CBC_SHA256", "TLS_PSK_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_AES_128_CCM", "TLS_RSA_AES_256_CCM", "TLS_RSA_AES_128_CCM_8", "TLS_RSA_AES_256_CCM_8", "TLS_DHE_RSA_AES_128_CCM_8", "TLS_DHE_RSA_AES_256_CCM_8", "TLS_PSK_AES_128_CCM", "TLS_PSK_AES_256_CCM", "TLS_PSK_AES_128_CCM_8", "TLS_PSK_AES_256_CCM_8", "TLS_DHE_PSK_AES_128_CCM_8", "TLS_DHE_PSK_AES_256_CCM_8", "TLS_ECDHE_ECDSA_AES_128_CCM", "TLS_ECDHE_ECDSA_AES_256_CCM", "TLS_ECDHE_ECDSA_AES_128_CCM_8", "TLS_ECDHE_ECDSA_AES_256_CCM_8", "TLS_PSK_CHACHA20_POLY1305", "TLS_RSA_PSK_CHACHA20_POLY1305"} - some i - weak_ciphers_GnuTLS_Format[i] == aux -} diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json index ce474521842..9fae491214a 100644 --- a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json 
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS with SSE disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
+ "descriptionText": "Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",
 "platform": "Ansible",
 "descriptionID": "7825cf30",
diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 0da79a95d99..61c46390330 100644
--- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Redis Cache Allows Non SSL Connections",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Check if any Redis Cache resource allows non-SSL connections.",
+ "descriptionText": "Redis Cache resource should not allow non-SSL connections.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
 "platform": "Ansible",
 "descriptionID": "31e56819",
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index af72983813b..413e63a1bc6 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "HIGH",
 "category": "Observability",
- "descriptionText": "Cloud storage bucket with logging not enabled",
+ "descriptionText": "Cloud storage bucket should have logging enabled",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging",
 "platform": "Ansible",
 "descriptionID": "ba5af65f",
diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index c65433416ab..a3ce6845090 100644
--- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Verifies if Google Container Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
+ "descriptionText": "Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html",
 "platform": "Ansible",
 "descriptionID": "14cf26ed",
diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
index 29a895ab0bc..810a615afeb 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined",
+ "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined",
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html",
 "platform": "CloudFormation",
 "descriptionID": "3254d6d0",
diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego
index a72a9254aba..2dc6bc7ef00 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego
@@ -1,13 +1,14 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
 resource.Type == "AWS::CloudFront::Distribution"
 distributionConfig := resource.Properties.DistributionConfig
+ not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
 not common_lib.valid_key(distributionConfig, "Logging")
 result := {
@@ -26,6 +27,7 @@ CxPolicy[result] {
 resource.Type == "AWS::CloudFront::Distribution"
 distributionConfig := resource.Properties.DistributionConfig
+ not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
 bucketCorrect := resource.Properties.DistributionConfig.Logging.Bucket
 endswith(bucketCorrect, ".s3.amazonaws.com") == false
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
index b7c5b14d506..e31c8abfdac 100644
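Review bot: The new `not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)` line in both hunks narrows the check to enabled distributions, but the descriptionText updated in the same commit still says every CloudFront distribution must have logging, and a distribution left at `Enabled: false` is one property change away from serving traffic with no access logs. The scope decision deserves a comment next to the guard, e.g. `# distributions explicitly set to Enabled: false are out of scope`, or a mention in the metadata text. Presumably a parameter or intrinsic function in `Enabled` is not treated as false by the helper and is still checked; worth confirming against cf_lib. The same guard is added to cloudfront_without_minimum_protocol_tls_1.2 and cloudfront_without_waf in later hunks, where the same remark applies, and every affected CxPolicy body continues outside its hunk.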
--- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
@@ -7,6 +7,7 @@ CxPolicy[result] {
 resource := input.document[i].Resources[name]
 resource.Type == "AWS::CloudFront::Distribution"
 properties := resource.Properties
+ not cf_lib.isCloudFormationFalse(properties.DistributionConfig.Enabled)
 not common_lib.valid_key(properties.DistributionConfig, "ViewerCertificate")
 result := {
@@ -26,6 +27,7 @@ CxPolicy[result] {
 resource.Type == "AWS::CloudFront::Distribution"
 properties := resource.Properties
 protocolVer := properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion
+ not cf_lib.isCloudFormationFalse(properties.DistributionConfig.Enabled)
 not common_lib.is_recommended_tls(protocolVer)
 result := {
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive1.yaml b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive1.yaml
index 2e143807ac1..6119fd6ef96 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive1.yaml
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive1.yaml
@@ -4,6 +4,7 @@ Resources:
 Type: AWS::CloudFront::Distribution
 Properties:
 DistributionConfig:
+ Enabled: true
 CacheBehaviors:
 - LambdaFunctionAssociations:
 - EventType: string-value
@@ -30,6 +31,7 @@ Resources:
 Type: AWS::CloudFront::Distribution
 Properties:
 DistributionConfig:
+ Enabled: true
 CacheBehaviors:
 - LambdaFunctionAssociations:
 - EventType: string-value
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.json
index ef007566eb7..7ebf6c0e2f1 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.json
@@ -5,6 +5,7 @@
 "Type": "AWS::CloudFront::Distribution",
 "Properties": {
 "DistributionConfig": {
+ "Enabled": true,
 "ViewerCertificate": {
 "IamCertificateId": "String",
 "MinimumProtocolVersion": "TLSv1.1_2016",
@@ -52,6 +53,7 @@
 "Type": "AWS::CloudFront::Distribution",
 "Properties": {
 "DistributionConfig": {
+ "Enabled": true,
 "Origins": [
 {
 "CustomOriginConfig": {
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
index 3539b753432..962f7b7596d 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
@@ -2,22 +2,22 @@
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "HIGH",
- "line": 24
+ "line": 25
 },
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "HIGH",
- "line": 32
+ "line": 33
 },
 {
- "line": 54,
+ "line": 55,
 "fileName": "positive2.json",
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "HIGH"
 },
 {
 "severity": "HIGH",
- "line": 10,
+ "line": 11,
 "fileName": "positive2.json",
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2"
 }
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego
index 108fad3c7aa..2ce8eb64775 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego
@@ -8,6 +8,7 @@ CxPolicy[result] {
 resource.Type == "AWS::CloudFront::Distribution"
 distributionConfig := resource.Properties.DistributionConfig
+ not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
 not common_lib.valid_key(distributionConfig, "WebACLId")
 result := {
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative1.yaml b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative1.yaml
index 725bf24a0ba..201ada4fbaa 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative1.yaml
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative1.yaml
@@ -4,6 +4,7 @@ Resources:
 Type: AWS::CloudFront::Distribution
 Properties:
 DistributionConfig:
+ Enabled: true
 CacheBehaviors:
 - LambdaFunctionAssociations:
 - EventType: string-value
@@ -20,4 +21,4 @@ Resources:
 WebACLId: string-value
 Tags:
 - Key: string-value
- Value: string-value
\ No newline at end of file
+ Value: string-value
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative2.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative2.json
index 95d66dcfe0d..684b6865eb8 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative2.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative2.json
@@ -5,6 +5,7 @@
 "Type": "AWS::CloudFront::Distribution",
 "Properties": {
 "DistributionConfig": {
+ "Enabled": true,
 "CacheBehaviors": [
 {
 "LambdaFunctionAssociations": [
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive1.yaml b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive1.yaml
index 0775ddc8b56..3690bea1bd5 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive1.yaml
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive1.yaml
@@ -4,6 +4,7 @@ Resources:
 Type: AWS::CloudFront::Distribution
 Properties:
 DistributionConfig:
+ Enabled: true
 CacheBehaviors:
 - LambdaFunctionAssociations:
 - EventType: string-value
@@ -19,4 +20,4 @@ Resources:
 OriginReadTimeout: integer-value
 Tags:
 - Key: string-value
- Value: string-value
\ No newline at end of file
+ Value: string-value
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive2.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive2.json
index 6393bdf56a1..3e46a54f6bb 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive2.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive2.json
@@ -11,6 +11,7 @@
 }
 ],
 "DistributionConfig": {
+ "Enabled": true,
 "CacheBehaviors": [
 {
 "LambdaFunctionAssociations": [
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
index a0a4d802b0e..9cfe308d5dd 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS with SSE disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
+ "descriptionText": "Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid",
 "platform": "CloudFormation",
 "descriptionID": "7c3c1b44",
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
new file mode 100644
index 00000000000..95c6594bc50
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7b590235-1ff4-421b-b9ff-5227134be9bb",
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging",
+ "platform": "Crossplane",
+ "descriptionID": "48cd0b5a",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego b/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego
new file mode 100644
index 00000000000..5e7de4806c5
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego
@@ -0,0 +1,70 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ destribution_config := resource.spec.forProvider.distributionConfig
+ destribution_config.enabled == true
+
+ destribution_config.logging.enabled == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.logging.enabled", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "CloudFront logging enabled attribute should be set to true",
+ "keyActualValue": "CloudFront logging enabled attribute is set to false",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig", "logging", "enabled"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ destribution_config := resource.spec.forProvider.distributionConfig
+ destribution_config.enabled == true
+
+ not common_lib.valid_key(destribution_config.logging, "enabled")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.logging", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "CloudFront logging enabled attribute should be defined and set to true",
+ "keyActualValue": "CloudFront enable is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig", "logging"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ destribution_config := resource.spec.forProvider.distributionConfig
+ destribution_config.enabled == true
+
+ not common_lib.valid_key(destribution_config, "logging")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path),resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "CloudFront logging enabled attribute should be defined and set to true",
+ "keyActualValue": "CloudFront logging is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/negative.yaml b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/negative.yaml
new file mode 100644
index 00000000000..f3c67a58ecf
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/negative.yaml
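Review bot: The second rule's `not common_lib.valid_key(destribution_config.logging, "enabled")` appears to match documents where `logging` is absent altogether, not only ones that define `logging` without `enabled`: a Rego call whose argument is an undefined reference is itself undefined, and `not` of an undefined expression succeeds, so a positive2.yaml-style document would be reported by both this rule and the third unless the engine de-duplicates findings by line. Binding the object first makes the rule body undefined when the key is missing, as the `viewerCertificate :=` binding in the sibling TLS query already does: `logging := destribution_config.logging` followed by `not common_lib.valid_key(logging, "enabled")`. Separately, `destribution_config` is misspelled throughout the file (`distribution_config`), and the second rule's `keyActualValue` text `CloudFront enable is not defined` reads as a typo for `CloudFront logging enabled is not defined`.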
@@ -0,0 +1,60 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ logging:
+ enabled: true
+ include_cookies: false
+ bucket: sample.s3.amazonaws.com
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ logging:
+ enabled: true
+ include_cookies: false
+ bucket: sample.s3.amazonaws.com
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive.yaml b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive.yaml
new file mode 100644
index 00000000000..d03302601b3
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive.yaml
@@ -0,0 +1,60 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ logging:
+ enabled: false
+ include_cookies: false
+ bucket: sample.s3.amazonaws.com
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ labels:
+ cluster: eks
+ provider: aws
+ name: cluster-aws
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ distributionConfig:
+ comment: "Crossplane - auto provisioning"
+ enabled: true
+ logging:
+ bucket: sample.s3.amazonaws.com
+ enabled: false
+ include_cookies: false
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+ region: us-east-1
+ name: sample-cloudfront
+ writeConnectionSecretsToNamespace: crossplane-system
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive2.yaml b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive2.yaml
new file mode 100644
index 00000000000..17251c75478
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive2.yaml
@@ -0,0 +1,52 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ labels:
+ cluster: eks
+ provider: aws
+ name: cluster-aws
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ distributionConfig:
+ comment: "Crossplane - auto provisioning"
+ enabled: true
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+ region: us-east-1
+ name: sample-cloudfront
+ writeConnectionSecretsToNamespace: crossplane-system
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive3.yaml b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive3.yaml
new file mode 100644
index 00000000000..1212323d72c
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive3.yaml
@@ -0,0 +1,58 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ logging:
+ include_cookies: false
+ bucket: sample.s3.amazonaws.com
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ labels:
+ cluster: eks
+ provider: aws
+ name: cluster-aws
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ distributionConfig:
+ comment: "Crossplane - auto provisioning"
+ enabled: true
+ logging:
+ include_cookies: false
+ bucket: sample.s3.amazonaws.com
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+ region: us-east-1
+ name: sample-cloudfront
+ writeConnectionSecretsToNamespace: crossplane-system
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..d22a547d757
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -0,0 +1,38 @@
+[
+ {
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "line": 50,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "line": 41,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "line": 11,
+ "fileName": "positive3.yaml"
+ },
+ {
+ "queryName": "CloudFront Logging Disabled",
+ "severity": "MEDIUM",
+ "line": 47,
+ "fileName": "positive3.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
new file mode 100644
index 00000000000..d1ac056351f
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "255b0fcc-9f82-41fe-9229-01b163e3376b",
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "CloudFront Minimum Protocol version should be at least TLS 1.2",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion",
+ "platform": "Crossplane",
+ "descriptionID": "11cca65a",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
new file mode 100644
index 00000000000..b8ed70d1fe1
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego 
@@ -0,0 +1,71 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ destribution_config := resource.spec.forProvider.distributionConfig
+ destribution_config.enabled == true
+
+ viewerCertificate := destribution_config.viewerCertificate
+ not common_lib.is_recommended_tls(viewerCertificate.minimumProtocolVersion)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x",
+ "keyActualValue": sprintf("'viewerCertificate.minimumProtocolVersion' is %s", [viewerCertificate.minimumProtocolVersion]),
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig", "viewerCertificate", "minimumProtocolVersion"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ destribution_config := resource.spec.forProvider.distributionConfig
+ destribution_config.enabled == true
+
+ not common_lib.valid_key(destribution_config, "viewerCertificate")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and 
set to TLSv1.2_x",
+ "keyActualValue": "'viewerCertificate' is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ resource.spec.forProvider.distributionConfig.enabled == true
+ viewerCertificate := resource.spec.forProvider.distributionConfig.viewerCertificate
+
+ not common_lib.valid_key(viewerCertificate, "minimumProtocolVersion")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.viewerCertificate", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x",
+ "keyActualValue": "'minimumProtocolVersion' is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig", "viewerCertificate"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/negative.yaml b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/negative.yaml
new file mode 100644
index 00000000000..612837a1146
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/negative.yaml
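Review bot: The first rule appears to avoid reporting a `viewerCertificate` that lacks `minimumProtocolVersion` (the third rule's case) only because its `keyActualValue` sprintf references `viewerCertificate.minimumProtocolVersion` and so leaves the whole result undefined; on its own, `not common_lib.is_recommended_tls(viewerCertificate.minimumProtocolVersion)` is true for a missing key, since `not` of an undefined call succeeds in Rego. Binding the value explicitly keeps that behaviour independent of how the result object is written later: `minimumProtocolVersion := viewerCertificate.minimumProtocolVersion` then `not common_lib.is_recommended_tls(minimumProtocolVersion)`. The third rule also inlines `resource.spec.forProvider.distributionConfig.enabled == true` instead of the `destribution_config` binding used by the other two rules, and that name is misspelled throughout (`distribution_config`). The `keyExpectedValue` string in the second rule is shown broken across two lines here; that looks like an extraction artifact rather than the file's content, but worth a glance.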
@@ -0,0 +1,60 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.2_2018
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.2_2018
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive.yaml b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive.yaml
new file mode 100644
index 00000000000..2c5a108d817
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive.yaml
@@ -0,0 +1,60 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.1_2016
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.1_2016
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.yaml b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.yaml
new file mode 100644
index 00000000000..efed111247d
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.yaml
@@ -0,0 +1,52 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive3.yaml b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive3.yaml
new file mode 100644
index 00000000000..163cdbf2a01
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive3.yaml
@@ -0,0 +1,58 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
new file mode 100644
index 00000000000..e184ed6e57a
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
@@ -0,0 +1,39 @@
+[
+ {
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "line": 54,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "line": 44,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive3.yaml"
+ },
+ {
+ "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
+ "severity": "HIGH",
+ "line": 50,
+ "fileName": "positive3.yaml"
+ }
+
+]
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json b/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
new file mode 100644
index 00000000000..849196bdd87
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "6d19ce0f-b3d8-4128-ac3d-1064e0f00494",
+ "queryName": "CloudFront Without WAF",
+ "severity": "LOW",
+ "category": "Networking and Firewall",
+ "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-webACLID",
+ "platform": "Crossplane",
+ "descriptionID": "c5493606",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/query.rego b/assets/queries/crossplane/aws/cloudfront_without_waf/query.rego
new file mode 100644
index 00000000000..6ac712b7267
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/query.rego
@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+ resource.kind == "Distribution"
+ destribution_config := resource.spec.forProvider.distributionConfig
+ destribution_config.enabled == true
+
+ not common_lib.valid_key(destribution_config, "webACLID")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'webACLID' should be defined",
+ "keyActualValue": "'webACLID' is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/negative.yaml b/assets/queries/crossplane/aws/cloudfront_without_waf/test/negative.yaml
new file mode 100644
index 00000000000..6a4f271782f
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/negative.yaml
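Review bot: `not common_lib.valid_key(destribution_config, "webACLID")` only fires when the key is absent, so a placeholder such as `webACLID: ""` in distributionConfig satisfies the rule even though no web ACL is actually associated; if valid_key (defined outside this hunk) only tests presence, a second rule with `count(trim_space(destribution_config.webACLID)) == 0` reporting an IncorrectValue would close that gap. The local is misspelled throughout the rule: `destribution_config` should read `distribution_config`. Because the walk also matches the `base` of a Composition, a base whose webACLID is supplied by a patch will still be reported; a one-line comment above the rule, `# NOTE: a Composition base that receives webACLID via patches is reported as well`, would tell users why that finding appears.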
@@ -0,0 +1,62 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.2_2018
+ webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.2_2018
+ webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive.yaml b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive.yaml
new file mode 100644
index 00000000000..612837a1146
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive.yaml
@@ -0,0 +1,60 @@
+apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+kind: Distribution
+metadata:
+ name: sample-distribution
+spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.2_2018
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-cloudfront
+ base:
+ apiVersion: cloudfront.aws.crossplane.io/v1alpha1
+ kind: Distribution
+ metadata:
+ name: sample-distribution
+ spec:
+ forProvider:
+ region: us-east-1
+ distributionConfig:
+ enabled: true
+ comment: Crossplane - auto provisioning
+ viewerCertificate:
+ sslSupportMethod: sni-only
+ cloudFrontDefaultCertificate: false
+ minimumProtocolVersion: TLSv1.2_2018
+ origins:
+ items:
+ - domainName: sample.s3.amazonaws.com
+ id: s3Origin
+ s3OriginConfig:
+ originAccessIDentity: ""
diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json
new file mode 100644
index 00000000000..3a23c177bbc
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "CloudFront Without WAF",
+ "severity": "LOW",
+ "line": 8,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudFront Without WAF",
+ "severity": "LOW",
+ "line": 48,
+ "fileName": "positive.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
new file mode 100644
index 00000000000..20c67c3a750
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "934613fe-b12c-4e5a-95f5-c1dcdffac1ff",
+ "queryName": "CloudWatch Without Retention Period Specified",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/v1alpha1@v0.29.0#spec-forProvider-retentionInDays",
+ "platform": "Crossplane",
+ "descriptionID": "9ce0c6f8",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/query.rego b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/query.rego
new file mode 100644
index 00000000000..ff903b7e373
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/query.rego
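Review bot: The descriptionText `AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events` does not describe what this query checks — the accompanying rego reports a LogGroup whose `spec.forProvider.retentionInDays` is missing or not one of the listed retention values, and the descriptionUrl already points at that field. Suggest `CloudWatch Logs LogGroups should define 'retentionInDays' with one of the retention periods accepted by AWS, so that log events are not retained indefinitely`. Keeping the text aligned with the rule matters because it is what users see next to a MEDIUM finding.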
@@ -0,0 +1,48 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+validValues = [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudwatchlogs.aws.crossplane.io")
+ resource.kind == "LogGroup"
+ retention := resource.spec.forProvider.retentionInDays
+
+ not common_lib.inArray(validValues, retention)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.retentionInDays", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "retentionInDays should be set to a valid value",
+ "keyActualValue": "retentionInDays is set to a invalid value",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "retentionInDays"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cloudwatchlogs.aws.crossplane.io")
+ resource.kind == "LogGroup"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "retentionInDays")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "retentionInDays should be set to a valid value",
+ "keyActualValue": "retentionInDays is undefined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
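Review bot: `keyActualValue` in the first rule reads `retentionInDays is set to a invalid value`, which has a grammar slip and hides the offending number; `"keyActualValue": sprintf("retentionInDays is set to %v, which is not an accepted retention period", [retention]),` gives the reader something to act on. `validValues` is a bare hard-coded list with no comment saying where it comes from — AWS may extend the accepted retention periods, so add `# retention periods accepted by CloudWatch Logs (PutRetentionPolicy); keep in sync with AWS docs` and consider a set literal so the check becomes a lookup (`not validValues[retention]`) rather than an array scan through inArray. A value quoted as a string in YAML (`retentionInDays: "30"`) will not equal an integer in the list and will be reported as invalid, which is presumably intended but worth a comment.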
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/negative.yaml b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/negative.yaml
new file mode 100644
index 00000000000..ab106448527
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/negative.yaml
@@ -0,0 +1,38 @@
+apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
+kind: LogGroup
+metadata:
+ name: lg-1
+spec:
+ forProvider:
+ logGroupName: /aws/eks/sample-cluster/cluster
+ region: us-east-1
+ retentionInDays: 1
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
+ kind: LogGroup
+ metadata:
+ name: lg-2
+ spec:
+ forProvider:
+ logGroupName: /aws/eks/sample-cluster/cluster
+ region: us-east-1
+ retentionInDays: 1
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive.yaml b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive.yaml
new file mode 100644
index 00000000000..ce2e713e6e0
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive.yaml
@@ -0,0 +1,38 @@
+apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
+kind: LogGroup
+metadata:
+ name: lg-3
+spec:
+ forProvider:
+ logGroupName: /aws/eks/sample-cluster/cluster
+ region: us-east-1
+ retentionInDays: 0
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
+ kind: LogGroup
+ metadata:
+ name: lg-4
+ spec:
+ forProvider:
+ logGroupName: /aws/eks/sample-cluster/cluster
+ region: us-east-1
+ retentionInDays: 0
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive2.yaml b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive2.yaml
new file mode 100644
index 00000000000..83307083f2b
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive2.yaml
@@ -0,0 +1,36 @@
+apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
+kind: LogGroup
+metadata:
+ name: lg-5
+spec:
+ forProvider:
+ logGroupName: /aws/eks/sample-cluster/cluster
+ region: us-east-1
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1
+ kind: LogGroup
+ metadata:
+ name: lg-6
+ spec:
+ forProvider:
+ logGroupName: /aws/eks/sample-cluster/cluster
+ region: us-east-1
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
new file mode 100644
index 00000000000..e5802a9f8ff
--- /dev/null
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
@@ -0,0 +1,26 @@
+[
+ {
+ "queryName": "CloudWatch Without Retention Period Specified",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudWatch Without Retention Period Specified",
+ "severity": "MEDIUM",
+ "line": 38,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "CloudWatch Without Retention Period Specified",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "CloudWatch Without Retention Period Specified",
+ "severity": "MEDIUM",
+ "line": 34,
+ "fileName": "positive2.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
new file mode 100644
index 00000000000..72cf178dd7f
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "e50eb68a-a4af-4048-8bbe-8ec324421469",
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted",
+ "platform": "Crossplane",
+ "descriptionID": "e40c8a7e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego
new file mode 100644
index 00000000000..1a7338606ee
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego
@@ -0,0 +1,46 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "database.aws.crossplane.io")
+ resource.kind == "RDSInstance"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "storageEncrypted")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%s.metadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "storageEncrypted should be defined and set to true",
+ "keyActualValue": "storageEncrypted is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "database.aws.crossplane.io")
+ resource.kind == "RDSInstance"
+ forProvider := resource.spec.forProvider
+
+ forProvider.storageEncrypted == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.storageEncrypted", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "storageEncrypted should be set to true",
+ "keyActualValue": "storageEncrypted is set to false",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "storageEncrypted"]),
+ }
+}
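Review bot: The first rule builds its searchKey from `"%s.metadata.name={{%s}}.spec.forProvider"` while the second rule — and every other query in this change — uses `"%smetadata.name={{%s}}..."`; with the same `cp_lib.getPath(path)` prefix the extra dot produces a differently shaped key for the missing-attribute case (a leading `.` for a top-level resource, or a doubled dot inside a Composition base), which is likely to break the result's key lookup. Change it to `"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),`. getPath lives in assets/libraries/crossplane.rego outside this hunk, so its exact return shape is inferred from the sibling rules; the positive_expected_result entries at line 6 and 47 of positive2.yaml exercise this rule, so a test of the searchKey string itself would catch the regression.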
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/negative.yaml b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/negative.yaml
new file mode 100644
index 00000000000..0f4e0a5d70c
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/negative.yaml
@@ -0,0 +1,64 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: rds1
+spec:
+ forProvider:
+ allocatedStorage: 50
+ applyModificationsImmediately: false
+ backupRetentionPeriod: 0
+ caCertificateIdentifier: rds-ca-2019
+ copyTagsToSnapshot: false
+ dbInstanceClass: db.t3.medium
+ deletionProtection: false
+ enableIAMDatabaseAuthentication: false
+ enablePerformanceInsights: false
+ engine: mysql
+ region: us-west-2
+ engineVersion: 5.7.33
+ licenseModel: general-public-license
+ publiclyAccessible: false
+ storageEncrypted: true
+ storageType: gp2
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: database.aws.crossplane.io/v1beta1
+ kind: RDSInstance
+ metadata:
+ name: rds2
+ spec:
+ forProvider:
+ allocatedStorage: 50
+ applyModificationsImmediately: false
+ backupRetentionPeriod: 0
+ caCertificateIdentifier: rds-ca-2019
+ copyTagsToSnapshot: false
+ dbInstanceClass: db.t3.medium
+ deletionProtection: false
+ enableIAMDatabaseAuthentication: false
+ enablePerformanceInsights: false
+ engine: mysql
+ region: us-west-2
+ engineVersion: 5.7.33
+ licenseModel: general-public-license
+ publiclyAccessible: false
+ storageEncrypted: true
+ storageType: gp2
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive.yaml b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive.yaml
new file mode 100644
index 00000000000..4e6f6d8967a
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive.yaml
@@ -0,0 +1,64 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: rds3
+spec:
+ forProvider:
+ allocatedStorage: 50
+ applyModificationsImmediately: false
+ backupRetentionPeriod: 0
+ caCertificateIdentifier: rds-ca-2019
+ copyTagsToSnapshot: false
+ dbInstanceClass: db.t3.medium
+ deletionProtection: false
+ enableIAMDatabaseAuthentication: false
+ enablePerformanceInsights: false
+ engine: mysql
+ region: us-west-2
+ engineVersion: 5.7.33
+ licenseModel: general-public-license
+ publiclyAccessible: false
+ storageEncrypted: false
+ storageType: gp2
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: database.aws.crossplane.io/v1beta1
+ kind: RDSInstance
+ metadata:
+ name: rds4
+ spec:
+ forProvider:
+ allocatedStorage: 50
+ applyModificationsImmediately: false
+ backupRetentionPeriod: 0
+ caCertificateIdentifier: rds-ca-2019
+ copyTagsToSnapshot: false
+ dbInstanceClass: db.t3.medium
+ deletionProtection: false
+ enableIAMDatabaseAuthentication: false
+ enablePerformanceInsights: false
+ engine: mysql
+ region: us-west-2
+ engineVersion: 5.7.33
+ licenseModel: general-public-license
+ publiclyAccessible: false
+ storageEncrypted: false
+ storageType: gp2
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive2.yaml b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive2.yaml
new file mode 100644
index 00000000000..950fbabc156
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive2.yaml
@@ -0,0 +1,62 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: rds5
+spec:
+ forProvider:
+ allocatedStorage: 50
+ applyModificationsImmediately: false
+ backupRetentionPeriod: 0
+ caCertificateIdentifier: rds-ca-2019
+ copyTagsToSnapshot: false
+ dbInstanceClass: db.t3.medium
+ deletionProtection: false
+ enableIAMDatabaseAuthentication: false
+ enablePerformanceInsights: false
+ engine: mysql
+ region: us-west-2
+ engineVersion: 5.7.33
+ licenseModel: general-public-license
+ publiclyAccessible: false
+ storageType: gp2
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: database.aws.crossplane.io/v1beta1
+ kind: RDSInstance
+ metadata:
+ name: rds6
+ spec:
+ forProvider:
+ allocatedStorage: 50
+ applyModificationsImmediately: false
+ backupRetentionPeriod: 0
+ caCertificateIdentifier: rds-ca-2019
+ copyTagsToSnapshot: false
+ dbInstanceClass: db.t3.medium
+ deletionProtection: false
+ enableIAMDatabaseAuthentication: false
+ enablePerformanceInsights: false
+ engine: mysql
+ region: us-west-2
+ engineVersion: 5.7.33
+ licenseModel: general-public-license
+ publiclyAccessible: false
+ storageType: gp2
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
new file mode 100644
index 00000000000..0496d93bb96
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
@@ -0,0 +1,26 @@
+[
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 21,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 63,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 47,
+ "fileName": "positive2.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
new file mode 100644
index 00000000000..2fea48396d3
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "dd667399-8d9d-4a8d-bbb4-e49ab53b2f52",
+ "queryName": "DB Security Group Has Public Interface",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "The CIDR IP should not be a public interface",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp",
+ "platform": "Crossplane",
+ "descriptionID": "c26de1ff",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/query.rego b/assets/queries/crossplane/aws/db_security_group_has_public_interface/query.rego
new file mode 100644
index 00000000000..56adad16004
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/query.rego
@@ -0,0 +1,27 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ resource.kind == "SecurityGroup"
+ ingressRules := resource.spec.forProvider.ingress
+
+ startswith(resource.apiVersion, "ec2.aws.crossplane.io")
+ ingressRule := ingressRules[j]
+ ipRange := ingressRule.ipRanges[z]
+ ipRange.cidrIp == "0.0.0.0/0"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.ingress.ipRanges.cidrIp={{%s}}", [cp_lib.getPath(path), resource.metadata.name, ipRange.cidrIp]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "ingress rule should not contain '0.0.0.0/0'",
+ "keyActualValue": "ingress rule contains '0.0.0.0/0'",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "ingress", j, "ipRanges", z, "cidrIp"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/negative.yaml b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/negative.yaml
new file mode 100644
index 00000000000..88f509216d0
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/negative.yaml
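Review bot: The rule only matches `ipRange.cidrIp == "0.0.0.0/0"`, so an ingress rule open to the entire IPv6 internet is never reported; if the v1beta1 SecurityGroup type exposes an IPv6 range list next to `ipRanges` (the field name should be checked against the CRD), add a parallel rule that flags `::/0` there with the same searchLine shape. Despite the query name, nothing narrows the match to database ports — any `ec2.aws.crossplane.io` SecurityGroup with a world-open ingress is reported — so either filter on `fromPort`/`toPort` or say in the metadata description that the check applies to every security group. A one-line comment above the rule, `# flags any ingress ipRange open to the whole IPv4 internet, regardless of port`, would make the intended scope explicit to the next maintainer.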
@@ -0,0 +1,56 @@
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: SecurityGroup
+metadata:
+ name: ec2-rule1
+spec:
+ forProvider:
+ region: us-east-1
+ vpcIdSelector:
+ matchControllerRef: true
+ groupName: crossplane-getting-started
+ description: Allow access to PostgreSQL
+ ingress:
+ - fromPort: 5432
+ toPort: 5432
+ ipProtocol: tcp
+ ipRanges:
+ - cidrIp: 10.0.0.0/8
+ description: sample
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: cluster-aws
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ compositeTypeRef:
+ apiVersion: mydev.org/v1alpha1
+ kind: CompositeCluster
+ writeConnectionSecretsToNamespace: crossplane-system
+ patchSets:
+ - name: metadata
+ patches:
+ - fromFieldPath: metadata.labels
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: ec2.aws.crossplane.io/v1beta1
+ kind: SecurityGroup
+ metadata:
+ name: ec2-rule
+ spec:
+ forProvider:
+ region: us-east-1
+ vpcIdSelector:
+ matchControllerRef: true
+ groupName: crossplane-getting-started
+ description: Allow access to PostgreSQL
+ ingress:
+ - fromPort: 5432
+ toPort: 5432
+ ipProtocol: tcp
+ ipRanges:
+ - cidrIp: 10.0.0.0/8
+ description: sample
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive.yaml b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive.yaml
new file mode 100644
index 00000000000..4ee4d8afcc4
--- /dev/null
+++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive.yaml
@@ -0,0 +1,56 @@ +apiVersion: ec2.aws.crossplane.io/v1beta1 +kind: SecurityGroup +metadata: + name: ec2-rule2 +spec: + forProvider: + region: us-east-1 + vpcIdSelector: + matchControllerRef: true + groupName: crossplane-getting-started + description: Allow access to PostgreSQL + ingress: + - fromPort: 5432 + toPort: 5432 + ipProtocol: tcp + ipRanges: + - cidrIp: 0.0.0.0/0 + description: Everywhere +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: ec2.aws.crossplane.io/v1beta1 + kind: SecurityGroup + metadata: + name: ec2-rule5 + spec: + forProvider: + region: us-east-1 + vpcIdSelector: + matchControllerRef: true + groupName: crossplane-getting-started + description: Allow access to PostgreSQL + ingress: + - fromPort: 5432 + toPort: 5432 + ipProtocol: tcp + ipRanges: + - cidrIp: 0.0.0.0/0 + description: Everywhere diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json new file mode 100644 index 00000000000..388655a694f --- /dev/null +++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 17, + "fileName": "positive.yaml" + }, + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 55, + "fileName": "positive.yaml" + } +] 
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json b/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
new file mode 100644
index 00000000000..c8e6975af7b
--- /dev/null
+++ b/assets/queries/crossplane/aws/efs_not_encrypted/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "72840c35-3876-48be-900d-f21b2f0c2ea1",
+ "queryName": "EFS Not Encrypted",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "Elastic File System (EFS) must be encrypted",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-encrypted",
+ "platform": "Crossplane",
+ "descriptionID": "de7bf263",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/query.rego b/assets/queries/crossplane/aws/efs_not_encrypted/query.rego
new file mode 100644
index 00000000000..fec529c0725
--- /dev/null
+++ b/assets/queries/crossplane/aws/efs_not_encrypted/query.rego
@@ -0,0 +1,46 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "efs.aws.crossplane.io")
+ resource.kind == "FileSystem"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "encrypted")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "encrypted should be defined and set to true",
+ "keyActualValue": "encrypted is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "efs.aws.crossplane.io")
+ resource.kind == "FileSystem"
+ forProvider := resource.spec.forProvider
+
+ forProvider.encrypted == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.encrypted", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "encrypted should be set to true",
+ "keyActualValue": "encrypted is set to false",
+ "searchLine": common_lib.build_search_line(path ,["spec", "forProvider","encrypted"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/negative.yaml b/assets/queries/crossplane/aws/efs_not_encrypted/test/negative.yaml
new file mode 100644
index 00000000000..2f3a4783862
--- /dev/null
+++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/negative.yaml
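Review bot: The MissingAttribute rule reports every match that `walk` yields, including a `Composition` resource `base` (the fixtures rely on `walk` reaching `spec.resources[].base`), yet in a Composition `encrypted` is frequently supplied through `patches` with a `toFieldPath` rather than in the base, so such bases will be reported as unencrypted even when the patched result is fine. I cannot tell from this hunk whether the scanner reconciles patches anywhere; if it does not, a comment above `not common_lib.valid_key(forProvider, "encrypted")` such as `# an absent key is reported even when a Composition patch sets it; patches are not evaluated here` would save triage time and should be mirrored in the sibling queries. Separately, both rules repeat the walk/apiVersion/kind/forProvider preamble verbatim; a shared rule that yields `[path, resource, forProvider]` for EFS FileSystems would keep the two filters from drifting. Minor: the last `build_search_line(path ,["spec", "forProvider","encrypted"])` has inconsistent spacing compared with the first rule.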
@@ -0,0 +1,40 @@ +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example +spec: + forProvider: + region: us-east-1 + encrypted: true + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example2 + spec: + forProvider: + region: us-east-1 + encrypted: true + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive.yaml b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive.yaml new file mode 100644 index 00000000000..52cd8087317 --- /dev/null +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive.yaml @@ -0,0 +1,40 @@ +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example3 +spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example4 + spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example 
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive2.yaml b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive2.yaml new file mode 100644 index 00000000000..28a5c91b78b --- /dev/null +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive2.yaml @@ -0,0 +1,38 @@ +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example5 +spec: + forProvider: + region: us-east-1 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example6 + spec: + forProvider: + region: us-east-1 + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json new file mode 100644 index 00000000000..b566c873588 --- /dev/null +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json @@ -0,0 +1,26 @@ +[ + { + "queryName": "EFS Not Encrypted", + "severity": "HIGH", + "line": 8, + "fileName": "positive.yaml" + }, + { + "queryName": "EFS Not Encrypted", + "severity": "HIGH", + "line": 38, + "fileName": "positive.yaml" + }, + { + "queryName": "EFS Not Encrypted", + "severity": "HIGH", + "line": 6, + "fileName": "positive2.yaml" + }, + { + "queryName": "EFS Not Encrypted", + "severity": "HIGH", + "line": 35, + "fileName": "positive2.yaml" + } +] 
diff --git a/assets/queries/crossplane/aws/efs_without_kms/metadata.json b/assets/queries/crossplane/aws/efs_without_kms/metadata.json
new file mode 100644
index 00000000000..9cab7aaa885
--- /dev/null
+++ b/assets/queries/crossplane/aws/efs_without_kms/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "bdecd6db-2600-47dd-a10c-72c97cf17ae9",
+ "queryName": "EFS Without KMS",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID",
+ "platform": "Crossplane",
+ "descriptionID": "2643a873",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/efs_without_kms/query.rego b/assets/queries/crossplane/aws/efs_without_kms/query.rego
new file mode 100644
index 00000000000..11f8372529a
--- /dev/null
+++ b/assets/queries/crossplane/aws/efs_without_kms/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "efs.aws.crossplane.io")
+ resource.kind == "FileSystem"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "kmsKeyID")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "kmsKeyID should be defined",
+ "keyActualValue": "kmsKeyID is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
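Review bot: The rule only tests that `kmsKeyID` is present, while the metadata text promises "customer-managed keys instead of AWS managed-keys"; a manifest that names the AWS-managed EFS key still passes, so the description overstates what the check can establish from a manifest and should be toned down, or the rule should at least reject an obvious `alias/aws/` value. The positive fixture for this query is byte-identical to efs_not_encrypted's (both carry index `52cd8087317`) and only exercises `encrypted: false` with no key, which every rule in this change would flag; a fixture with `encrypted: true` and no `kmsKeyID` would test this query's own intent. If the FileSystem CRD also exposes a reference/selector form of the key (common for provider-aws fields; confirm against the linked schema), those should count as defined to avoid false positives on keys managed as Crossplane resources.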
diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/negative.yaml b/assets/queries/crossplane/aws/efs_without_kms/test/negative.yaml new file mode 100644 index 00000000000..87beddac036 --- /dev/null +++ b/assets/queries/crossplane/aws/efs_without_kms/test/negative.yaml @@ -0,0 +1,42 @@ +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example +spec: + forProvider: + region: us-east-1 + kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab + encrypted: true + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example2 + spec: + forProvider: + region: us-east-1 + kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab + encrypted: true + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/positive.yaml b/assets/queries/crossplane/aws/efs_without_kms/test/positive.yaml new file mode 100644 index 00000000000..52cd8087317 --- /dev/null +++ b/assets/queries/crossplane/aws/efs_without_kms/test/positive.yaml 
@@ -0,0 +1,40 @@ +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example3 +spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example4 + spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json new file mode 100644 index 00000000000..ed13bfab430 --- /dev/null +++ b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "EFS Without KMS", + "severity": "HIGH", + "line": 6, + "fileName": "positive.yaml" + }, + { + "queryName": "EFS Without KMS", + "severity": "HIGH", + "line": 36, + "fileName": "positive.yaml" + } +] diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json new file mode 100644 index 00000000000..e03460f4aa8 --- /dev/null +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "a507daa5-0795-4380-960b-dd7bb7c56661",
+ "queryName": "ELB Using Weak Ciphers",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/v1alpha1@v0.29.0#spec-forProvider-sslPolicy",
+ "platform": "Crossplane",
+ "descriptionID": "53318133",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/query.rego b/assets/queries/crossplane/aws/elb_using_weak_ciphers/query.rego
new file mode 100644
index 00000000000..f23f8ec360b
--- /dev/null
+++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/query.rego
@@ -0,0 +1,47 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "elbv2.aws.crossplane.io")
+ resource.kind == "Listener"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "sslPolicy")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "sslPolicy should be defined with a secure protocol or cipher",
+ "keyActualValue": "sslPolicy is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "elbv2.aws.crossplane.io")
+ resource.kind == "Listener"
+ forProvider := resource.spec.forProvider
+
+ policy := forProvider.sslPolicy
+ common_lib.weakCipher(policy)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.sslPolicy", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "sslPolicy should use a secure protocol or cipher",
+ "keyActualValue": "sslPolicy is using a weak cipher",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "sslPolicy"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/negative.yaml b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/negative.yaml
new file mode 100644
index 00000000000..26d9feeb74e
--- /dev/null
+++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/negative.yaml
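Review bot: The first rule reports every `elbv2` Listener without `sslPolicy`, but an SSL policy only applies to HTTPS/TLS listeners, so plain HTTP and TCP listeners — which have no TLS to configure — will be flagged as MissingAttribute on every scan; both fixtures in this change use `protocol: HTTP`, which suggests the protocol was never considered. I would gate the missing-attribute rule on the listener protocol with `secure := {"HTTPS", "TLS"}` and `secure[upper(forProvider.protocol)]` before the `not common_lib.valid_key(...)` line, and switch the fixtures to `protocol: HTTPS` so they still hit the rule. The weak-cipher decision is delegated to `common_lib.weakCipher`, which is outside this hunk; note that the positive fixture's `TLS_NULL_WITH_NULL_NULL` is a cipher-suite name rather than an ELB predefined policy name, so the test proves the lookup works but not that a realistic weak `sslPolicy` value is caught.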
@@ -0,0 +1,60 @@ +apiVersion: elbv2.aws.crossplane.io/v1alpha1 +kind: Listener +metadata: + name: test-listener +spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: ELBSecurityPolicy-2015-05 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: elbv2.aws.crossplane.io/v1alpha1 + kind: Listener + metadata: + name: test-listener2 + spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: ELBSecurityPolicy-2015-05 + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive.yaml b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive.yaml new file mode 100644 index 00000000000..7cb5e0b3a40 --- /dev/null +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive.yaml 
@@ -0,0 +1,60 @@ +apiVersion: elbv2.aws.crossplane.io/v1alpha1 +kind: Listener +metadata: + name: test-listener +spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: TLS_NULL_WITH_NULL_NULL + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: elbv2.aws.crossplane.io/v1alpha1 + kind: Listener + metadata: + name: test-listener2 + spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: TLS_NULL_WITH_NULL_NULL + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json new file mode 100644 index 00000000000..9839c2318a3 --- /dev/null +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 18, + "fileName": "positive.yaml" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 58, + "fileName": "positive.yaml" + } +] 
diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
new file mode 100644
index 00000000000..0af17b56f4c
--- /dev/null
+++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "83bf5aca-138a-498e-b9cd-ad5bc5e117b4",
+ "queryName": "Neptune Database Cluster Encryption Disabled",
+ "severity": "MEDIUM",
+ "category": "Encryption",
+ "descriptionText": "Neptune database cluster storage should have encryption enabled",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/v1alpha1@v0.29.0#spec-forProvider-storageEncrypted",
+ "platform": "Crossplane",
+ "descriptionID": "f7998100",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/query.rego b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/query.rego
new file mode 100644
index 00000000000..bfb4f914b9f
--- /dev/null
+++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/query.rego
@@ -0,0 +1,46 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "neptune.aws.crossplane.io")
+ resource.kind == "DBCluster"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "storageEncrypted")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "storageEncrypted should be defined and set to true",
+ "keyActualValue": "storageEncrypted is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "neptune.aws.crossplane.io")
+ resource.kind == "DBCluster"
+ forProvider := resource.spec.forProvider
+
+ forProvider.storageEncrypted == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.storageEncrypted", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "storageEncrypted should be defined and set to true",
+ "keyActualValue": "storageEncrypted is set to false",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "storageEncrypted"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/negative.yaml b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/negative.yaml
new file mode 100644
index 00000000000..44dcd4923b0
--- /dev/null
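Review bot: Style: both rules bind `docs := input.document[i]` and then index `input.document[i].id` a second time inside `result`; `"documentId": docs.id` says the same thing without the repeated lookup, and the same pattern recurs in every Crossplane query of this change. The two rules also share their first six lines verbatim, so the apiVersion prefix and `kind` are maintained in two places; if a shared helper is introduced for the other queries it should be used here too. The `keyExpectedValue` of the second rule says "should be defined and set to true" although the key is defined in that branch — "storageEncrypted should be set to true" matches what the rule actually observed.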
+++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/negative.yaml @@ -0,0 +1,50 @@ +apiVersion: neptune.aws.crossplane.io/v1alpha1 +kind: DBCluster +metadata: + name: sample-cluster +spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + storageEncrypted: true +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: neptune.aws.crossplane.io/v1alpha1 + kind: DBCluster + metadata: + name: sample-cluster2 + spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + storageEncrypted: true diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive.yaml b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive.yaml new file mode 100644 index 00000000000..cba3546603a --- /dev/null +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive.yaml 
@@ -0,0 +1,48 @@ +apiVersion: neptune.aws.crossplane.io/v1alpha1 +kind: DBCluster +metadata: + name: sample-cluster3 +spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: neptune.aws.crossplane.io/v1alpha1 + kind: DBCluster + metadata: + name: sample-cluster4 + spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive2.yaml b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive2.yaml new file mode 100644 index 00000000000..86370d27cd2 --- /dev/null +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive2.yaml 
@@ -0,0 +1,50 @@ +apiVersion: neptune.aws.crossplane.io/v1alpha1 +kind: DBCluster +metadata: + name: sample-cluster3 +spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + storageEncrypted: false +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: neptune.aws.crossplane.io/v1alpha1 + kind: DBCluster + metadata: + name: sample-cluster4 + spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + storageEncrypted: false diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json new file mode 100644 index 00000000000..8a81e6421d4 --- /dev/null +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -0,0 +1,26 @@ +[ + { + "queryName": "Neptune Database Cluster Encryption Disabled", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive.yaml" + }, + { + "queryName": "Neptune Database Cluster Encryption Disabled", + "severity": "MEDIUM", + "line": 40, + "fileName": "positive.yaml" + }, + { + "queryName": "Neptune Database Cluster Encryption Disabled", + "severity": "MEDIUM", + "line": 15, + "fileName": "positive2.yaml" + }, + { + "queryName": "Neptune Database Cluster Encryption Disabled", + "severity": "MEDIUM", + "line": 50, + "fileName": "positive2.yaml" + } +] diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json new file mode 100644 index 00000000000..d43cc1dc3cc --- /dev/null +++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "9296f1cc-7a40-45de-bd41-f31745488a0e", + "queryName": "SQS with SSE disabled", + "severity": "MEDIUM", + "category": "Encryption", + "descriptionText": "Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)", + "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId", + "platform": "Crossplane", + "descriptionID": "ed3868e0", + "cloudProvider": "aws" +} diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/query.rego b/assets/queries/crossplane/aws/sqs_with_sse_disabled/query.rego new file mode 100644 index 00000000000..42a9546b218 --- /dev/null +++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/query.rego 
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "sqs.aws.crossplane.io")
+ resource.kind == "Queue"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "kmsMasterKeyId")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "kmsMasterKeyId should be defined",
+ "keyActualValue": "kmsMasterKeyId is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/negative.yaml b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/negative.yaml
new file mode 100644
index 00000000000..c5a906f39aa
--- /dev/null
+++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/negative.yaml
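Review bot: The rule reports a Queue whenever `spec.forProvider.kmsMasterKeyId` is absent, but provider-aws resources usually allow the key to be given as a cross-resource reference (`kmsMasterKeyIdRef` / `kmsMasterKeyIdSelector` — confirm against the Queue v1beta1 schema linked in metadata); a queue whose CMK is another Crossplane-managed `Key` would then be a false positive on every scan. I would treat any of the three forms as satisfying the check, i.e. add `not common_lib.valid_key(forProvider, "kmsMasterKeyIdRef")` and `not common_lib.valid_key(forProvider, "kmsMasterKeyIdSelector")` next to the existing `not common_lib.valid_key(forProvider, "kmsMasterKeyId")`. The query is named "SSE disabled" yet only a KMS key counts as SSE; if the CRD exposes an SQS-managed SSE toggle, that too should be accepted, or the name and `keyExpectedValue` should say the check is specifically for a KMS key.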
@@ -0,0 +1,50 @@ +apiVersion: sqs.aws.crossplane.io/v1beta1 +kind: Queue +metadata: + name: test-queue +spec: + forProvider: + region: us-east-1 + kmsMasterKeyId: KMS-KEY-ARN + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: sqs.aws.crossplane.io/v1beta1 + kind: Queue + metadata: + name: test-queue2 + spec: + forProvider: + region: us-east-1 + kmsMasterKeyId: KMS-KEY-ARN + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive.yaml b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive.yaml new file mode 100644 index 00000000000..e3833d39d26 --- /dev/null +++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive.yaml 
@@ -0,0 +1,48 @@ +apiVersion: sqs.aws.crossplane.io/v1beta1 +kind: Queue +metadata: + name: test-queue3 +spec: + forProvider: + region: us-east-1 + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: sqs.aws.crossplane.io/v1beta1 + kind: Queue + metadata: + name: test-queue4 + spec: + forProvider: + region: us-east-1 + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json new file mode 100644 index 00000000000..7608ce4f674 --- /dev/null +++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "SQS with SSE disabled", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive.yaml" + }, + { + "queryName": "SQS with SSE disabled", + "severity": "MEDIUM", + "line": 40, + "fileName": "positive.yaml" + } +] diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json b/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json new file mode 100644 index 00000000000..ece8c2ca661 --- /dev/null +++ b/assets/queries/crossplane/azure/aks_rbac_disabled/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "b2418936-cd47-4ea2-8346-623c0bdb87bd",
+ "queryName": "AKS RBAC Disabled",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/v1alpha3@v0.19.0#spec-disableRBAC",
+ "platform": "Crossplane",
+ "descriptionID": "b9f4440e",
+ "cloudProvider": "azure"
+}
diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/query.rego b/assets/queries/crossplane/azure/aks_rbac_disabled/query.rego
new file mode 100644
index 00000000000..93cf205bd59
--- /dev/null
+++ b/assets/queries/crossplane/azure/aks_rbac_disabled/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "compute.azure.crossplane.io")
+ resource.kind == "AKSCluster"
+ spec := resource.spec
+
+ spec.disableRBAC == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.disableRBAC", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "disableRBAC should be set to false",
+ "keyActualValue": "disableRBAC is set to true",
+ "searchLine": common_lib.build_search_line(path, ["spec", "disableRBAC"]),
+ }
+}
diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/negative.yaml b/assets/queries/crossplane/azure/aks_rbac_disabled/test/negative.yaml
new file mode 100644
index 00000000000..ceb54a57f0e
--- /dev/null
+++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/negative.yaml
@@ -0,0 +1,39 @@
+apiVersion: compute.azure.crossplane.io/v1alpha3
+kind: AKSCluster
+metadata:
+ name: anais-crossplane-demo
+spec:
+ location: eastus
+ version: "1.19.7"
+ nodeVMSize: Standard_D2_v2
+ resourceGroupNameRef:
+ name: anais-resource
+ dnsNamePrefix: dt
+ nodeCount: 2
+ disableRBAC: false
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: aks.multik8s.platformref.crossplane.io
+ labels:
+ provider: AZURE
+spec:
+ compositeTypeRef:
+ apiVersion: multik8s.platformref.crossplane.io/v1alpha1
+ kind: AKS
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: compute.azure.crossplane.io/v1alpha3
+ kind: AKSCluster
+ metadata:
+ name: anais-crossplane-demo
+ spec:
+ location: eastus
+ version: "1.19.7"
+ nodeVMSize: Standard_D2_v2
+ resourceGroupNameRef:
+ name: anais-resource
+ dnsNamePrefix: dt
+ nodeCount: 2
diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive.yaml b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive.yaml
new file mode 100644
index 00000000000..e5d084530e3
--- /dev/null
+++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive.yaml
@@ -0,0 +1,40 @@
+apiVersion: compute.azure.crossplane.io/v1alpha3
+kind: AKSCluster
+metadata:
+ name: anais-crossplane-demo
+spec:
+ location: eastus
+ version: "1.19.7"
+ nodeVMSize: Standard_D2_v2
+ resourceGroupNameRef:
+ name: anais-resource
+ dnsNamePrefix: dt
+ nodeCount: 2
+ disableRBAC: true
+---
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: aks.multik8s.platformref.crossplane.io
+ labels:
+ provider: AZURE
+spec:
+ compositeTypeRef:
+ apiVersion: multik8s.platformref.crossplane.io/v1alpha1
+ kind: AKS
+ resources:
+ - name: sample-ec2
+ base:
+ apiVersion: compute.azure.crossplane.io/v1alpha3
+ kind: AKSCluster
+ metadata:
+ name: anais-crossplane-demo
+ spec:
+ location: eastus
+ version: "1.19.7"
+ nodeVMSize: Standard_D2_v2
+ resourceGroupNameRef:
+ name: anais-resource
+ dnsNamePrefix: dt
+ nodeCount: 2
+ disableRBAC: true
diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..1c265a231ce
--- /dev/null
+++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "AKS RBAC Disabled",
+ "severity": "MEDIUM",
+ "line": 13,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "AKS RBAC Disabled",
+ "severity": "MEDIUM",
+ "line": 40,
+ "fileName": "positive.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
new file mode 100644
index 00000000000..a0fa3173e8f
--- /dev/null
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "6c7cfec3-c686-4ed2-bf58-a1ec054b63fc",
+ "queryName": "Redis Cache Allows Non SSL Connections",
+ "severity": "MEDIUM",
+ "category": "Encryption",
+ "descriptionText": "Redis Cache resource should not allow non-SSL connections.",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/v1beta1@v0.19.0#spec-forProvider-enableNonSslPort",
+ "platform": "Crossplane",
+ "descriptionID": "d7cbff51",
+ "cloudProvider": "azure"
+}
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/query.rego b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/query.rego
new file mode 100644
index 00000000000..70e04ac164e
--- /dev/null
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "cache.azure.crossplane.io")
+ resource.kind == "Redis"
+ forProvider := resource.spec.forProvider
+
+ forProvider.enableNonSslPort == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.enableNonSslPort", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "enableNonSslPort should be set to false or undefined",
+ "keyActualValue": "enableNonSslPort is set to true",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "enableNonSslPort"]),
+ }
+}
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/negative.yaml b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/negative.yaml
new file mode 100644
index 00000000000..47f47b68baf
--- /dev/null
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/negative.yaml
@@ -0,0 +1,29 @@
+apiVersion: cache.azure.crossplane.io/v1beta1
+kind: Redis
+metadata:
+ name: azureRedis
+spec:
+ providerConfigRef:
+ name: crossplane-azure
+ forProvider:
+ location: West Europe
+ sku:
+ name: Basic
+ family: C
+ capacity: 0
+ enableNonSslPort: false
+---
+apiVersion: cache.azure.crossplane.io/v1beta1
+kind: Redis
+metadata:
+ name: azureRedis2
+spec:
+ providerConfigRef:
+ name: crossplane-azure
+ forProvider:
+ location: West Europe
+ sku:
+ name: Basic
+ family: C
+ capacity: 0
+
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive.yaml b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive.yaml
new file mode 100644
index 00000000000..bb0276b94ec
--- /dev/null
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive.yaml
@@ -0,0 +1,14 @@
+apiVersion: cache.azure.crossplane.io/v1beta1
+kind: Redis
+metadata:
+ name: azureRedis3
+spec:
+ providerConfigRef:
+ name: crossplane-azure
+ forProvider:
+ location: West Europe
+ sku:
+ name: Basic
+ family: C
+ capacity: 0
+ enableNonSslPort: true
diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
new file mode 100644
index 00000000000..794ace29ea3
--- /dev/null
+++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Redis Cache Allows Non SSL Connections",
+ "severity": "MEDIUM",
+ "line": 14,
+ "fileName": "positive.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
new file mode 100644
index 00000000000..3113aecef89
--- /dev/null
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "6c2d627c-de0f-45fb-b33d-dad9bffbb421",
+ "queryName": "Cloud Storage Bucket Logging Not Enabled",
+ "severity": "HIGH",
+ "category": "Observability",
+ "descriptionText": "Cloud storage bucket should have logging enabled",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging",
+ "platform": "Crossplane",
+ "descriptionID": "49295adb",
+ "cloudProvider": "gcp"
+}
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/query.rego b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
new file mode 100644
index 00000000000..169ccf62462
--- /dev/null
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "storage.gcp.crossplane.io")
+ resource.kind == "Bucket"
+ spec := resource.spec
+
+ not common_lib.valid_key(spec, "logging")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "Bucket logging should be defined",
+ "keyActualValue": "Bucket logging is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec"]),
+ }
+}
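Review bot: `not common_lib.valid_key(spec, "logging")` treats the mere presence of a `logging` key as compliant, so a bucket with `logging: {}` or a `logging` block that names no `logBucket` would pass without any log sink actually being configured; the negative fixture only covers the fully specified case. If the CRD accepts an empty `logging` object (I cannot confirm that from the hunk), a second rule with `not common_lib.valid_key(spec.logging, "logBucket")` reporting the `logging` path would close that gap. A short comment above the check, `# access logs only ship when logging.logBucket is set`, would also record the expectation the query is meant to enforce.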
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/negative.yaml b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/negative.yaml
new file mode 100644
index 00000000000..a33ba12260b
--- /dev/null
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/negative.yaml
@@ -0,0 +1,14 @@
+apiVersion: storage.gcp.crossplane.io/v1alpha3
+kind: Bucket
+metadata:
+ name: bucketSample
+spec:
+ location: EU
+ logging:
+ logBucket: example-logs-bucket
+ storageClass: MULTI_REGIONAL
+ providerConfigRef:
+ name: crossplane-gcp
+ labels:
+ made-by: crossplane
+ deletionPolicy: Delete
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive.yaml b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive.yaml
new file mode 100644
index 00000000000..90bb50d331d
--- /dev/null
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive.yaml
@@ -0,0 +1,12 @@
+apiVersion: storage.gcp.crossplane.io/v1alpha3
+kind: Bucket
+metadata:
+ name: bucketSample
+spec:
+ location: EU
+ storageClass: MULTI_REGIONAL
+ providerConfigRef:
+ name: crossplane-gcp
+ labels:
+ made-by: crossplane
+ deletionPolicy: Delete
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..ed241dccf3e
--- /dev/null
+++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Cloud Storage Bucket Logging Not Enabled",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive.yaml"
+ }
+]
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
new file mode 100644
index 00000000000..befe46586e3
--- /dev/null
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "b4f65d13-a609-4dc1-af7c-63d2e08bffe9",
+ "queryName": "Google Container Node Pool Auto Repair Disabled",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair",
+ "platform": "Crossplane",
+ "descriptionID": "bc1c198b",
+ "cloudProvider": "gcp"
+}
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego
new file mode 100644
index 00000000000..c00ba2cc874
--- /dev/null
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego
@@ -0,0 +1,69 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "container.gcp.crossplane.io")
+ resource.kind == "NodePool"
+ forProvider := resource.spec.forProvider
+
+ not common_lib.valid_key(forProvider, "management")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "management should be defined with autoRepair set to true",
+ "keyActualValue": "management is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "container.gcp.crossplane.io")
+ resource.kind == "NodePool"
+ forProvider := resource.spec.forProvider
+
+ management := forProvider.management
+ not common_lib.valid_key(management, "autoRepair")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.management", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "autoRepair should be defined and set to true",
+ "keyActualValue": "autoRepair is not defined",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider","management"]),
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "container.gcp.crossplane.io")
+ resource.kind == "NodePool"
+ forProvider := resource.spec.forProvider
+
+ management := forProvider.management
+ management.autoRepair == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": resource.metadata.name,
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.management.autoRepair", [cp_lib.getPath(path), resource.metadata.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "autoRepair should be set to true",
+ "keyActualValue": "autoRepair is set to false",
+ "searchLine": common_lib.build_search_line(path, ["spec", "forProvider","management", "autoRepair"]),
+ }
+}
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/negative.yaml b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/negative.yaml
new file mode 100644
index 00000000000..f56257ab884
--- /dev/null
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/negative.yaml
@@ -0,0 +1,20 @@
+apiVersion: container.gcp.crossplane.io/v1beta1
+kind: NodePool
+metadata:
+ name: cluster-np
+spec:
+ forProvider:
+ management:
+ autoRepair: true
+ autoscaling:
+ autoprovisioned: false
+ enabled: true
+ maxNodeCount: 5
+ minNodeCount: 3
+ clusterRef:
+ name: eutuxia-cluster
+ initialNodeCount: 3
+ config:
+ machineType: n1-standard-1
+ locations:
+ - "us-central1-a"
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive.yaml b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive.yaml
new file mode 100644
index 00000000000..6929f825896
--- /dev/null
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive.yaml
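Review bot: The three rules repeat the same five-line selection preamble (walk, apiVersion prefix, kind, forProvider), so a future change to how NodePool resources are matched has to be made in three places; a shared helper rule that yields `path`, `resource` and `forProvider` for a matching NodePool would keep that logic in one spot and leave each rule with only its own condition. Separately, the `searchLine` lists in the second and third rules are spaced inconsistently with the first: `["spec", "forProvider","management"]` and `["spec", "forProvider","management", "autoRepair"]` should read `["spec", "forProvider", "management"]` and `["spec", "forProvider", "management", "autoRepair"]`. A one-line comment above the first rule, `# three cases: management absent, autoRepair absent, autoRepair explicitly false`, would make the split between the rules obvious to the next reader.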
@@ -0,0 +1,39 @@
+apiVersion: container.gcp.crossplane.io/v1beta1
+kind: NodePool
+metadata:
+ name: cluster-np
+spec:
+ forProvider:
+ autoscaling:
+ autoprovisioned: false
+ enabled: true
+ maxNodeCount: 5
+ minNodeCount: 3
+ clusterRef:
+ name: eutuxia-cluster
+ initialNodeCount: 3
+ config:
+ machineType: n1-standard-1
+ locations:
+ - "us-central1-a"
+---
+apiVersion: container.gcp.crossplane.io/v1beta1
+kind: NodePool
+metadata:
+ name: cluster-np
+spec:
+ forProvider:
+ management:
+ autoRepair: false
+ autoscaling:
+ autoprovisioned: false
+ enabled: true
+ maxNodeCount: 5
+ minNodeCount: 3
+ clusterRef:
+ name: eutuxia-cluster
+ initialNodeCount: 3
+ config:
+ machineType: n1-standard-1
+ locations:
+ - "us-central1-a"
diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..1c81ab5ef46
--- /dev/null
+++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "Google Container Node Pool Auto Repair Disabled",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive.yaml"
+ },
+ {
+ "queryName": "Google Container Node Pool Auto Repair Disabled",
+ "severity": "MEDIUM",
+ "line": 27,
+ "fileName": "positive.yaml"
+ }
+]
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
index f6ad7a6297a..58304e1b335 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
@@ -1,9 +1,9 @@ { "id": "94690d79-b3b0-43de-b656-84ebef5753e5", - "queryName": "Cloudfront Logging Disabled", + "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "category": "Observability", - "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging_config' must be defined", + "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'logging_config' must be defined", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution", "platform": "Terraform", "descriptionID": "9cf96455", diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/query.rego b/assets/queries/terraform/aws/cloudfront_logging_disabled/query.rego index 06837184b08..9025a03a9b1 100644 --- a/assets/queries/terraform/aws/cloudfront_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/query.rego @@ -6,6 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource cloudfront := resource.aws_cloudfront_distribution[name] + cloudfront.enabled == true not common_lib.valid_key(cloudfront, "logging_config") result := { diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 330b86be310..0e8947653f8 100644 --- a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -1,6 +1,6 @@ [ { - "queryName": "Cloudfront Logging Disabled", + "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 1 } 
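Review bot: The new `cloudfront.enabled == true` guard in cloudfront_logging_disabled/query.rego suppresses the finding whenever `enabled` does not resolve to the literal `true`, so a distribution whose `enabled` is an expression the scanner cannot evaluate would silently stop being reported even though it may well be serving traffic; `not cloudfront.enabled == false` keeps the intended skip for explicitly disabled distributions while still reporting the indeterminate case. The same guard is added to all four rules of cloudfront_without_minimum_protocol_tls_1.2/query.rego and to cloudfront_without_waf/query.rego, and the same remark applies there. Nothing in the hunk records why the gate was introduced, so a comment such as `# a disabled distribution serves no traffic; only enabled ones are checked` above the guard would help the next reader.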
diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego index 17f1445b82c..b918d5e2270 100644 --- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego +++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego @@ -6,6 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { document := input.document[i] resource := document.resource.aws_cloudfront_distribution[name] + resource.enabled == true not common_lib.valid_key(resource, "viewer_certificate") @@ -26,6 +27,7 @@ CxPolicy[result] { CxPolicy[result] { document := input.document[i] resource := document.resource.aws_cloudfront_distribution[name] + resource.enabled == true resource.viewer_certificate.cloudfront_default_certificate == true @@ -49,6 +51,7 @@ CxPolicy[result] { CxPolicy[result] { document := input.document[i] resource := document.resource.aws_cloudfront_distribution[name] + resource.enabled == true resource.viewer_certificate.cloudfront_default_certificate == false protocol_version := resource.viewer_certificate.minimum_protocol_version @@ -75,6 +78,7 @@ CxPolicy[result] { CxPolicy[result] { document := input.document[i] resource := document.resource.aws_cloudfront_distribution[name] + resource.enabled == true resource.viewer_certificate.cloudfront_default_certificate == false not common_lib.valid_key(resource.viewer_certificate, "minimum_protocol_version") diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json index ad395639ce3..e24a1dee196 100755 --- a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json +++ b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json 
@@ -1,6 +1,6 @@ { "id": "1419b4c6-6d5c-4534-9cf6-6a5266085333", - "queryName": "Cloudfront Without WAF", + "queryName": "CloudFront Without WAF", "severity": "LOW", "category": "Networking and Firewall", "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service", diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/query.rego b/assets/queries/terraform/aws/cloudfront_without_waf/query.rego index f0f236cbe7a..78a3c221828 100644 --- a/assets/queries/terraform/aws/cloudfront_without_waf/query.rego +++ b/assets/queries/terraform/aws/cloudfront_without_waf/query.rego @@ -4,6 +4,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_cloudfront_distribution[name] + resource.enabled == true not resource.web_acl_id result := { diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json index 79cef031f04..23fdae79ae5 100755 --- a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -1,6 +1,6 @@ [ { - "queryName": "Cloudfront Without WAF", + "queryName": "CloudFront Without WAF", "severity": "LOW", "line": 15 } diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json index b7133b84e24..dc359792c32 100644 --- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json +++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/metadata.json 
@@ -3,7 +3,7 @@ "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", "category": "Encryption", - "descriptionText": "The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').", + "descriptionText": "AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted", "platform": "Terraform", "descriptionID": "88ca11bc", diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego b/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego index ad8c2b3591f..48d0eebfea7 100644 --- a/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego +++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego @@ -1,12 +1,13 @@ package Cx import data.generic.terraform as tf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].resource.aws_load_balancer_policy[name] protocol := resource.policy_attribute.name - weakCipher(protocol) + common_lib.weakCipher(protocol) result := { "documentId": input.document[i].id, @@ -24,7 +25,7 @@ CxPolicy[result] { some j protocol := policy.policy_attribute[j].name - weakCipher(protocol) + common_lib.weakCipher(protocol) result := { "documentId": input.document[i].id, 
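Review bot: In elb_using_weak_ciphers/query.rego the added `import data.generic.common as common_lib` is placed after `import data.generic.terraform as tf_lib`, whereas the Crossplane queries in this same patch list the common import first; moving it above the terraform import keeps the ordering consistent across the query set. The rule bodies now depend on `common_lib.weakCipher`, whose definition is removed from this file in the following hunk and presumably lives in the shared common library, so a one-line comment at the first call, `# cipher list is maintained in the shared common library`, would point readers to where the weak-cipher set is kept.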
@@ -36,29 +37,3 @@ CxPolicy[result] { "keyActualValue": sprintf("'aws_load_balancer_policy[%s].policy_attribute[%s].name' is a weak cipher", [name, protocol]), } } - -# IANA -weakCipher(aux) { - weak_ciphers_IANA_Format := { - "TLS_NULL_WITH_NULL_NULL", "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_RSA_WITH_IDEA_CBC_SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_DSS_WITH_DES_CBC_SHA", "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_RSA_WITH_DES_CBC_SHA", "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_RC4_128_MD5", "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_anon_WITH_DES_CBC_SHA", "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_RC4_128_SHA", "TLS_KRB5_WITH_IDEA_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5", "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "TLS_KRB5_WITH_RC4_128_MD5", "TLS_KRB5_WITH_IDEA_CBC_MD5", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "TLS_PSK_WITH_NULL_SHA", "TLS_DHE_PSK_WITH_NULL_SHA", "TLS_RSA_PSK_WITH_NULL_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_DH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", 
"TLS_DH_DSS_WITH_AES_256_CBC_SHA", "TLS_DH_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_anon_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "TLS_DH_anon_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", "TLS_PSK_WITH_RC4_128_SHA", "TLS_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_PSK_WITH_AES_128_CBC_SHA", "TLS_PSK_WITH_AES_256_CBC_SHA", "TLS_DHE_PSK_WITH_RC4_128_SHA", "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_PSK_WITH_RC4_128_SHA", "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_SEED_CBC_SHA", "TLS_DH_DSS_WITH_SEED_CBC_SHA", "TLS_DH_RSA_WITH_SEED_CBC_SHA", "TLS_DHE_DSS_WITH_SEED_CBC_SHA", "TLS_DHE_RSA_WITH_SEED_CBC_SHA", "TLS_DH_anon_WITH_SEED_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 
"TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", "TLS_DH_anon_WITH_AES_128_GCM_SHA256", "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_GCM_SHA256", "TLS_PSK_WITH_AES_256_GCM_SHA384", "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_CBC_SHA256", "TLS_PSK_WITH_AES_256_CBC_SHA384", "TLS_PSK_WITH_NULL_SHA256", "TLS_PSK_WITH_NULL_SHA384", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", - "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_DHE_PSK_WITH_NULL_SHA256", "TLS_DHE_PSK_WITH_NULL_SHA384", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", "TLS_RSA_PSK_WITH_NULL_SHA256", "TLS_RSA_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", "TLS_SM4_GCM_SM3", "TLS_SM4_CCM_SM3", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_AES_128_CCM_8_SHA256", "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_anon_WITH_NULL_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_RC4_128_SHA", "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_NULL_SHA", "TLS_ECDHE_PSK_WITH_NULL_SHA256", "TLS_ECDHE_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", 
"TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", 
"TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_PSK_DHE_WITH_AES_128_CCM_8", "TLS_PSK_DHE_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", 
"TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "TLS_ECCPWD_WITH_AES_128_GCM_SHA256", "TLS_ECCPWD_WITH_AES_256_GCM_SHA384", "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", "TLS_SHA256_SHA256", "TLS_SHA384_SHA384", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", - } - - some i - weak_ciphers_IANA_Format[i] == aux -} - -# OpenSSL -weakCipher(aux) { - weak_ciphers_OpenSSL_Format := {"NULL-MD5", "NULL-SHA", "IDEA-CBC-SHA", "DES-CBC3-SHA", "DHE-DSS-DES-CBC3-SHA", "DHE-RSA-DES-CBC3-SHA", "ADH-DES-CBC3-SHA", "PSK-NULL-SHA", "DHE-PSK-NULL-SHA", "RSA-PSK-NULL-SHA", "AES128-SHA", "DHE-DSS-AES128-SHA", "DHE-RSA-AES128-SHA", "ADH-AES128-SHA", "AES256-SHA", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA", "ADH-AES256-SHA", "NULL-SHA256", "AES128-SHA256", "AES256-SHA256", "DHE-DSS-AES128-SHA256", "CAMELLIA128-SHA", "DHE-DSS-CAMELLIA128-SHA", "DHE-RSA-CAMELLIA128-SHA", "ADH-CAMELLIA128-SHA", "DHE-RSA-AES128-SHA256", "DHE-DSS-AES256-SHA256", "DHE-RSA-AES256-SHA256", "ADH-AES128-SHA256", "ADH-AES256-SHA256", "CAMELLIA256-SHA", "DHE-DSS-CAMELLIA256-SHA", "DHE-RSA-CAMELLIA256-SHA", "ADH-CAMELLIA256-SHA", "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA", "DHE-PSK-3DES-EDE-CBC-SHA", "DHE-PSK-AES128-CBC-SHA", "DHE-PSK-AES256-CBC-SHA", "RSA-PSK-3DES-EDE-CBC-SHA", "RSA-PSK-AES128-CBC-SHA", "RSA-PSK-AES256-CBC-SHA", "SEED-SHA", "DHE-DSS-SEED-SHA", "DHE-RSA-SEED-SHA", "ADH-SEED-SHA", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES256-GCM-SHA384", "ADH-AES128-GCM-SHA256", "ADH-AES256-GCM-SHA384", "PSK-AES128-GCM-SHA256", "PSK-AES256-GCM-SHA384", 
"RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES256-GCM-SHA384", "PSK-AES128-CBC-SHA256", "PSK-AES256-CBC-SHA384", "PSK-NULL-SHA256", "PSK-NULL-SHA384", "DHE-PSK-AES128-CBC-SHA256", "DHE-PSK-AES256-CBC-SHA384", "DHE-PSK-NULL-SHA256", "DHE-PSK-NULL-SHA384", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-NULL-SHA256", "RSA-PSK-NULL-SHA384", "CAMELLIA128-SHA256", "DHE-DSS-CAMELLIA128-SHA256", "DHE-RSA-CAMELLIA128-SHA256", "ADH-CAMELLIA128-SHA256", "CAMELLIA256-SHA256", "DHE-DSS-CAMELLIA256-SHA256", "DHE-RSA-CAMELLIA256-SHA256", "ADH-CAMELLIA256-SHA256", "ECDHE-ECDSA-NULL-SHA", "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-NULL-SHA", "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AECDH-NULL-SHA", "AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA", "SRP-3DES-EDE-CBC-SHA", "SRP-RSA-3DES-EDE-CBC-SHA", "SRP-DSS-3DES-EDE-CBC-SHA", "SRP-AES-128-CBC-SHA", "SRP-RSA-AES-128-CBC-SHA", "SRP-DSS-AES-128-CBC-SHA", "SRP-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-DSS-AES-256-CBC-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384", "ECDHE-PSK-3DES-EDE-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA", "ECDHE-PSK-AES256-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA256", "ECDHE-PSK-AES256-CBC-SHA384", "ECDHE-PSK-NULL-SHA", "ECDHE-PSK-NULL-SHA256", "ECDHE-PSK-NULL-SHA384", "ECDHE-ECDSA-CAMELLIA128-SHA256", "ECDHE-ECDSA-CAMELLIA256-SHA384", "ECDHE-RSA-CAMELLIA128-SHA256", "ECDHE-RSA-CAMELLIA256-SHA384", "PSK-CAMELLIA128-SHA256", "PSK-CAMELLIA256-SHA384", "DHE-PSK-CAMELLIA128-SHA256", "DHE-PSK-CAMELLIA256-SHA384", "RSA-PSK-CAMELLIA128-SHA256", "RSA-PSK-CAMELLIA256-SHA384", "ECDHE-PSK-CAMELLIA128-SHA256", "ECDHE-PSK-CAMELLIA256-SHA384", "AES128-CCM", "AES256-CCM", "AES128-CCM8", "AES256-CCM8", "DHE-RSA-AES128-CCM8", "DHE-RSA-AES256-CCM8", "PSK-AES128-CCM", "PSK-AES256-CCM", "PSK-AES128-CCM8", "PSK-AES256-CCM8", "DHE-PSK-AES128-CCM8", 
"DHE-PSK-AES256-CCM8", "ECDHE-ECDSA-AES128-CCM", "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-CCM8", "ECDHE-ECDSA-AES256-CCM8", "PSK-CHACHA20-POLY1305", "RSA-PSK-CHACHA20-POLY1305"} - some i - weak_ciphers_OpenSSL_Format[i] == aux -} - -# GnuTLS -weakCipher(aux) { - weak_ciphers_GnuTLS_Format := {"TLS_RSA_NULL_MD5", "TLS_RSA_NULL_SHA1", "TLS_RSA_ARCFOUR_128_MD5", "TLS_RSA_ARCFOUR_128_SHA1", "TLS_RSA_3DES_EDE_CBC_SHA1", "TLS_DHE_DSS_3DES_EDE_CBC_SHA1", "TLS_DHE_RSA_3DES_EDE_CBC_SHA1", "TLS_DH_ANON_ARCFOUR_128_MD5", "TLS_DH_ANON_3DES_EDE_CBC_SHA1", "TLS_PSK_NULL_SHA1", "TLS_DHE_PSK_NULL_SHA1", "TLS_RSA_PSK_NULL_SHA1", "TLS_RSA_AES_128_CBC_SHA1", "TLS_DHE_DSS_AES_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA1", "TLS_DH_ANON_AES_128_CBC_SHA1", "TLS_RSA_AES_256_CBC_SHA1", "TLS_DHE_DSS_AES_256_CBC_SHA1", "TLS_DHE_RSA_AES_256_CBC_SHA1", "TLS_DH_ANON_AES_256_CBC_SHA1", "TLS_RSA_NULL_SHA256", "TLS_RSA_AES_128_CBC_SHA256", "TLS_RSA_AES_256_CBC_SHA256", "TLS_DHE_DSS_AES_128_CBC_SHA256", "TLS_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA256", "TLS_DHE_DSS_AES_256_CBC_SHA256", "TLS_DHE_RSA_AES_256_CBC_SHA256", "TLS_DH_ANON_AES_128_CBC_SHA256", "TLS_DH_ANON_AES_256_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA1", "TLS_PSK_ARCFOUR_128_SHA1", "TLS_PSK_3DES_EDE_CBC_SHA1", "TLS_PSK_AES_128_CBC_SHA1", "TLS_PSK_AES_256_CBC_SHA1", "TLS_DHE_PSK_ARCFOUR_128_SHA1", "TLS_DHE_PSK_3DES_EDE_CBC_SHA1", "TLS_DHE_PSK_AES_128_CBC_SHA1", "TLS_DHE_PSK_AES_256_CBC_SHA1", "TLS_RSA_PSK_ARCFOUR_128_SHA1", "TLS_RSA_PSK_3DES_EDE_CBC_SHA1", "TLS_RSA_PSK_AES_128_CBC_SHA1", "TLS_RSA_PSK_AES_256_CBC_SHA1", "TLS_RSA_AES_128_GCM_SHA256", "TLS_RSA_AES_256_GCM_SHA384", "TLS_DHE_DSS_AES_128_GCM_SHA256", "TLS_DHE_DSS_AES_256_GCM_SHA384", "TLS_DH_ANON_AES_128_GCM_SHA256", 
"TLS_DH_ANON_AES_256_GCM_SHA384", "TLS_PSK_AES_128_GCM_SHA256", "TLS_PSK_AES_256_GCM_SHA384", "TLS_RSA_PSK_AES_128_GCM_SHA256", "TLS_RSA_PSK_AES_256_GCM_SHA384", "TLS_PSK_AES_128_CBC_SHA256", "TLS_PSK_AES_256_CBC_SHA384", "TLS_PSK_NULL_SHA256", "TLS_PSK_NULL_SHA384", "TLS_DHE_PSK_AES_128_CBC_SHA256", "TLS_DHE_PSK_AES_256_CBC_SHA384", "TLS_DHE_PSK_NULL_SHA256", "TLS_DHE_PSK_NULL_SHA384", "TLS_RSA_PSK_AES_128_CBC_SHA256", "TLS_RSA_PSK_AES_256_CBC_SHA384", "TLS_RSA_PSK_NULL_SHA256", "TLS_RSA_PSK_NULL_SHA384", "TLS_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA256", "TLS_ECDHE_ECDSA_NULL_SHA1", "TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1", "TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA1", "TLS_ECDHE_RSA_NULL_SHA1", "TLS_ECDHE_RSA_ARCFOUR_128_SHA1", "TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_RSA_AES_128_CBC_SHA1", "TLS_ECDHE_RSA_AES_256_CBC_SHA1", "TLS_ECDH_ANON_NULL_SHA1", "TLS_ECDH_ANON_ARCFOUR_128_SHA1", "TLS_ECDH_ANON_3DES_EDE_CBC_SHA1", "TLS_ECDH_ANON_AES_128_CBC_SHA1", "TLS_ECDH_ANON_AES_256_CBC_SHA1", "TLS_SRP_SHA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_AES_128_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_128_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_128_CBC_SHA1", "TLS_SRP_SHA_AES_256_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_256_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_256_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_ARCFOUR_128_SHA1", "TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA1", "TLS_ECDHE_PSK_AES_256_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_AES_256_CBC_SHA384", 
"TLS_ECDHE_PSK_NULL_SHA1", "TLS_ECDHE_PSK_NULL_SHA256", "TLS_ECDHE_PSK_NULL_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384", "TLS_RSA_CAMELLIA_128_GCM_SHA256", "TLS_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384", "TLS_DH_ANON_CAMELLIA_128_GCM_SHA256", "TLS_DH_ANON_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_GCM_SHA256", "TLS_PSK_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_CBC_SHA256", "TLS_PSK_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_AES_128_CCM", "TLS_RSA_AES_256_CCM", "TLS_RSA_AES_128_CCM_8", "TLS_RSA_AES_256_CCM_8", "TLS_DHE_RSA_AES_128_CCM_8", "TLS_DHE_RSA_AES_256_CCM_8", "TLS_PSK_AES_128_CCM", "TLS_PSK_AES_256_CCM", "TLS_PSK_AES_128_CCM_8", "TLS_PSK_AES_256_CCM_8", "TLS_DHE_PSK_AES_128_CCM_8", "TLS_DHE_PSK_AES_256_CCM_8", "TLS_ECDHE_ECDSA_AES_128_CCM", "TLS_ECDHE_ECDSA_AES_256_CCM", "TLS_ECDHE_ECDSA_AES_128_CCM_8", "TLS_ECDHE_ECDSA_AES_256_CCM_8", "TLS_PSK_CHACHA20_POLY1305", "TLS_RSA_PSK_CHACHA20_POLY1305"} - some i - weak_ciphers_GnuTLS_Format[i] == aux -} diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json index f8479f348cd..8b86e608c30 100644 
--- a/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
+ "descriptionText": "Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue",
 "platform": "Terraform",
 "descriptionID": "e478b54b",
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 94485edd4b4..2b4ea786850 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Redis Cache Allows Non SSL Connections",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "Check if any Redis Cache resource allows non-SSL connections.",
+ "descriptionText": "Redis Cache resource should not allow non-SSL connections.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache",
 "platform": "Terraform",
 "descriptionID": "b7160c8c",
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
index e94ce4ba49f..e8d0e8dabb5 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "HIGH",
 "category": "Observability",
- "descriptionText": "Cloud storage bucket with logging not enabled",
+ "descriptionText": "Cloud storage bucket should have logging enabled",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#log_bucket",
 "platform": "Terraform",
 "descriptionID": "9e9984aa",
diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
index 949f47a9237..accef8e9077 100644
--- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Verifies if Google Container Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
+ "descriptionText": "Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool",
 "platform": "Terraform",
 "descriptionID": "39487293",
diff --git a/docs/commands.md b/docs/commands.md
index d43b2eadcd2..c60857d5d90 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -92,7 +92,7 @@ Flags: -r, --secrets-regexes-path string path to secrets regex rules configuration file --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform) + (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform) Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) diff --git a/docs/dockerhub.md b/docs/dockerhub.md index 44225ddf021..efa8f067f8d 100644 --- a/docs/dockerhub.md +++ b/docs/dockerhub.md @@ -102,7 +102,7 @@ Flags: -r, --secrets-regexes-path string path to secrets regex rules configuration file --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform) + (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform) Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) diff --git a/docs/platforms.md b/docs/platforms.md index af763a06811..208f2723003 100644 --- a/docs/platforms.md +++ b/docs/platforms.md 
@@ -54,6 +54,10 @@ docker run -t -v $PWD/cfn-stack.yaml:/path/cfn-stack.yaml -it checkmarx/kics:lat KICS supports scanning CloudFormation templates with `.json` or `.yaml` extension. +## Crossplane + +KICS supports scanning Crossplane manifests with `.yaml` extension. + ## Azure Blueprints KICS supports scanning Azure Blueprints files, including Azure Blueprints Policy Assignment Artifacts, Azure Blueprints Role Assignment Artifacts, and Azure Blueprints Template Artifacts with `.json` extension. @@ -93,6 +97,10 @@ Platform: Kubernetes ``` +## Knative + +KICS supports scanning Knative manifests with `.yaml` extension. + ## Kubernetes KICS supports scanning Kubernetes manifests with `.yaml` extension. diff --git a/e2e/fixtures/E2E_CLI_010 b/e2e/fixtures/E2E_CLI_010 index c15148f4588..9a81c961927 100644 --- a/e2e/fixtures/E2E_CLI_010 +++ b/e2e/fixtures/E2E_CLI_010 @@ -4,10 +4,12 @@ valid arguments: AzureResourceManager Buildah CloudFormation + Crossplane DockerCompose Dockerfile GRPC GoogleDeploymentManager + Knative Kubernetes OpenAPI Terraform diff --git a/e2e/fixtures/E2E_CLI_013 b/e2e/fixtures/E2E_CLI_013 index e807d5bd93b..64257458626 100644 --- a/e2e/fixtures/E2E_CLI_013 +++ b/e2e/fixtures/E2E_CLI_013 @@ -2,10 +2,12 @@ Ansible AzureResourceManager Buildah CloudFormation +Crossplane DockerCompose Dockerfile GRPC GoogleDeploymentManager +Knative Kubernetes OpenAPI Terraform diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 0ec3c867a67..b14ce35f359 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -51,7 +51,7 @@ Flags: -r, --secrets-regexes-path string path to secrets regex rules configuration file --timeout int number of seconds the query has to execute before being canceled (default 60) -t, --type strings case insensitive list of platform types to scan - (Ansible, AzureResourceManager, Buildah, CloudFormation, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform) + (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform) Global Flags: --ci display only log messages to CLI output (mutually exclusive with silent) diff --git a/e2e/fixtures/schemas/result.json b/e2e/fixtures/schemas/result.json index a21dbdab85f..447685ea486 100644 --- a/e2e/fixtures/schemas/result.json +++ b/e2e/fixtures/schemas/result.json @@ -93,11 +93,13 @@ "AzureResourceManager", "Buildah", "CloudFormation", + "CrossPlane", "Common", "Dockerfile", "DockerCompose", "GRPC", "GoogleDeploymentManager", + "Knative", "Kubernetes", "OpenAPI", "Terraform" diff --git a/e2e/fixtures/schemas/resultBoM.json b/e2e/fixtures/schemas/resultBoM.json index b178b1218e9..520cf8c6927 100644 --- a/e2e/fixtures/schemas/resultBoM.json +++ b/e2e/fixtures/schemas/resultBoM.json @@ -46,11 +46,13 @@ "AzureResourceManager", "Buildah", "CloudFormation", + "CrossPlane", "Common", "Dockerfile", "DockerCompose", "GRPC", "GoogleDeploymentManager", + "Knative", "Kubernetes", "OpenAPI", "Terraform" diff --git a/internal/constants/constants.go b/internal/constants/constants.go index c21a270ef23..7ee44bf95a5 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go 
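Review bot: The value added to what appears to be the platform enum in e2e/fixtures/schemas/result.json is `"CrossPlane"`, while every other place in this commit spells it `"Crossplane"` (internal/constants/constants.go, getPlatform in pkg/engine/source/filesystem.go and the e2e platform lists); e2e/fixtures/schemas/resultBoM.json has the same `"CrossPlane"`. JSON Schema enum matching is case-sensitive, so if the e2e suite validates scan output against these schemas a Crossplane finding would fail validation. Change both entries to `"Crossplane"`.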
@@ -42,8 +42,10 @@ var (
 AvailablePlatforms = map[string]string{
 "Ansible": "ansible",
 "CloudFormation": "cloudFormation",
+ "Crossplane": "crossplane",
 "Dockerfile": "dockerfile",
 "DockerCompose": "dockerCompose",
+ "Knative": "knative",
 "Kubernetes": "k8s",
 "OpenAPI": "openAPI",
 "Terraform": "terraform",
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index cd2939e7f26..deaa3e84e2a 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -55,6 +55,8 @@ var (
 buildahRegex = regexp.MustCompile(`\s*buildah\s*from\s*\w+`)
 dockerComposeVersionRegex = regexp.MustCompile(`\s*version\s*:`)
 dockerComposeServicesRegex = regexp.MustCompile(`\s*services\s*:`)
+ crossPlaneRegex = regexp.MustCompile(`\s*\"?apiVersion\"?\s*:\s*(\w+\.)+crossplane\.io/v\w+\s*`)
+ knativeRegex = regexp.MustCompile(`\s*\"?apiVersion\"?\s*:\s*(\w+\.)+knative\.dev/v\w+\s*`)
 )
 
 var (
@@ -78,7 +80,9 @@ var (
 "azureresourcemanager": append(armRegexTypes, arm),
 "buildah": {"buildah"},
 "cloudformation": {"cloudformation"},
+ "crossplane": {"crossplane"},
 "dockercompose": {"dockercompose"},
+ "knative": {"knative"},
 "kubernetes": {"kubernetes"},
 "openapi": {"openapi"},
 "terraform": {"terraform", "cdkTf"},
@@ -97,6 +101,8 @@ const (
 ansible = "ansible"
 grpc = "grpc"
 dockerfile = "dockerfile"
+ crossplane = "crossplane"
+ knative = "knative"
 )
 
 // regexSlice is a struct to contain a slice of regex
@@ -124,6 +130,18 @@ var types = map[string]regexSlice{
 k8sRegexKind,
 },
 },
+ "crossplane": {
+ regex: []*regexp.Regexp{
+ crossPlaneRegex,
+ k8sRegexKind,
+ },
+ },
+ "knative": {
+ regex: []*regexp.Regexp{
+ knativeRegex,
+ k8sRegexKind,
+ },
+ },
 "cloudformation": {
 regex: []*regexp.Regexp{
 cloudRegex,
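Review bot: `crossPlaneRegex` and `knativeRegex` tolerate an optionally quoted key (`\"?apiVersion\"?`) but require the value to start directly with `(\w+\.)+`, so a manifest written as `apiVersion: "serving.knative.dev/v1"` (a valid YAML quoted scalar) is not recognised as knative and, given the `k8sRegexKind` match, presumably falls through to plain kubernetes. If quoting the key is meant to be tolerated the value should tolerate it too: `\s*\"?apiVersion\"?\s*:\s*\"?(\w+\.)+knative\.dev/v\w+\"?\s*`, and the same for crossplane. `\w` also excludes `-`, so an API group with a hyphenated subdomain would never match; that may be fine today, but a one-line comment above the two regexes stating the assumption would save the next reader a debugging session.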
@@ -332,6 +350,8 @@ func isDockerfile(path string) bool {
 func needsOverride(check bool, returnType, key, ext string) bool {
 if check && returnType == kubernetes && key == arm && ext == json {
 return true
+ } else if check && returnType == kubernetes && (key == knative || key == crossplane) && ext == yaml {
+ return true
 }
 return false
 }
diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go
index 4e0e6fc7390..25b271a4fd2 100644
--- a/pkg/analyzer/analyzer_test.go
+++ b/pkg/analyzer/analyzer_test.go
@@ -19,7 +19,7 @@ func TestAnalyzer_Analyze(t *testing.T) {
 {
 name: "analyze_test_dir_single_path",
 paths: []string{filepath.FromSlash("../../test/fixtures/analyzer_test")},
- wantTypes: []string{"dockerfile", "googledeploymentmanager", "cloudformation", "kubernetes", "openapi", "terraform", "ansible", "azureresourcemanager", "dockercompose"},
+ wantTypes: []string{"dockerfile", "googledeploymentmanager", "cloudformation", "crossplane", "knative", "kubernetes", "openapi", "terraform", "ansible", "azureresourcemanager", "dockercompose"},
 wantExclude: []string{},
 wantErr: false,
 },
diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
index d18fdac0a00..8a165719894 100644
--- a/pkg/engine/source/filesystem.go
+++ b/pkg/engine/source/filesystem.go
@@ -414,10 +414,14 @@ func getPlatform(metadataPlatform string) string {
 return "cloudFormation"
 case "Common":
 return "common"
+ case "Crossplane":
+ return "crossplane"
 case "Dockerfile":
 return "dockerfile"
 case "DockerCompose":
 return "dockerCompose"
+ case "Knative":
+ return "knative"
 case "Kubernetes":
 return "k8s"
 case "OpenAPI":
diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go
index a7a80bed353..61f23fa9dcb 100644
--- a/pkg/engine/source/filesystem_test.go
+++ b/pkg/engine/source/filesystem_test.go
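Review bot: The new branch in `needsOverride` is an `else if` hanging off a branch that already returns, which gofmt accepts but revive/golint reports ("if block ends with a return statement, so drop this else"), and with both branches returning `true` the function is now two conditions that differ only in the `key`/`ext` pair. I would collapse the body to `return check && returnType == kubernetes && ((key == arm && ext == json) || ((key == knative || key == crossplane) && ext == yaml))`. Separately, the override only fires for `ext == yaml`; if that constant denotes only the `.yaml` extension, Knative and Crossplane manifests saved as `.yml` would keep the Kubernetes type, which is worth confirming against how `ext` is derived by the caller. The whole of `needsOverride` is visible in this hunk.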
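Review bot: The two new cases in `getPlatform` repeat the same `"Crossplane"`→`"crossplane"` and `"Knative"`→`"knative"` pairs that this patch also adds to `AvailablePlatforms` in internal/constants/constants.go, so the switch and the map now have to be kept in sync by hand (and `TestListSupportedPlatforms` carries the list a third time). If `constants.AvailablePlatforms` is importable from this package without a cycle, a lookup such as `if v, ok := constants.AvailablePlatforms[metadataPlatform]; ok { return v }` ahead of the switch would cover every platform present in the map and leave only the values it lacks, such as `"Common"`, as explicit cases. `getPlatform` starts and ends outside this hunk, so I cannot see its default branch.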
@@ -637,10 +637,12 @@ func TestListSupportedPlatforms(t *testing.T) {
 "AzureResourceManager",
 "Buildah",
 "CloudFormation",
+ "Crossplane",
 "Dockerfile",
 "DockerCompose",
 "GRPC",
 "GoogleDeploymentManager",
+ "Knative",
 "Kubernetes",
 "OpenAPI",
 "Terraform",
diff --git a/pkg/parser/yaml/parser.go b/pkg/parser/yaml/parser.go
index 972776ca644..0597fc1a8f4 100644
--- a/pkg/parser/yaml/parser.go
+++ b/pkg/parser/yaml/parser.go
@@ -102,6 +102,8 @@ func (p *Parser) SupportedTypes() map[string]bool {
 "ansible": true,
 "cloudformation": true,
 "kubernetes": true,
+ "crossplane": true,
+ "knative": true,
 "openapi": true,
 "googledeploymentmanager": true,
 "dockercompose": true,
diff --git a/pkg/parser/yaml/parser_test.go b/pkg/parser/yaml/parser_test.go
index f4bd330fbdd..b8af20318b7 100644
--- a/pkg/parser/yaml/parser_test.go
+++ b/pkg/parser/yaml/parser_test.go
@@ -29,7 +29,9 @@ func TestParser_SupportedTypes(t *testing.T) {
 require.Equal(t, map[string]bool{
 "ansible": true,
 "cloudformation": true,
+ "crossplane": true,
 "kubernetes": true,
+ "knative": true,
 "openapi": true,
 "googledeploymentmanager": true,
 "dockercompose": true,
diff --git a/res/demoKnative.yaml b/res/demoKnative.yaml
new file mode 100644
index 00000000000..2cf3a9a63f9
--- /dev/null
+++ b/res/demoKnative.yaml
@@ -0,0 +1,15 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+ name: autoscale-go
+ namespace: default
+spec:
+ template:
+ metadata:
+ annotations:
+ # Standard Kubernetes CPU-based autoscaling.
+ autoscaling.knative.dev/class: hpa.autoscaling.knative.dev
+ autoscaling.knative.dev/metric: cpu
+ spec:
+ containers:
+ - image: gcr.io/knative-samples/autoscale-go:0.1
diff --git a/test/fixtures/analyzer_test/crossplane.yaml b/test/fixtures/analyzer_test/crossplane.yaml
new file mode 100644
index 00000000000..d6ddba9d05d
--- /dev/null
+++ b/test/fixtures/analyzer_test/crossplane.yaml
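Review bot: `res/demoKnative.yaml` is byte-identical to `test/fixtures/analyzer_test/knative.yaml` added later in this patch (both carry blob `2cf3a9a63f9`), and the commit description says the Crossplane demo file was removed, so it is unclear whether this Knative demo is meant to ship under `res/`. If it exists only to exercise the analyzer, dropping it avoids two copies drifting apart; if it is a user-facing sample, a leading comment such as `# Sample Knative Service used to demonstrate Knative scanning; the image is the upstream knative-samples autoscale-go demo` would make that intent explicit.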
@@ -0,0 +1,10 @@
+apiVersion: aws.stacks.crossplane.io/v1alpha1
+kind: AWSSample
+metadata:
+ name: test
+spec:
+ region: us-west-2
+ credentialsSecretRef:
+ name: aws-account-creds
+ namespace: crossplane-system
+ key: credentials
diff --git a/test/fixtures/analyzer_test/knative.yaml b/test/fixtures/analyzer_test/knative.yaml
new file mode 100644
index 00000000000..2cf3a9a63f9
--- /dev/null
+++ b/test/fixtures/analyzer_test/knative.yaml
@@ -0,0 +1,15 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+ name: autoscale-go
+ namespace: default
+spec:
+ template:
+ metadata:
+ annotations:
+ # Standard Kubernetes CPU-based autoscaling.
+ autoscaling.knative.dev/class: hpa.autoscaling.knative.dev
+ autoscaling.knative.dev/metric: cpu
+ spec:
+ containers:
+ - image: gcr.io/knative-samples/autoscale-go:0.1
diff --git a/test/main_test.go b/test/main_test.go
index 50f23899b6b..c213093a3d0 100644
--- a/test/main_test.go
+++ b/test/main_test.go
@@ -27,14 +27,18 @@ import (
 var (
 queriesPaths = map[string]model.QueryConfig{
- "../assets/queries/terraform/aws_bom": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/aws": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/azure": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/gcp": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/github": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/kubernetes": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/general": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
- "../assets/queries/terraform/alicloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/aws_bom": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/aws": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/azure": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/gcp": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/github": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/kubernetes": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/general": {FileKind: []model.FileKind{model.KindTerraform, 
model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/terraform/alicloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+ "../assets/queries/crossplane/aws": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
+ "../assets/queries/crossplane/azure": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
+ "../assets/queries/crossplane/gcp": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
+ //"../assets/queries/knative": {FileKind: []model.FileKind{model.KindYAML}, Platform: "knative"},
 "../assets/queries/k8s": {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "k8s"},
 "../assets/queries/cloudFormation/aws": {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "cloudFormation"},
 "../assets/queries/cloudFormation/aws_bom": {FileKind: []model.FileKind{model.KindYAML, model.KindJSON}, Platform: "cloudFormation"},