From fe8785dff9a47f51da6d00849325fac4ac192b61 Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 11 Jun 2025 13:39:41 +0100 Subject: [PATCH 1/6] feat: Add initial Containers support --- ql/lib/codeql/bicep/Frameworks.qll | 1 + .../bicep/frameworks/Microsoft/Containers.qll | 198 ++++++++++++++++++ .../bicep/frameworks/Microsoft/Network.qll | 57 ++--- 3 files changed, 228 insertions(+), 28 deletions(-) create mode 100644 ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll diff --git a/ql/lib/codeql/bicep/Frameworks.qll b/ql/lib/codeql/bicep/Frameworks.qll index 932d795..9f3b65b 100644 --- a/ql/lib/codeql/bicep/Frameworks.qll +++ b/ql/lib/codeql/bicep/Frameworks.qll @@ -1,5 +1,6 @@ import frameworks.Microsoft.Cache import frameworks.Microsoft.Compute +import frameworks.Microsoft.Containers import frameworks.Microsoft.General import frameworks.Microsoft.Network import frameworks.Microsoft.Storage diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll new file mode 100644 index 0000000..62103ca --- /dev/null +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll 
@@ -0,0 +1,198 @@
+private import bicep
+
+module Containers {
+ /**
+ * Represents a Microsoft.ContainerApp/containerApps resource.
+ * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.app/containerapps
+ */
+ class ContainerResource extends Resource {
+ /**
+ * Constructs a ContainerResource for Microsoft.App/containerApps resources.
+ */
+ ContainerResource() { this.getResourceType().regexpMatch("^Microsoft.App/containerApps@.*") }
+
+ /**
+ * Returns the properties object for the container app resource.
+ */
+ ContainerProperties::Properties getProperties() { result = this.getProperty("properties") }
+
+ ContainerProperties::ContainerConfiguration getConfiguration() {
+ result = this.getProperties().getConfiguration()
+ }
+
+ ContainerProperties::ContainerTemplate getTemplate() {
+ result = this.getProperties().getTemplate()
+ }
+
+ ContainerProperties::ContainerApp getContainers() {
+ result = this.getTemplate().getContainers()
+ }
+
+ ContainerProperties::ContainerApp getContainer(int index) {
+ result = this.getTemplate().getContainer(index)
+ }
+
+ /**
+ * Returns a string representation of the container app resource.
+ */
+ override string toString() { result = "ContainerResource" }
+ }
+
+ module ContainerProperties {
+ /**
+ * Represents the properties object for a container app resource.
+ */
+ class Properties extends Object {
+ private ContainerResource containerResource;
+
+ /**
+ * Constructs a Properties object for the given container app resource.
+ */
+ Properties() { this = containerResource.getProperty("properties") }
+
+ /**
+ * Returns the parent ContainerResource.
+ */
+ ContainerResource getContainerResource() { result = containerResource }
+
+ /**
+ * Returns the configuration property.
+ */
+ ContainerConfiguration getConfiguration() { result = this.getProperty("configuration") }
+
+ ContainerTemplate getTemplate() { result = this.getProperty("template") }
+
+ string toString() { result = "ContainerProperties" }
+ }
+
+ class ContainerConfiguration extends Object {
+ private Properties properties;
+
+ /**
+ * Constructs a Configuration object for the given properties.
+ */
+ ContainerConfiguration() { this = properties.getProperty("configuration") }
+
+ Network::Ingress getNetworkIngress() { result = this.getProperty("ingress") }
+
+ ContainerSecret getSecrets() { result = this.getProperty("secrets").(Array).getElements() }
+
+ StringLiteral getActiveRevisionsMode() { result = this.getProperty("activeRevisionsMode") }
+
+ string activeRevisionsMode() { result = this.getActiveRevisionsMode().getValue() }
+
+ /**
+ * Returns the template property.
+ */
+ Expr getTemplate() { result = this.getProperty("template") }
+
+ string toString() { result = "ContainerConfiguration" }
+ }
+
+ class ContainerSecret extends Object {
+ private ContainerConfiguration configuration;
+
+ /**
+ * Constructs a ContainerSecret for the given configuration.
+ */
+ ContainerSecret() { this = configuration.getProperty("secrets").(Array).getElements() }
+
+ /**
+ * Returns the name of the secret.
+ */
+ StringLiteral getName() { result = this.getProperty("name") }
+
+ /**
+ * Returns the value of the secret.
+ */
+ StringLiteral getValue() { result = this.getProperty("value") }
+
+ string toString() { result = "ContainerSecret" }
+ }
+
+ class ContainerTemplate extends Object {
+ private Properties properties;
+
+ /**
+ * Constructs a ContainerTemplate for the given properties.
+ */
+ ContainerTemplate() { this = properties.getProperty("template") }
+
+ /**
+ * Returns the container app template.
+ */
+ Expr getContainerAppTemplate() { result = this.getProperty("containerAppTemplate") }
+
+ /**
+ * Returns the container app template's containers.
+ */
+ ContainerApp getContainers() { result = this.getProperty("containers").(Array).getElements() }
+
+ ContainerApp getContainer(int index) {
+ result = this.getProperty("containers").(Array).getElement(index)
+ }
+
+ string toString() { result = "ContainerTemplate" }
+ }
+
+ class ContainerApp extends Object {
+ private ContainerTemplate template;
+
+ ContainerApp() { this = template.getProperty("containers").(Array).getElements() }
+
+ ContainerTemplate getContainerTemplate() { result = template }
+
+ StringLiteral getName() { result = this.getProperty("name") }
+
+ StringLiteral getImage() { result = this.getProperty("image") }
+
+ ContainerResources getResources() { result = this.getProperty("resources") }
+
+ ContainerEnv getEnvs() { result = this.getProperty("env").(Array).getElements() }
+
+ ContainerEnv getEnv(string name) {
+ exists(ContainerEnv env |
+ env = this.getEnvs() and
+ env.getName().getValue() = name
+ |
+ result = env
+ )
+ }
+
+ string toString() { result = "ContainerProperty" }
+ }
+
+ class ContainerResources extends Object {
+ private ContainerApp container;
+
+ ContainerResources() { this = container.getProperty("resources") }
+
+ /**
+ * Returns the properties object for the container resource.
+ */
+ ContainerProperties::Properties getContainerProperties() {
+ result = this.getProperty("properties")
+ }
+
+ Literals getCpu() { result = this.getProperty("cpu") }
+
+ StringLiteral getMemory() { result = this.getProperty("memory") }
+
+ string toString() { result = "ContainerResourceProperties" }
+ }
+
+ class ContainerEnv extends Object {
+ private ContainerApp container;
+
+ ContainerEnv() { this = container.getProperty("env").(Array).getElements() }
+
+ ContainerApp getContainer() { result = container }
+
+ StringLiteral getName() { result = this.getProperty("name") }
+
+ StringLiteral getValue() { result = this.getProperty("value") }
+
+ string toString() { result = "ContainerEnv" }
+ }
+ }
+}
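Review bot: `ContainerEnv` exposes only `getName()` and `getValue()`, so a query over this model cannot tell an environment variable with an inline value from one that references a stored secret; the `app.bicep` fixture added in the next patch sets `secretRef: 'my-secret'` on `ENV_VAR_2` and no predicate reads that key. Add `StringLiteral getSecretRef() { result = this.getProperty("secretRef") }` next to `getValue()`, with a QLDoc line saying it names an entry of the configuration's `secrets` array. Separately, the class comment on `ContainerResource` says `Microsoft.ContainerApp/containerApps` while the characteristic predicate matches `Microsoft.App/containerApps`, and the dot in that pattern is unescaped, so `"^Microsoft\\.App/containerApps@.*"` would state the intent exactly. `ContainerResources.getContainerProperties()` reads a `properties` key from the `resources` object and types it as `ContainerProperties::Properties`, which looks like a copy-paste leftover and probably never has a result; confirm and drop it.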
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll index 01f1522..5d9d57f 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll @@ -112,7 +112,6 @@ module Network { } } - class NetworkAcl extends Object { private Resource resource; 
@@ -125,47 +124,49 @@ module Network { Resource getResource() { result = resource } - StringLiteral getBypass() { - result = this.getProperty("bypass") - } + StringLiteral getBypass() { result = this.getProperty("bypass") } - string bypass() { - result = this.getBypass().getValue() - } + string bypass() { result = this.getBypass().getValue() } - StringLiteral getDefaultAction() { - result = this.getProperty("defaultAction") - } + StringLiteral getDefaultAction() { result = this.getProperty("defaultAction") } - string defaultAction() { - result = this.getDefaultAction().getValue() - } + string defaultAction() { result = this.getDefaultAction().getValue() } - IpRule getIpRules() { - result = this.getProperty("ipRules").(Array).getElements() - } + IpRule getIpRules() { result = this.getProperty("ipRules").(Array).getElements() } - string toString() { - result = "Network ACL" - } + string toString() { result = "Network ACL" } } class IpRule extends Object { private NetworkAcl acl; - IpRule() { - this = acl.getProperty("ipRules").(Array).getElements() - } + IpRule() { this = acl.getProperty("ipRules").(Array).getElements() } NetworkAcl getNetworkAcl() { result = acl } - StringLiteral getValue() { - result = this.getProperty("value") - } + StringLiteral getValue() { result = this.getProperty("value") } - string toString() { - result = "IP Rule" - } + string toString() { result = "IP Rule" } + } + + class Ingress extends Object { + private Object properties; + + Ingress() { this = properties.getProperty("ingress") } + + Boolean getExternal() { result = this.getProperty("external") } + + boolean external() { result = this.getExternal().(Boolean).getBool() } + + Number getTargetPort() { result = this.getProperty("targetPort") } + + int targetPort() { result = this.getTargetPort().getValue() } + + StringLiteral getTransport() { result = this.getProperty("transport") } + + string transport() { result = this.getTransport().getValue() } + + string toString() { result = 
"NetworkIngress" } } module VirtualNetworkProperties { From 9528d2116a7b9bfe9b84ec28b8ea6572f4765551 Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 11 Jun 2025 13:39:52 +0100 Subject: [PATCH 2/6] feat(test): Add container tests --- .../frameworks/containers/Containers.expected | 1 + .../frameworks/containers/Containers.ql | 3 + .../frameworks/containers/app.bicep | 58 +++++++++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 ql/test/library-tests/frameworks/containers/Containers.expected create mode 100644 ql/test/library-tests/frameworks/containers/Containers.ql create mode 100644 ql/test/library-tests/frameworks/containers/app.bicep diff --git a/ql/test/library-tests/frameworks/containers/Containers.expected b/ql/test/library-tests/frameworks/containers/Containers.expected new file mode 100644 index 0000000..6d1fa39 --- /dev/null +++ b/ql/test/library-tests/frameworks/containers/Containers.expected @@ -0,0 +1 @@ +| app.bicep:2:1:58:1 | ContainerResource | diff --git a/ql/test/library-tests/frameworks/containers/Containers.ql b/ql/test/library-tests/frameworks/containers/Containers.ql new file mode 100644 index 0000000..2c28362 --- /dev/null +++ b/ql/test/library-tests/frameworks/containers/Containers.ql @@ -0,0 +1,3 @@ +import bicep + +query predicate containers(Containers::ContainerResource container) { any() } diff --git a/ql/test/library-tests/frameworks/containers/app.bicep b/ql/test/library-tests/frameworks/containers/app.bicep new file mode 100644 index 0000000..8d2ffd2 --- /dev/null +++ b/ql/test/library-tests/frameworks/containers/app.bicep 
@@ -0,0 +1,58 @@ +// Example Bicep file for a Container App with various settings +resource myContainerApp 'Microsoft.App/containerApps@2022-03-01' = { + name: 'my-container-app' + location: 'eastus' + properties: { + managedEnvironmentId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.App/managedEnvironments/my-env' + configuration: { + ingress: { + external: true + targetPort: 80 + transport: 'auto' + } + secrets: [ + { + name: 'my-secret' + value: 'supersecretvalue' + } + ] + activeRevisionsMode: 'Multiple' + } + template: { + containers: [ + { + name: 'myapp' + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + resources: { + cpu: 0.5 + memory: '1.0Gi' + } + env: [ + { + name: 'ENV_VAR_1' + value: 'value1' + } + { + name: 'ENV_VAR_2' + secretRef: 'my-secret' + } + ] + } + ] + scale: { + minReplicas: 1 + maxReplicas: 5 + rules: [ + { + name: 'http-scaling' + http: { + metadata: { + concurrentRequests: '50' + } + } + } + ] + } + } + } +} From 4688c1d8e425111bbdbab0001e0c35a236e2c716 Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 11 Jun 2025 14:05:44 +0100 Subject: [PATCH 3/6] feat(docs): Update the docs --- .../bicep/frameworks/Microsoft/Containers.qll | 92 ++++++++++++++++++- 1 file changed, 91 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll index 62103ca..d24a7bb 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll 
@@ -16,18 +16,30 @@ module Containers { */ ContainerProperties::Properties getProperties() { result = this.getProperty("properties") } + /** + * Returns the configuration object for the container app resource. + */ ContainerProperties::ContainerConfiguration getConfiguration() { result = this.getProperties().getConfiguration() } + /** + * Returns the template object for the container app resource. + */ ContainerProperties::ContainerTemplate getTemplate() { result = this.getProperties().getTemplate() } + /** + * Returns the containers defined in the template. + */ ContainerProperties::ContainerApp getContainers() { result = this.getTemplate().getContainers() } + /** + * Returns a specific container by index from the template. + */ ContainerProperties::ContainerApp getContainer(int index) { result = this.getTemplate().getContainer(index) } @@ -60,11 +72,17 @@ module Containers { */ ContainerConfiguration getConfiguration() { result = this.getProperty("configuration") } + /** + * Returns the template property. + */ ContainerTemplate getTemplate() { result = this.getProperty("template") } string toString() { result = "ContainerProperties" } } + /** + * Represents the configuration object for a container app resource. + */ class ContainerConfiguration extends Object { private Properties properties; 
@@ -73,12 +91,24 @@ module Containers { */ ContainerConfiguration() { this = properties.getProperty("configuration") } + /** + * Returns the network ingress configuration. + */ Network::Ingress getNetworkIngress() { result = this.getProperty("ingress") } + /** + * Returns the secrets defined in the configuration. + */ ContainerSecret getSecrets() { result = this.getProperty("secrets").(Array).getElements() } + /** + * Returns the active revisions mode as a StringLiteral. + */ StringLiteral getActiveRevisionsMode() { result = this.getProperty("activeRevisionsMode") } + /** + * Returns the active revisions mode as a string. + */ string activeRevisionsMode() { result = this.getActiveRevisionsMode().getValue() } /** @@ -89,6 +119,9 @@ module Containers { string toString() { result = "ContainerConfiguration" } } + /** + * Represents a secret defined in the container app configuration. + */ class ContainerSecret extends Object { private ContainerConfiguration configuration; @@ -110,6 +143,9 @@ module Containers { string toString() { result = "ContainerSecret" } } + /** + * Represents the template object for a container app resource. + */ class ContainerTemplate extends Object { private Properties properties; @@ -124,10 +160,13 @@ module Containers { Expr getContainerAppTemplate() { result = this.getProperty("containerAppTemplate") } /** - * Returns the container app template's containers. + * Returns the containers defined in the template. */ ContainerApp getContainers() { result = this.getProperty("containers").(Array).getElements() } + /** + * Returns a specific container by index from the template. + */ ContainerApp getContainer(int index) { result = this.getProperty("containers").(Array).getElement(index) } 
@@ -135,21 +174,45 @@ module Containers { string toString() { result = "ContainerTemplate" } } + /** + * Represents a container defined in the container app template. + */ class ContainerApp extends Object { private ContainerTemplate template; + /** + * Constructs a ContainerApp for the given template. + */ ContainerApp() { this = template.getProperty("containers").(Array).getElements() } + /** + * Returns the parent ContainerTemplate. + */ ContainerTemplate getContainerTemplate() { result = template } + /** + * Returns the name of the container. + */ StringLiteral getName() { result = this.getProperty("name") } + /** + * Returns the image of the container. + */ StringLiteral getImage() { result = this.getProperty("image") } + /** + * Returns the resources object for the container. + */ ContainerResources getResources() { result = this.getProperty("resources") } + /** + * Returns the environment variables defined for the container. + */ ContainerEnv getEnvs() { result = this.getProperty("env").(Array).getElements() } + /** + * Returns a specific environment variable by name. + */ ContainerEnv getEnv(string name) { exists(ContainerEnv env | env = this.getEnvs() and @@ -162,9 +225,15 @@ module Containers { string toString() { result = "ContainerProperty" } } + /** + * Represents the resources object for a container. + */ class ContainerResources extends Object { private ContainerApp container; + /** + * Constructs a ContainerResources object for the given container. + */ ContainerResources() { this = container.getProperty("resources") } /** 
@@ -174,22 +243,43 @@ module Containers { result = this.getProperty("properties") } + /** + * Returns the CPU resource allocation. + */ Literals getCpu() { result = this.getProperty("cpu") } + /** + * Returns the memory resource allocation. + */ StringLiteral getMemory() { result = this.getProperty("memory") } string toString() { result = "ContainerResourceProperties" } } + /** + * Represents an environment variable defined for a container. + */ class ContainerEnv extends Object { private ContainerApp container; + /** + * Constructs a ContainerEnv for the given container. + */ ContainerEnv() { this = container.getProperty("env").(Array).getElements() } + /** + * Returns the parent ContainerApp. + */ ContainerApp getContainer() { result = container } + /** + * Returns the name of the environment variable. + */ StringLiteral getName() { result = this.getProperty("name") } + /** + * Returns the value of the environment variable. + */ StringLiteral getValue() { result = this.getProperty("value") } string toString() { result = "ContainerEnv" } From c428ab5015e4190d8342a41fa0d8a494f653e193 Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 11 Jun 2025 14:35:25 +0100 Subject: [PATCH 4/6] feat: Add Network CORS --- .../bicep/frameworks/Microsoft/Network.qll | 38 +++++++++++++++++++ .../frameworks/containers/app.bicep | 20 ++++++++++ 2 files changed, 58 insertions(+) diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll index 5d9d57f..e7fab42 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll 
@@ -166,9 +166,47 @@ module Network { string transport() { result = this.getTransport().getValue() } + CorsPolicy getCorsPolicy() { result = this.getProperty("corsPolicy") } + + Boolean getAllowInsecure() { result = this.getProperty("allowInsecure") } + + boolean allowInsecure() { result = this.getAllowInsecure().getBool() } + string toString() { result = "NetworkIngress" } } + class CorsPolicy extends Object { + private Object properties; + + CorsPolicy() { this = properties.getProperty("corsPolicy") } + + Boolean getAllowCredentials() { + result = this.getProperty("allowCredentials") + } + + boolean allowCredentials() { result = this.getAllowCredentials().getBool() } + + Array getAllowedOrigins() { + result = this.getProperty("allowedOrigins") + } + + Array getAllowedMethods() { + result = this.getProperty("allowedMethods") + } + + Array getAllowedHeaders() { + result = this.getProperty("allowedHeaders") + } + + Array getExposedHeaders() { + result = this.getProperty("exposedHeaders") + } + + Number getMaxAge() { result = this.getProperty("maxAge") } + + string toString() { result = "CorsPolicy" } + } + module VirtualNetworkProperties { /** * The properties object for the Microsoft.Network/virtualNetworks/subnets type. diff --git a/ql/test/library-tests/frameworks/containers/app.bicep b/ql/test/library-tests/frameworks/containers/app.bicep index 8d2ffd2..c7a7e30 100644 --- a/ql/test/library-tests/frameworks/containers/app.bicep +++ b/ql/test/library-tests/frameworks/containers/app.bicep @@ -9,6 +9,26 @@ resource myContainerApp 'Microsoft.App/containerApps@2022-03-01' = { external: true targetPort: 80 transport: 'auto' + corsPolicy: { + allowCredentials: true + allowedOrigins: [ + 'https://example.com' + 'https://another.com' + ] + allowedMethods: [ + 'GET' + 'POST' + 'OPTIONS' + ] + allowedHeaders: [ + 'Authorization' + 'Content-Type' + ] + exposeHeaders: [ + 'X-Custom-Header' + ] + maxAge: 3600 + } } secrets: [ { 
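Review bot: `getExposedHeaders()` reads the key `exposedHeaders`, but the `corsPolicy` block added to `app.bicep` in this same patch spells it `exposeHeaders`, so on that fixture the predicate has no result. The fixture's spelling appears to be the one the resource schema uses (confirm against the linked template reference), in which case the body should be `result = this.getProperty("exposeHeaders")`; the QLDoc added for this predicate in the following docs patch repeats the `exposedHeaders` spelling and needs the same change. `CorsPolicy`, like `Ingress` in the first patch, is characterised through `private Object properties`, so every object stored under a `corsPolicy` key of any object is a member; if that breadth is intended, state it in the class comment, otherwise reach the policy only through `Ingress.getCorsPolicy()`. The `Ingress` class body starts outside this hunk.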
From ef730462b7f7356a78606c6fc9335716e6dc4e3b Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 11 Jun 2025 14:36:32 +0100 Subject: [PATCH 5/6] feat(docs): Update docs --- .../bicep/frameworks/Microsoft/Network.qll | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll index e7fab42..85e2d58 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll 
@@ -149,59 +149,121 @@ module Network { string toString() { result = "IP Rule" } } + /** + * Represents the ingress configuration for a resource (e.g., container app). + * Provides access to ingress properties such as external, targetPort, transport, CORS policy, and allowInsecure. + */ class Ingress extends Object { private Object properties; + /** + * Constructs an Ingress object for the given properties. + */ Ingress() { this = properties.getProperty("ingress") } + /** + * Returns the 'external' property as a Boolean. + */ Boolean getExternal() { result = this.getProperty("external") } + /** + * Returns the 'external' property as a boolean. + */ boolean external() { result = this.getExternal().(Boolean).getBool() } + /** + * Returns the 'targetPort' property as a Number. + */ Number getTargetPort() { result = this.getProperty("targetPort") } + /** + * Returns the 'targetPort' property as an int. + */ int targetPort() { result = this.getTargetPort().getValue() } + /** + * Returns the 'transport' property as a StringLiteral. + */ StringLiteral getTransport() { result = this.getProperty("transport") } + /** + * Returns the 'transport' property as a string. + */ string transport() { result = this.getTransport().getValue() } + /** + * Returns the 'corsPolicy' property as a CorsPolicy object. + */ CorsPolicy getCorsPolicy() { result = this.getProperty("corsPolicy") } + /** + * Returns the 'allowInsecure' property as a Boolean. + */ Boolean getAllowInsecure() { result = this.getProperty("allowInsecure") } + /** + * Returns the 'allowInsecure' property as a boolean. + */ boolean allowInsecure() { result = this.getAllowInsecure().getBool() } string toString() { result = "NetworkIngress" } } + /** + * Represents a CORS policy for ingress. + * Provides access to CORS-related properties such as allowCredentials, allowedOrigins, allowedMethods, allowedHeaders, exposedHeaders, and maxAge. 
+ */ class CorsPolicy extends Object { private Object properties; + /** + * Constructs a CorsPolicy object for the given properties. + */ CorsPolicy() { this = properties.getProperty("corsPolicy") } + /** + * Returns the 'allowCredentials' property as a Boolean. + */ Boolean getAllowCredentials() { result = this.getProperty("allowCredentials") } + /** + * Returns the 'allowCredentials' property as a boolean. + */ boolean allowCredentials() { result = this.getAllowCredentials().getBool() } + /** + * Returns the 'allowedOrigins' property as an array of StringLiterals. + */ Array getAllowedOrigins() { result = this.getProperty("allowedOrigins") } + /** + * Returns the 'allowedMethods' property as an array of StringLiterals. + */ Array getAllowedMethods() { result = this.getProperty("allowedMethods") } + /** + * Returns the 'allowedHeaders' property as an array of StringLiterals. + */ Array getAllowedHeaders() { result = this.getProperty("allowedHeaders") } + /** + * Returns the 'exposedHeaders' property as an array of StringLiterals. + */ Array getExposedHeaders() { result = this.getProperty("exposedHeaders") } + /** + * Returns the 'maxAge' property as a Number. + */ Number getMaxAge() { result = this.getProperty("maxAge") } string toString() { result = "CorsPolicy" } From fae45de38005444c223f25c44c21ce458563d379 Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 11 Jun 2025 15:49:02 +0100 Subject: [PATCH 6/6] feat: Update Containers --- ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll | 8 ++++++++ .../frameworks/containers/Containers.expected | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll index d24a7bb..3c89e35 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll 
@@ -44,6 +44,14 @@ module Containers { result = this.getTemplate().getContainer(index) } + Network::Ingress getNetworkIngress() { + result = this.getConfiguration().getNetworkIngress() + } + + Network::CorsPolicy getCorsPolicy() { + result = this.getNetworkIngress().getCorsPolicy() + } + /** * Returns a string representation of the container app resource. */ diff --git a/ql/test/library-tests/frameworks/containers/Containers.expected b/ql/test/library-tests/frameworks/containers/Containers.expected index 6d1fa39..1d65732 100644 --- a/ql/test/library-tests/frameworks/containers/Containers.expected +++ b/ql/test/library-tests/frameworks/containers/Containers.expected @@ -1 +1 @@ -| app.bicep:2:1:58:1 | ContainerResource | +| app.bicep:2:1:78:1 | ContainerResource |
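Review bot: `getNetworkIngress()` and `getCorsPolicy()` are added to `ContainerResource` without QLDoc, while the earlier docs patch documented every other accessor on the class; add `/** Returns the ingress configuration of the container app. */` and `/** Returns the CORS policy of the ingress configuration. */`. Neither predicate is exercised by the library test: `Containers.ql` still contains only the `containers` predicate, and the `Containers.expected` change in this patch appears to only track the fixture's new end line (58 to 78). A predicate such as `query predicate ingress(Containers::ContainerResource c, Network::Ingress i) { i = c.getNetworkIngress() }` would pin the new accessors, and a matching one for `getCorsPolicy()` would catch a wrong property key. The `ContainerResource` class starts and ends outside this hunk.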