Merge pull request #34 from niamccash/adding-contrib-checks-into-scoped-app

Adding contrib checks into scoped app

Author: earlduque

Update set description should not be empty

@@ -1 +1 @@
-PYWlzL3phWC3TxAkkqZGhFLHO8eR23fT2C80-qZIVh29O9G7xv31P52Hfu3B7OFy5imHwEwPrXUyc4Q-JhEwngWKv5Yo7ypMfXQw_5bU9xJqAtA-9JxAhaxsQN-7OknEjTvLM50REdUiemr-OrICrDfFARf3ewCNvnmeG64_eMqM3pJPmw8aMukmEoiztnYs07N1sFwqShlZutUFme6YoGnK2dk8eKxUreM9CgSIqqhldUU9h1yaghPLWiSBp6I3haCv8qHJ_BF6MuJ5HpvKKAl2r-JnSSuLs8-t6eHwQ5BC5MYbDGtbVoA578dk7UfZnGx3ZE3QldnciCtCDUNTLmkimdYcZ6tcHbreQ6rA_eJeWl7VE7Je7KJpvaJ8NE_plaY-QHG1cu1P2S4a3hntImTAM6wDmJUpG0OWFl8XjnyDyFyiYZZOyg1EHBfQRgZdgEx0tCxK42mbh51XsXQSwVE_jPKwc5X8Vv6GFBF1gHpPx_ATE8A7m5Tt_5FvGtUnY25TFwEs6b_gMHgtANE9iEZyioWLOu54wG17ZUHa-aplP9N30mHznR0s8wdWaB0LnwumsPiInmtDGMl9FPvv_ss5IICNb3UbjeVCEX5v3yLgs9A5TUGVgTdET2SunV3sH0PNk1hpwY_PkU2gzi_-qcVuBQgRTSd2j1DDcTUB39o
+aQgfvSnhfC1wVpuKQWhyhUbVCWpldAIXeFWQKJua_aMBJoo85rtlMi5xn9KG5nidXKThCkM8feBrcyFJeo-VtULwIXM7nd5AhwRgHc-VCp5tkNM4hsqpmD28YvfJ-rPIJYR_mUqcUwW_ID_GEKPARpUmsJXWMf-jmcc-ObkNNXJvYdzC2bWesQhNmYZP8gmjejTCkz-ID2_yOqqtcrxakfHtzadbAlixtE6-Ips8WZJwkFKogWjfXbeRFkkt2Q38ElCebT3gI8d3EFmdRZLHW20jpzYWgOR4HbGWM4zWyWoOlfcPGgYwheLugrwtDHodWMf6VDAvnmLqHCORandvFfF8o2Ci794mag0lIWxXsQ3Jzl5gZMb4Hu2I9wFSw0sJzwfYUnD1DB-gLlKaRN-0rWcW2b8ik8yt26GVcMXoqUdX514AFoPk4RO-Q-QpoEaBJ5RskOvepYP62AZ8zMb3wDqJUTJRfy3_uQQXMOmIHTI8HSVUL54ddI2uRrfEtvBlYldjHECjFOu716btBVX9WW828DhvbDtGE2VA4cKz4O4LRWQenhRdbhdWcPKAcAYSMLyliNLMkABTEd6OfpJD_GPA5AGlgb12DZtneAqIUEFFzpuS1fQMZLOd8ceXGo4o1bk-W6fH8PiNGkK2Xtyb93W2UXBvDNRxKlNWVeaIEVY

Update set should not have more than 1000 updates

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_script_only_check">
+    <scan_script_only_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <attributes/>
+        <category>manageability</category>
+        <description>Update set should not have more than 1000 updates as it makes it difficult for the release team to analyze, also could potentially bring in environment slowness while committing</description>
+        <documentation_url/>
+        <finding_type>scan_finding</finding_type>
+        <name>Update set should not have more than 1000 updates</name>
+        <priority>3</priority>
+        <resolution_details>Rework story so they are more granular or split the updates into multiple updates sets</resolution_details>
+        <run_condition/>
+        <score_max>100</score_max>
+        <score_min>0</score_min>
+        <score_scale>1</score_scale>
+        <script><![CDATA[(function(engine) {
+
+    var updateSetConfigCount;
+    var checkConfisCount = new GlideAggregate('sys_update_xml');
+	checkConfisCount.addEncodedQuery('update_set.state!=ignore');
+    checkConfisCount.addAggregate('COUNT', 'update_set');
+    checkConfisCount.orderBy('update_set');
+    checkConfisCount.query();
+    while (checkConfisCount.next()) {
+        updateSetConfigCount = checkConfisCount.getAggregate('COUNT', 'update_set');
+        if (updateSetConfigCount >= 1000) {
+			finding.setCurrentSource(checkConfisCount);
+            engine.finding.increment();
+        }
+    }
+
+})(engine);]]></script>
+        <short_description>Update set should not have more than 1000 updates</short_description>
+        <sys_class_name>scan_script_only_check</sys_class_name>
+        <sys_created_by>admin</sys_created_by>
+        <sys_created_on>2021-10-09 18:01:53</sys_created_on>
+        <sys_id>0dfff25a2f83301002f0ffecf699b649</sys_id>
+        <sys_name>Update set should not have more than 1000 updates</sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_script_only_check_0dfff25a2f83301002f0ffecf699b649</sys_update_name>
+    </scan_script_only_check>
+</record_update>

ca8467c41b9abc10ce0f62c3b24bcbaa/checksum.txt

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_script_only_check">
+    <scan_script_only_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <attributes display_value="">906611642f2330100b40bea62799b6b7</attributes>
+        <category>security</category>
+        <description>It is worthy to check all reports that are with role public - as they can expose data to unauthenticated users via:
+ https : / / &lt;instance&gt;.service-now.com/sys_report_display.do?sysparm_report_id=&lt;sysID&gt;</description>
+        <documentation_url/>
+        <finding_type/>
+        <name>Public reports to be verified </name>
+        <priority>2</priority>
+        <resolution_details/>
+        <run_condition/>
+        <score_max/>
+        <score_min/>
+        <score_scale/>
+        <script><![CDATA[(function(finding) {
+
+    var grSysReport = new GlideRecord('sys_report');
+    grSysReport.addEncodedQuery("roles=public");
+    grSysReport.query();
+    while (grSysReport.next()) {
+        finding.setCurrentSource(grSysReport);
+        finding.increment();
+    }
+
+})(finding);]]></script>
+        <short_description>Candidates of publicly available reports (without needs to authorize) that shoul</short_description>
+        <sys_class_name>scan_script_only_check</sys_class_name>
+        <sys_created_by>admin</sys_created_by>
+        <sys_created_on>2021-10-28 18:46:02</sys_created_on>
+        <sys_id>1e7511642f2330100b40bea62799b6f1</sys_id>
+        <sys_name>Public reports to be verified </sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_script_only_check_1e7511642f2330100b40bea62799b6f1</sys_update_name>
+    </scan_script_only_check>
+</record_update>

ca8467c41b9abc10ce0f62c3b24bcbaa/update/scan_script_only_check_0dfff25a2f83301002f0ffecf699b649.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_script_only_check">
+    <scan_script_only_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <attributes display_value="">125fc7742f2330100b40bea62799b6fb</attributes>
+        <category>security</category>
+        <description/>
+        <documentation_url/>
+        <finding_type/>
+        <name>Locked out user for Scheduled Job</name>
+        <priority>2</priority>
+        <resolution_details/>
+        <run_condition/>
+        <score_max/>
+        <score_min/>
+        <score_scale/>
+        <script><![CDATA[(function(finding) {
+
+    var grSysauto = new GlideRecord('sysauto');
+    grSysauto.addEncodedQuery("run_as.locked_out=true");
+    grSysauto.query();
+    while (grSysauto.next()) {
+        finding.setCurrentSource(grSysauto);
+        finding.increment();
+    }
+
+})(finding);
+]]></script>
+        <short_description>Locked out user detection in Run as for Scheduled Jobs</short_description>
+        <sys_class_name>scan_script_only_check</sys_class_name>
+        <sys_created_by>admin</sys_created_by>
+        <sys_created_on>2021-10-29 22:13:02</sys_created_on>
+        <sys_id>718e43b42f2330100b40bea62799b67f</sys_id>
+        <sys_name>Locked out user for Scheduled Job</sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_script_only_check_718e43b42f2330100b40bea62799b67f</sys_update_name>
+    </scan_script_only_check>
+</record_update>

ca8467c41b9abc10ce0f62c3b24bcbaa/update/scan_script_only_check_1e7511642f2330100b40bea62799b6f1.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_table_check">
+    <scan_table_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <advanced>false</advanced>
+        <attributes/>
+        <category>manageability</category>
+        <conditions table="sys_update_set">descriptionISEMPTY^state!=ignore^EQ<item endquery="false" field="description" goto="false" newquery="false" operator="ISEMPTY" or="false" value=""/>
+            <item display_value="Ignore" endquery="false" field="state" goto="false" newquery="false" operator="!=" or="false" value="ignore"/>
+            <item endquery="true" field="" goto="false" newquery="false" operator="=" or="false" value=""/>
+        </conditions>
+        <description>Update set description provides the release management team to better understand what's getting pushed</description>
+        <documentation_url/>
+        <finding_type>scan_finding</finding_type>
+        <name>Update Set Description Empty</name>
+        <priority>4</priority>
+        <resolution_details>The description should not be empty</resolution_details>
+        <run_condition/>
+        <score_max>100</score_max>
+        <score_min>0</score_min>
+        <score_scale>1</score_scale>
+        <script><![CDATA[(function (engine) {
+
+    // Add your code here
+
+})(engine);]]></script>
+        <short_description>Update set descriptions should not be left empty </short_description>
+        <sys_class_name>scan_table_check</sys_class_name>
+        <sys_created_by>admin</sys_created_by>
+        <sys_created_on>2021-10-09 16:31:59</sys_created_on>
+        <sys_id>003db2922f43301002f0ffecf699b617</sys_id>
+        <sys_name>Update Set Description Empty</sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_table_check_003db2922f43301002f0ffecf699b617</sys_update_name>
+        <table>sys_update_set</table>
+        <use_manifest>false</use_manifest>
+    </scan_table_check>
+</record_update>

ca8467c41b9abc10ce0f62c3b24bcbaa/update/scan_script_only_check_718e43b42f2330100b40bea62799b67f.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_table_check">
+    <scan_table_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <advanced>false</advanced>
+        <attributes/>
+        <category>security</category>
+        <conditions table="sys_user">locked_out=false^roles=admin^last_login_timeRELATIVELT@month@ago@1^ORlast_login_timeISEMPTY^EQ<item endquery="false" field="locked_out" goto="false" newquery="false" operator="=" or="false" value="false"/>
+            <item endquery="false" field="roles" goto="false" newquery="false" operator="=" or="false" value="admin"/>
+            <item endquery="false" field="last_login_time" goto="false" newquery="false" operator="RELATIVE" or="false" value="LT@month@ago@1"/>
+            <item endquery="false" field="last_login_time" goto="false" newquery="false" operator="ISEMPTY" or="true" value=""/>
+            <item endquery="true" field="" goto="false" newquery="false" operator="=" or="false" value=""/>
+        </conditions>
+        <description/>
+        <documentation_url/>
+        <finding_type>scan_finding</finding_type>
+        <name>Admins not logged in for 1 month</name>
+        <priority>2</priority>
+        <resolution_details/>
+        <run_condition/>
+        <score_max>100</score_max>
+        <score_min>0</score_min>
+        <score_scale>1</score_scale>
+        <script><![CDATA[(function (engine) {
+
+    // Add your code here
+
+})(engine);]]></script>
+        <short_description>List users with admin role that were inactive for at least 1 month</short_description>
+        <sys_class_name>scan_table_check</sys_class_name>
+        <sys_created_by>admin</sys_created_by>
+        <sys_created_on>2021-10-19 21:45:37</sys_created_on>
+        <sys_id>22a8ebad2fd3301036c51e282799b6b4</sys_id>
+        <sys_name>Admins not logged in for 1 month</sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_table_check_22a8ebad2fd3301036c51e282799b6b4</sys_update_name>
+        <table>sys_user</table>
+        <use_manifest>false</use_manifest>
+    </scan_table_check>
+</record_update>

ca8467c41b9abc10ce0f62c3b24bcbaa/update/scan_table_check_003db2922f43301002f0ffecf699b617.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_table_check">
+    <scan_table_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <advanced>true</advanced>
+        <attributes display_value="">a49d119e2f9b30100b40bea62799b627</attributes>
+        <category>security</category>
+        <conditions table="sys_user_grmember">group.active=false^EQ<item endquery="false" field="group.active" goto="false" newquery="false" operator="=" or="false" value="false"/>
+            <item endquery="true" field="" goto="false" newquery="false" operator="=" or="false" value=""/>
+        </conditions>
+        <description/>
+        <documentation_url/>
+        <finding_type/>
+        <name>Users belongs to inactive Group</name>
+        <priority>3</priority>
+        <resolution_details/>
+        <run_condition/>
+        <score_max/>
+        <score_min/>
+        <score_scale/>
+        <script><![CDATA[(function(finding, current) {
+
+	var grGroup = new GlideRecord("sys_user_group");
+	grGroup.get(current.group);
+
+	finding.setCurrentSource(grGroup);
+	finding.increment();
+
+
+})(finding, current);]]></script>
+        <short_description>List users that still belongs to already inactivated groups</short_description>
+        <sys_class_name>scan_table_check</sys_class_name>
+        <sys_created_by>admin</sys_created_by>
+        <sys_created_on>2021-10-21 19:31:07</sys_created_on>
+        <sys_id>5adc555e2f9b30100b40bea62799b6e3</sys_id>
+        <sys_name>Users belongs to inactive Group</sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_table_check_5adc555e2f9b30100b40bea62799b6e3</sys_update_name>
+        <table>sys_user_grmember</table>
+        <use_manifest>false</use_manifest>
+    </scan_table_check>
+</record_update>