diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego
index e2be8902dee..e82d266e471 100644
--- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego
@@ -8,56 +8,47 @@ CxPolicy[result] {
 value.type == "Microsoft.Web/sites"
- not common_lib.valid_key(value, "identity")
+ res := get_res(value, path)
 result := {
 "documentId": input.document[i].id,
 "resourceType": value.type,
 "resourceName": value.name,
- "searchKey": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
- "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
- "searchLine": common_lib.build_search_line(path, ["name"]),
+ "searchKey": res.sk,
+ "issueType": res.it,
+ "keyExpectedValue": res.kev,
+ "keyActualValue": res.kav,
+ "searchLine": res.sl,
 }
 }
-CxPolicy[result] {
- doc := input.document[i]
- [path, value] = walk(doc)
-
- value.type == "Microsoft.Web/sites"
+get_res(value, path) = res {
+ not common_lib.valid_key(value, "identity")
+ res := {
+ "sk": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
+ "it": "MissingAttribute",
+ "kev": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
+ "kav": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
+ "sl": common_lib.build_search_line(path, ["name"])
+ }
+} else = res {
 not common_lib.valid_key(value.identity, "type")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": value.type,
- "resourceName": value.name,
- "searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
- "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
- "searchLine": common_lib.build_search_line(path, ["identity"]),
+ res := {
+ "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+ "it": "MissingAttribute",
+ "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+ "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+ "sl": common_lib.build_search_line(path, ["identity"])
 }
-}
-
-CxPolicy[result] {
- doc := input.document[i]
- [path, value] = walk(doc)
-
- value.type == "Microsoft.Web/sites"
+} else = res {
 common_lib.valid_key(value.identity, "type")
 not is_valid_identity(value.identity)
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": value.type,
- "resourceName": value.name,
- "searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to %s",
- "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to %s",
- "searchLine": common_lib.build_search_line(path, ["identity"]),
+ res := {
+ "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+ "it": "IncorrectValue",
+ "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+ "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+ "sl": common_lib.build_search_line(path, ["identity"])
 }
 }
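Review bot: The third `get_res` branch (the `IncorrectValue` case) now reports that the identity type is not 'SystemAssigned' or 'UserAssigned', yet the positive7 fixture this commit adds and expects to be flagged on its `identity` line has `type: 'UserAssigned'` and only lacks `userAssignedIdentities`, so for the very case it was added for the message misstates the finding. `is_valid_identity` is defined outside the hunk; from the fixture and the expected-result entries I infer it also requires `userAssignedIdentities` when the type is 'UserAssigned'. I would align the wording with the second branch: `"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned', or 'UserAssigned' with 'userAssignedIdentities' defined",` and `"kav": "resource with type 'Microsoft.Web/sites' has an identity type that is not 'SystemAssigned' or 'UserAssigned', or is 'UserAssigned' without 'userAssignedIdentities' defined",`. The enclosing `CxPolicy` rule starts before the hunk's first line.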
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep
new file mode 100644
index 00000000000..42fb8b522e0
--- /dev/null
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep
@@ -0,0 +1,12 @@
+resource webSitePositive7 'Microsoft.Web/sites@2020-12-01' = {
+ name: 'webSitePositive7'
+ location: 'location1'
+ tags: {}
+ identity: {
+ type: 'UserAssigned'
+ }
+ properties: {
+ enabled: true
+ httpsOnly: true
+ }
+}
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json
new file mode 100644
index 00000000000..8433fd94106
--- /dev/null
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "623030832249271008"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "name": "webSitePositive7",
+ "location": "location1",
+ "tags": {},
+ "identity": {
+ "type": "UserAssigned"
+ },
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json
index 294c2c55972..a4f6d28793d 100644
--- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json
@@ -35,6 +35,12 @@
 "line": 17,
 "fileName": "positive6.json"
 },
+ {
+ "queryName": "Website Azure Active Directory Disabled",
+ "severity": "LOW",
+ "line": 18,
+ "fileName": "positive7.json"
+ },
 {
 "queryName": "Website Azure Active Directory Disabled",
 "severity": "LOW",
@@ -70,5 +76,11 @@
 "severity": "LOW",
 "line": 5,
 "fileName": "positive6.bicep"
+ },
+ {
+ "queryName": "Website Azure Active Directory Disabled",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive7.bicep"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
index 1552a1b43ac..a1f49a92fbc 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
@@ -10,58 +10,45 @@ CxPolicy[result] {
 resource.Type == "AWS::ApiGateway::RestApi"
 properties := resource.Properties
- properties.MinimumCompressionSize < 0
+ res := get_res(properties, name, path)
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
- "keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0",
- "searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+ "searchKey": res.sk,
+ "issueType": res.it,
+ "keyExpectedValue": res.kev,
+ "keyActualValue": res.kav,
+ "searchLine": res.sl,
 }
 }
-CxPolicy[result] {
- docs := input.document[i]
- [path, Resources] := walk(docs)
- resource := Resources[name]
- resource.Type == "AWS::ApiGateway::RestApi"
- properties := resource.Properties
-
+get_res(properties, name, path) = res {
+ properties.MinimumCompressionSize < 0
+ res := {
+ "sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+ "it": "IncorrectValue",
+ "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+ "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]),
+ "sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+ }
+} else = res {
 properties.MinimumCompressionSize > 10485759
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
- "keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759",
- "searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+ res := {
+ "sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+ "it": "IncorrectValue",
+ "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+ "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]),
+ "sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 }
-}
-
-CxPolicy[result] {
- docs := input.document[i]
- [path, Resources] := walk(docs)
- resource := Resources[name]
- resource.Type == "AWS::ApiGateway::RestApi"
- properties := resource.Properties
-
+} else = res {
 not common_lib.valid_key(properties, "MinimumCompressionSize")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
- "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
- "searchLine": common_lib.build_search_line(path, [name, "Properties"]),
+ res := {
+ "sk": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
+ "it": "MissingAttribute",
+ "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
+ "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
+ "sl": common_lib.build_search_line(path, [name, "Properties"]),
 }
-}
+}
\ No newline at end of file
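Review bot: `get_res` compares `properties.MinimumCompressionSize` with `< 0` and `> 10485759` without first checking that the value is a number, and OPA orders values across types (null < boolean < number < string < array < object), so as I read it a string value or a CloudFormation intrinsic such as `{"Ref": ...}` or `{"Fn::FindInMap": ...}` compares greater than 10485759 and is reported as 'set to greater than 10485759', while a `null` value compares less than 0 and is reported as negative. Guarding the two numeric branches with `is_number(properties.MinimumCompressionSize)` before the comparison keeps unresolvable values out of the wrong message and lets them fall through to the existing `MissingAttribute` branch or produce no finding. The enclosing `CxPolicy` rule begins before the hunk's first line.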
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
index 7365b716973..81c44b1f1e6 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
@@ -9,43 +9,42 @@ CxPolicy[result] {
 resource.Type == "AWS::Serverless::Api"
 properties := resource.Properties
- unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+ res := get_res(properties, name)
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
- "keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759",
- "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+ "searchKey": res.sk,
+ "issueType": res.it,
+ "keyExpectedValue": res.kev,
+ "keyActualValue": res.kav,
+ "searchLine": res.sl,
 }
 }
-CxPolicy[result] {
- document := input.document
- resource = document[i].Resources[name]
- resource.Type == "AWS::Serverless::Api"
- properties := resource.Properties
-
+get_res(properties, name) = res {
+ unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+ res := {
+ "sk": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
+ "it": "IncorrectValue",
+ "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+ "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", [name]),
+ "sl": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+ }
+} else = res {
 not common_lib.valid_key(properties, "MinimumCompressionSize")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("Resources.%s.Properties", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
- "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
- "searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+ res := {
+ "sk": sprintf("Resources.%s.Properties", [name]),
+ "it": "MissingAttribute",
+ "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
+ "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
+ "sl": common_lib.build_search_line(["Resources", name, "Properties"], []),
 }
 }
-
 unrecommended_minimum_compression_size(value) {
 value < 0
 } else {
 value > 10485759
-}
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
index e68cad6f295..76ae001ba1d 100644
--- a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
+++ b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
@@ -13,8 +13,8 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("alicloud_alb_listener[%s].listener_protocol", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'",
- "keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'",
+ "keyExpectedValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'", [name]),
+ "keyActualValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'", [name]),
 "searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []),
 "remediation": json.marshal({
 "before": "HTTP",
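Review bot: The `MissingAttribute` branch of `get_res` says the value must be 'defined and not null', but an explicit `MinimumCompressionSize: null` never reaches it: the first branch calls `unrecommended_minimum_compression_size` on the raw value, and under OPA's cross-type ordering `null < 0` holds, so a null is reported as 'set but smaller than 0' with an `IncorrectValue` issue type instead. Whether `common_lib.valid_key` treats null as absent I cannot see from here, but if it does, adding `is_number(properties.MinimumCompressionSize)` as the first line of the first branch sends null (and any intrinsic-function object) to the branch whose message describes it. The enclosing `CxPolicy` rule begins before the hunk's first line.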
diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego
index b57520d3242..f6d3042c8f9 100644
--- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego
@@ -90,7 +90,7 @@ CxPolicy[result] {
 "searchKey": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level should not be set to OFF", [name]),
- "keyActualValue": "aws_apigatewayv2_stage[%s].default_route_settings.logging_level is set to OFF",
+ "keyActualValue": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level is set to OFF", [name]),
 "searchLine": common_lib.build_search_line(["resource", "aws_apigatewayv2_stage", name], ["default_route_settings", "logging_level"]),
 }
 }
@@ -224,7 +224,7 @@ CxPolicy[result] {
 "searchKey": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level", [settingsId]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level should not be set to OFF", [settingsId]),
- "keyActualValue": "aws_api_gateway_method_settings[%s].settings.logging_level is set to OFF",
+ "keyActualValue": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level is set to OFF", [settingsId]),
 "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", settingsId], ["settings", "logging_level"]),
 }
 }