Feat.(query): Added Alicloud Oss Bucket Public Access Enabled Query f…

…or Terraform (Checkmarx#4931) * Added Alicloud oss bucket cant be public access * Changed per review suggestions
Dipesh-Reen · Mar 9, 2022 · 91c62e8 · 91c62e8
1 parent c3a407a
commit 91c62e8
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 0 deletions.
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "62232513-b16f-4010-83d7-51d0e1d45426",
+  "queryName": "OSS Bucket Public Access Enabled",
+  "severity": "HIGH",
+  "category": "Access Control",
+  "descriptionText": "OSS Bucket should have public access disabled",
+  "descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl",
+  "platform": "Terraform",
+  "descriptionID": "d8096622",
+  "cloudProvider": "alicloud"
+}
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego
@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	some i
+	resource := input.document[i].resource.alicloud_oss_bucket[name]
+
+    possibilities:={"public-read", "public-read-write"}
+    resource.acl == possibilities[p]
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("alicloud_oss_bucket[%s].acl", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'acl' is set to private or not set",
+		"keyActualValue": sprintf("'acl' is %s", [possibilities[p]]),
+        "searchline":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []),
+	}
+}
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/negative1.tf b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/negative1.tf
@@ -0,0 +1,4 @@
+resource "alicloud_oss_bucket" "bucket_public_access_enabled1" {
+  bucket = "bucket-170309-acl"
+  acl    = "private"
+}
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/negative2.tf b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/negative2.tf
@@ -0,0 +1,3 @@
+resource "alicloud_oss_bucket" "bucket_public_access_enabled4" {
+  bucket = "bucket-170309-acl"
+}
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive1.tf b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive1.tf
@@ -0,0 +1,4 @@
+resource "alicloud_oss_bucket" "bucket_public_access_enabled2" {
+  bucket = "bucket-170309-acl"
+  acl    = "public-read"
+}
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive2.tf b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive2.tf
@@ -0,0 +1,13 @@
+resource "alicloud_oss_bucket" "bucket_public_access_enabled3" {
+  bucket = "bucket-170309-acl"
+  acl    = "public-read-write"
+}
+
+resource "alicloud_oss_bucket" "bucket-logging" {
+  bucket = "bucket-170309-logging"
+
+  logging {
+    target_bucket = alicloud_oss_bucket.bucket-target.id
+    target_prefix = "log/"
+  }
+}
diff --git a/...es/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json b/...es/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "OSS Bucket Public Access Enabled",
+    "severity": "HIGH",
+    "line": 3,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "OSS Bucket Public Access Enabled",
+    "severity": "HIGH",
+    "line": 3,
+    "fileName": "positive2.tf"
+  }
+]