Merge pull request Checkmarx#6540 from Checkmarx/kics-922

fix(query): Split One Query Policy
baruchiro · Jul 26, 2023 · ccb11d8 · ccb11d8
2 parents 6bf7aac + dc7f5c2
commit ccb11d8
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 1 deletion.
diff --git a/...s/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/query.rego b/...s/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/query.rego
@@ -8,8 +8,9 @@ CxPolicy[result] {
 	functions := document.functions
 	function := functions[fname]
 
+	common_lib.valid_key(function, "environment")
 	not common_lib.valid_key(function, "kmsKeyArn")
-	not hasKMSarnAtProvider(document)
+
 
 	result := {
 		"documentId": input.document[i].id,
@@ -23,6 +24,23 @@ CxPolicy[result] {
 	}
 }
 
+CxPolicy[result] {
+	document := input.document[i]
+
+	common_lib.valid_key(document.provider, "environment")
+	not hasKMSarnAtProvider(document)
+
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": "provider",
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'kmsKeyArn' should be defined inside the provider",
+		"keyActualValue": "'kmsKeyArn' is not defined",
+		"searchLine": common_lib.build_search_line(["provider"], []),
+	}
+}
+
 hasKMSarnAtProvider(doc){
 	common_lib.valid_key(doc.provider, "kmsKeyArn")
 }
diff --git a/...s/serverlessFW/serverless_function_environment_variables_not_encrypted/test/negative1.yml b/...s/serverlessFW/serverless_function_environment_variables_not_encrypted/test/negative1.yml
@@ -5,6 +5,7 @@ service:
 
 provider:
   name: aws
+  kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
   environment:
     TABLE_NAME: tableName1
 

diff --git a/...s/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive2.yml b/...s/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive2.yml
@@ -0,0 +1,19 @@
+frameworkVersion: '2'
+service:
+  name: service-name
+  awsKmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
+
+provider:
+  name: aws
+  environment:
+    TABLE_NAME: tableName1
+
+functions:
+  hello: # this function will OVERWRITE the service level environment config above
+    handler: handler.hello
+    kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
+    environment:
+      TABLE_NAME: tableName2
+  goodbye: # this function will INHERIT the service level environment config above
+    handler: handler.goodbye
+    kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
diff --git a/...erverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/...erverless_function_environment_variables_not_encrypted/test/positive_expected_result.json
@@ -1,8 +1,20 @@
 [
+  {
+    "queryName": "Serverless Function Environment Variables Not Encrypted",
+    "severity": "HIGH",
+    "line": 6,
+    "fileName": "positive1.yml"
+  },
   {
     "queryName": "Serverless Function Environment Variables Not Encrypted",
     "severity": "HIGH",
     "line": 12,
     "fileName": "positive1.yml"
+  },
+  {
+    "queryName": "Serverless Function Environment Variables Not Encrypted",
+    "severity": "HIGH",
+    "line": 6,
+    "fileName": "positive2.yml"
   }
 ]