merge

cast-and-crew · Aug 26, 2022 · 6fce2af · 6fce2af
1 parent 588d177
commit 6fce2af
Show file tree

Hide file tree

Showing 207 changed files with 1,584 additions and 535 deletions.
diff --git a/assets/libraries/cloudformation.rego b/assets/libraries/cloudformation.rego
@@ -247,3 +247,13 @@ get_resource_name(resource, resourceDefinitionName) = name {
 } else = name {
 	name := resourceDefinitionName
 }
+
+getPath(path) = result {
+	count(path) > 0
+	path_string := common_lib.concat_path(path)
+	out := array.concat([path_string], ["."])
+	result := concat("", out)
+} else = result {
+	count(path) == 0
+	result := ""
+}
diff --git a/assets/libraries/serverlessfw.rego b/assets/libraries/serverlessfw.rego
@@ -0,0 +1,37 @@
+package generic.serverlessfw
+
+import data.generic.common as common_lib
+
+resourceTypeMapping(resourceType, provider)= resourceTypeVal{
+    resourceTypeVal :=resourcesMap[provider][resourceType]
+}
+
+resourcesMap = {
+    "aws": {
+        "function": "AWS::Lambda",
+        "api": "AWS::ApiGateway",
+        "iam": "AWS::IAM"        
+    },
+    "azure":{
+        "function": "Azure:Function",
+        "api": "Azure:APIManagement",
+        "iam": "Azure:Role"
+    },
+    "google":{
+        "function": "Google:Cloudfunctions",
+        "api": "Google:ApiGateway",
+        "iam": "Google:IAM"
+    },
+    "aliyun":{
+        "function": "Aliyun:FunctionCompute",
+        "api": "Aliyun:ApiGateway",
+        "iam": "Aliyun:RAM"
+    }
+}
+
+get_service_name(document) = name{
+    name := document.service.name
+} else = name {
+    is_string(document.service)
+    name := document.service
+}
diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/query.rego b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/query.rego
@@ -1,10 +1,12 @@
 package Cx
 
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::ApiGateway::RestApi"
 
 	not common_lib.valid_key(resource.Properties, "EndpointConfiguration")
@@ -13,15 +15,17 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("'Resources.%s.EndpointConfiguration' should be defined", [name]),
 		"keyActualValue": sprintf("'Resources.%s.EndpointConfiguration' is undefined", [name]),
 	}
 }
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::ApiGateway::RestApi"
 	endpointConfig := resource.Properties.EndpointConfiguration
 
@@ -31,15 +35,17 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.EndpointConfiguration", [name]),
+		"searchKey": sprintf("%s%s.Properties.EndpointConfiguration", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("'Resources.%s.EndpointConfiguration.Types' should be defined", [name]),
 		"keyActualValue": sprintf("'Resources.%s.EndpointConfiguration.Types' is undefined", [name]),
 	}
 }
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::ApiGateway::RestApi"
 	endpointConfig := resource.Properties.EndpointConfiguration
 
@@ -49,7 +55,7 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.EndpointConfiguration.Types", [name]),
+		"searchKey": sprintf("%s%s.Properties.EndpointConfiguration.Types", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'Resources.%s.EndpointConfiguration.Types' should contain 'PRIVATE'", [name]),
 		"keyActualValue": sprintf("'Resources.%s.EndpointConfiguration.Types' does not contain 'PRIVATE'", [name]),

diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
@@ -1,11 +1,12 @@
 package Cx
 
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
-	document := input.document
-	resource = document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::ApiGateway::RestApi"
 	properties := resource.Properties
 
@@ -15,17 +16,18 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
+		"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0",
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0",
+		"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 	}
 }
 
 CxPolicy[result] {
-	document := input.document
-	resource = document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::ApiGateway::RestApi"
 	properties := resource.Properties
 
@@ -35,17 +37,18 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
+		"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but greater than 10485759",
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759",
+		"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 	}
 }
 
 CxPolicy[result] {
-	document := input.document
-	resource = document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::ApiGateway::RestApi"
 	properties := resource.Properties
 
@@ -55,10 +58,10 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+		"searchLine": common_lib.build_search_line(path, [name, "Properties"]),
 	}
 }
diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/query.rego b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/query.rego
@@ -1,34 +1,38 @@
 package Cx
 
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::RDS::DBInstance"
 	not common_lib.valid_key(resource.Properties, "AutoMinorVersionUpgrade")
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("'Resources.%s.Properties.AutoMinorVersionUpgrade' should be defined", [name]),
 		"keyActualValue": sprintf("'Resources.%s.Properties.AutoMinorVersionUpgrade' is undefined", [name]),
 	}
 }
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::RDS::DBInstance"
 	resource.Properties.AutoMinorVersionUpgrade == false
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.AutoMinorVersionUpgrade", [name]),
+		"searchKey": sprintf("%s%s.Properties.AutoMinorVersionUpgrade", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'Resources.%s.Properties.AutoMinorVersionUpgrade' should be true", [name]),
 		"keyActualValue": sprintf("'Resources.%s.Properties.AutoMinorVersionUpgrade' is false", [name]),

diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/query.rego b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/query.rego
@@ -1,40 +1,42 @@
 package Cx
 
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
-	document := input.document[i]
-	resource := document.Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 	distributionConfig := resource.Properties.DistributionConfig
 
 	isFalse(distributionConfig.Enabled)
 
 	result := {
-		"documentId": document.id,
+		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.DistributionConfig.Enabled", [name]),
+		"searchKey": sprintf("%s%s.Properties.DistributionConfig.Enabled", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.Enabled should be 'true'", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.Enabled is configured as 'false'", [name]),
 	}
 }
 
 CxPolicy[result] {
-	document := input.document[i]
-	resource := document.Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 	properties := resource.Properties.DistributionConfig
 
 	not common_lib.valid_key(properties, "Origins")
 
 	result := {
-		"documentId": document.id,
+		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.DistributionConfig", [name]),
+		"searchKey": sprintf("%s%s.Properties.DistributionConfig", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig should contain an 'Origins' object", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig does not contain an 'Origins' object configured", [name]),

diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego
@@ -4,7 +4,9 @@ import data.generic.cloudformation as cf_lib
 import data.generic.common as common_lib
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 
 	distributionConfig := resource.Properties.DistributionConfig
@@ -15,15 +17,17 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.Logging should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.Logging is undefined", [name]),
 	}
 }
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 
 	distributionConfig := resource.Properties.DistributionConfig
@@ -36,7 +40,7 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.DistributionConfig.Logging.Bucket", [name]),
+		"searchKey": sprintf("%s%s.Properties.DistributionConfig.Logging.Bucket", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", [name]),

diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
@@ -1,10 +1,12 @@
 package Cx
 
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 	properties := resource.Properties
 	not cf_lib.isCloudFormationFalse(properties.DistributionConfig.Enabled)
@@ -14,16 +16,18 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.DistributionConfig", [name]),
+		"searchKey": sprintf("%s%s.Properties.DistributionConfig", [cf_lib.getPath(path), name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.ViewerCertificate' should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.ViewerCertificate' is undefined", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "DistributionConfig"], []),
+		"searchLine": common_lib.build_search_line(path, [name, "Properties", "DistributionConfig"]),
 	}
 }
 
 CxPolicy[result] {
-	resource := input.document[i].Resources[name]
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 	properties := resource.Properties
 	protocolVer := properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion
@@ -34,10 +38,10 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", [name]),
+		"searchKey": sprintf("%s%s.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", [cf_lib.getPath(path), name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is %s", [name, protocolVer]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "DistributionConfig", "ViewerCertificate", "MinimumProtocolVersion"], []),
+		"searchLine": common_lib.build_search_line(path, [name, "Properties", "DistributionConfig", "ViewerCertificate", "MinimumProtocolVersion"]),
 	}
 }