feat(query): Added modules to 'Network ACL With Unrestricted Access …

…To SSH' query Checkmarx#4289 Signed-off-by: Felipe Avelar <[email protected]>
cluetrust · Sep 28, 2021 · 9f1b3e4 · 9f1b3e4
1 parent d69239b
commit 9f1b3e4
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 1 deletion.
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego
@@ -1,5 +1,6 @@
 package Cx
 
+import data.generic.common as common_lib
 import data.generic.terraform as terra_lib
 
 CxPolicy[result] {
@@ -15,6 +16,7 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is not public", [name, idx]),
 		"keyActualValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is public", [name, idx]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_network_acl", name, "ingress", idx], []),
 	}
 }
 
@@ -32,6 +34,7 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("aws_network_acl[%s] 'SSH' (TCP:22) is not public", [netAclRuleName]),
 		"keyActualValue": sprintf("aws_network_acl[%s] 'SSH' (TCP:22) is public", [netAclRuleName]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_network_acl_rule", netAclRuleName], []),
 	}
 }
 
@@ -48,5 +51,24 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("aws_network_acl[%s].ingress 'SSH' (TCP:22) is not public", [name]),
 		"keyActualValue": sprintf("aws_network_acl[%s].ingress 'SSH' (TCP:22) is public", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_network_acl", name, "ingress"], []),
+	}
+}
+
+CxPolicy[result] {
+	module := input.document[i].module[name]
+	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_default_vpc", "default_network_acl_ingress")
+	common_lib.valid_key(module, keyToCheck)
+	rule := module[keyToCheck][idx]
+
+	terra_lib.openPort(rule, 22)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("module[%s].%s", [name, keyToCheck]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is not public", [name, idx]),
+		"keyActualValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is public", [name, idx]),
+		"searchLine": common_lib.build_search_line(["module", name, keyToCheck, idx], []),
 	}
 }
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative4.tf b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative4.tf
@@ -0,0 +1,19 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.7.0"
+
+  name = "my-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = true
+  enable_vpn_gateway = true
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative5.tf b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative5.tf
@@ -0,0 +1,38 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.7.0"
+
+  name = "my-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  default_network_acl_ingress = [
+    {
+      "action" : "allow",
+      "cidr_block" : "0.0.0.0/0",
+      "from_port" : 0,
+      "protocol" : "-1",
+      "rule_no" : 100,
+      "to_port" : 0
+    },
+    {
+      "action" : "allow",
+      "cidr_block" : "10.3.0.0/18",
+      "from_port" : 0,
+      "protocol" : "-1",
+      "rule_no" : 22,
+      "to_port" : 0
+    }
+  ]
+
+  enable_nat_gateway = true
+  enable_vpn_gateway = true
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive4.tf b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive4.tf
@@ -0,0 +1,30 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.7.0"
+
+  name = "my-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  default_network_acl_ingress = [
+    {
+      "action" : "allow",
+      "cidr_block" : "0.0.0.0/0",
+      "from_port" : 0,
+      "protocol" : "tcp",
+      "rule_no" : 22,
+      "to_port" : 0
+    }
+  ]
+
+  enable_nat_gateway = true
+  enable_vpn_gateway = true
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
diff --git a/...raform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/...raform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -2,7 +2,7 @@
   {
     "queryName": "Network ACL With Unrestricted Access To SSH",
     "severity": "HIGH",
-    "line": 28,
+    "line": 30,
     "fileName": "positive1.tf"
   },
   {
@@ -16,5 +16,11 @@
     "severity": "HIGH",
     "line": 26,
     "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "Network ACL With Unrestricted Access To SSH",
+    "severity": "HIGH",
+    "line": 14,
+    "fileName": "positive4.tf"
   }
 ]