fix(query): 'cloudwatch_metrics_disabled' check correct resource and …

…field (Checkmarx#4184)

Signed-off-by: Felipe Avelar <[email protected]>

assets/queries/cloudFormation/cloudwatch_metrics_disabled/query.rego

@@ -5,17 +5,56 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 	document := input.document[i]
 	resource := document.Resources[key]
-	resource.Type == "AWS::CloudWatch::Alarm"
+	resource.Type == "AWS::ApiGateway::Stage"
 
 	properties := resource.Properties
 
-	not common_lib.valid_key(properties, "Metrics")
+	not common_lib.valid_key(properties, "MethodSettings")
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("Resources.%s.Properties", [key]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.Metrics should be defined", [key]),
-		"keyActualValue": sprintf("Resources.%s.Properties.Metrics is undefined", [key]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings should be defined", [key]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings is undefined", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties"], []),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	methods := resource.Properties.MethodSettings
+	method := methods[idx]
+	not common_lib.valid_key(method, "MetricsEnabled")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].MetricsEnabled should be set to true", [key, idx]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].MetricsEnabled is undefined", [key, idx]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "MethodSettings"], [idx]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	methods := resource.Properties.MethodSettings
+	method := methods[idx]
+	method.MetricsEnabled == "false"
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].MetricsEnabled should be set to true", [key, idx]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].MetricsEnabled is set to false", [key, idx]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "MethodSettings", idx], ["MetricsEnabled"]),
 	}
 }

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/negative1.yaml

@@ -1,29 +1,29 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Creating ECS service
+Description: Creating TestDeployment
 Resources:
-  LambdaInvocationsAnomalyDetector:
-    Type: AWS::CloudWatch::AnomalyDetector
+  Prod:
+    Type: AWS::ApiGateway::Stage
     Properties:
-      MetricName: Invocations
-      Namespace: AWS/Lambda
-      Stat: Sum
-
-  LambdaInvocationsAlarm:
-    Type: AWS::CloudWatch::Alarm
-    Properties:
-      AlarmDescription: Lambda invocations
-      AlarmName: LambdaInvocationsAlarm
-      ComparisonOperator: LessThanLowerOrGreaterThanUpperThreshold
-      EvaluationPeriods: 1
-      Metrics:
-      - Expression: ANOMALY_DETECTION_BAND(m1, 2)
-        Id: ad1
-      - Id: m1
-        MetricStat:
-          Metric:
-            MetricName: Invocations
-            Namespace: AWS/Lambda
-          Period: !!int 86400
-          Stat: Sum
-      ThresholdMetricId: ad1
-      TreatMissingData: breaching
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: !Ref MyDocumentationVersion
+      ClientCertificateId: !Ref ClientCertificate
+      Variables:
+        Stack: Prod
+      MethodSettings:
+        - ResourcePath: /
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+        - ResourcePath: /stack
+          HttpMethod: POST
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '999'
+        - ResourcePath: /stack
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '555'

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/negative2.json

@@ -1,39 +1,47 @@
 {
   "Resources": {
-    "LambdaInvocationsAnomalyDetector2": {
-      "Type": "AWS::CloudWatch::AnomalyDetector",
+    "Prod": {
+      "Type": "AWS::ApiGateway::Stage",
       "Properties": {
-        "MetricName": "Invocations",
-        "Namespace": "AWS/Lambda",
-        "Statistic": "Sum"
-      }
-    },
-    "LambdaInvocationsAlarm2": {
-      "Type": "AWS::CloudWatch::Alarm",
-      "Properties": {
-        "AlarmDescription": "Lambda invocations",
-        "AlarmName": "LambdaInvocationsAlarm",
-        "ComparisonOperator": "LessThanLowerOrGreaterThanUpperThreshold",
-        "EvaluationPeriods": 1,
-        "Metrics": [
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "RestApiId": {
+          "Ref": "MyRestApi"
+        },
+        "DeploymentId": {
+          "Ref": "TestDeployment"
+        },
+        "DocumentationVersion": {
+          "Ref": "MyDocumentationVersion"
+        },
+        "ClientCertificateId": {
+          "Ref": "ClientCertificate"
+        },
+        "Variables": {
+          "Stack": "Prod"
+        },
+        "MethodSettings": [
+          {
+            "ResourcePath": "/",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false"
+          },
           {
-            "Expression": "ANOMALY_DETECTION_BAND(m1, 2)",
-            "Id": "ad1"
+            "ResourcePath": "/stack",
+            "HttpMethod": "POST",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false",
+            "ThrottlingBurstLimit": "999"
           },
           {
-            "Id": "m1",
-            "MetricStat": {
-              "Metric": {
-                "MetricName": "Invocations",
-                "Namespace": "AWS/Lambda"
-              },
-              "Period": 86400,
-              "Stat": "Sum"
-            }
+            "ResourcePath": "/stack",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false",
+            "ThrottlingBurstLimit": "555"
           }
-        ],
-        "ThresholdMetricId": "ad1",
-        "TreatMissingData": "breaching"
+        ]
       }
     }
   }

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/positive1.yaml

@@ -1,19 +1,28 @@
-AWSTemplateFormatVersion: "2010-09-09"
-Description: Creating ECS service
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creating TestDeployment
 Resources:
-  LambdaInvocationsAnomalyDetector3:
-    Type: AWS::CloudWatch::AnomalyDetector
+  Prod:
+    Type: AWS::ApiGateway::Stage
     Properties:
-      MetricName: Invocations
-      Namespace: AWS/Lambda
-      Stat: Sum
-
-  LambdaInvocationsAlarm3:
-    Type: AWS::CloudWatch::Alarm
-    Properties:
-      AlarmDescription: Lambda invocations
-      AlarmName: LambdaInvocationsAlarm
-      ComparisonOperator: LessThanLowerOrGreaterThanUpperThreshold
-      EvaluationPeriods: 1
-      ThresholdMetricId: ad1
-      TreatMissingData: breaching
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: !Ref MyDocumentationVersion
+      ClientCertificateId: !Ref ClientCertificate
+      Variables:
+        Stack: Prod
+      MethodSettings:
+        - ResourcePath: /
+          HttpMethod: GET
+          MetricsEnabled: 'false'
+          DataTraceEnabled: 'false'
+        - ResourcePath: /stack
+          HttpMethod: POST
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '999'
+        - ResourcePath: /stack
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '555'

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/positive2.json

@@ -1,22 +1,46 @@
 {
   "Resources": {
-    "LambdaInvocationsAnomalyDetector4": {
-      "Type": "AWS::CloudWatch::AnomalyDetector",
+    "Prod": {
+      "Type": "AWS::ApiGateway::Stage",
       "Properties": {
-        "MetricName": "Invocations",
-        "Namespace": "AWS/Lambda",
-        "Statistic": "Sum"
-      }
-    },
-    "LambdaInvocationsAlarm4": {
-      "Type": "AWS::CloudWatch::Alarm",
-      "Properties": {
-        "AlarmDescription": "Lambda invocations",
-        "AlarmName": "LambdaInvocationsAlarm",
-        "ComparisonOperator": "LessThanLowerOrGreaterThanUpperThreshold",
-        "EvaluationPeriods": 1,
-        "ThresholdMetricId": "ad1",
-        "TreatMissingData": "breaching"
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "RestApiId": {
+          "Ref": "MyRestApi"
+        },
+        "DeploymentId": {
+          "Ref": "TestDeployment"
+        },
+        "DocumentationVersion": {
+          "Ref": "MyDocumentationVersion"
+        },
+        "ClientCertificateId": {
+          "Ref": "ClientCertificate"
+        },
+        "Variables": {
+          "Stack": "Prod"
+        },
+        "MethodSettings": [
+          {
+            "ResourcePath": "/",
+            "HttpMethod": "GET",
+            "DataTraceEnabled": "false"
+          },
+          {
+            "ResourcePath": "/stack",
+            "HttpMethod": "POST",
+            "MetricsEnabled": "false",
+            "DataTraceEnabled": "false",
+            "ThrottlingBurstLimit": "999"
+          },
+          {
+            "ResourcePath": "/stack",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false",
+            "ThrottlingBurstLimit": "555"
+          }
+        ]
       }
     }
   }

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/positive3.yaml

@@ -0,0 +1,14 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creating TestDeployment
+Resources:
+  Prod:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: !Ref MyDocumentationVersion
+      ClientCertificateId: !Ref ClientCertificate
+      Variables:
+        Stack: Prod

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/positive4.json

@@ -0,0 +1,26 @@
+{
+  "Resources": {
+    "Prod": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "RestApiId": {
+          "Ref": "MyRestApi"
+        },
+        "DeploymentId": {
+          "Ref": "TestDeployment"
+        },
+        "DocumentationVersion": {
+          "Ref": "MyDocumentationVersion"
+        },
+        "ClientCertificateId": {
+          "Ref": "ClientCertificate"
+        },
+        "Variables": {
+          "Stack": "Prod"
+        }
+      }
+    }
+  }
+}

assets/queries/cloudFormation/cloudwatch_metrics_disabled/test/positive_expected_result.json

@@ -2,13 +2,37 @@
   {
     "queryName": "CloudWatch Metrics Disabled",
     "severity": "MEDIUM",
-    "line": 13,
+    "line": 18,
     "fileName": "positive1.yaml"
   },
   {
-    "line": 13,
-    "fileName": "positive2.json",
     "queryName": "CloudWatch Metrics Disabled",
-    "severity": "MEDIUM"
+    "severity": "MEDIUM",
+    "line": 20,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "CloudWatch Metrics Disabled",
+    "severity": "MEDIUM",
+    "line": 25,
+    "fileName": "positive2.json"
+  },
+  {
+    "queryName": "CloudWatch Metrics Disabled",
+    "severity": "MEDIUM",
+    "line": 32,
+    "fileName": "positive2.json"
+  },
+  {
+    "queryName": "CloudWatch Metrics Disabled",
+    "severity": "MEDIUM",
+    "line": 6,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "CloudWatch Metrics Disabled",
+    "severity": "MEDIUM",
+    "line": 5,
+    "fileName": "positive4.json"
   }
 ]