Merge branch 'master' into Feature/Add_Query_Documentation_Generator

LICENSE

@@ -198,14 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
-
-It is clarified that the Apache License 2.0 shall not apply to any content
-generated by KICS which is marked as being “Proprietary to CIS” (the “CIS 
-Proprietary Content”). The CIS Proprietary Content is exclusively owned by 
-the Center for Internet Security, Inc. and you are granted a limited, 
-non-exclusively,  non-transferable, non-sublicensable license to view the 
-CIS Proprietary Content in connection with your use of KICS. You may not, 
-and may not permit others to modify, create derivative works of, reproduce, 
-publish, distribute, transfer, publicly display, resell, rent, lease, 
-sublicense, loan, or lend the CIS Proprietary Content to any third party.
+   limitations under the License.

assets/queries/common/passwords_and_secrets/regex_rules.json

@@ -215,6 +215,12 @@
       "name": "Twilio API Key",
       "regex": "SK[0-9a-fA-F]{32}"
     },
+    {
+      "id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
+      "name": "Generic Access Key",
+      "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
+      "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
+    },
     {
       "id": "2f665079-c383-4b33-896e-88268c1fa258",
       "name": "Generic Private Key",

assets/queries/common/passwords_and_secrets/test/negative54.tf

@@ -0,0 +1,10 @@
+data "terraform_remote_state" "intnet" {
+  backend = "azurerm"
+  config = {
+    storage_account_name = "asdsadas"
+    container_name       = "dp-prasdasdase-001"
+    key                  = "infrastructure.tfstate"
+    access_key           = file(var.access_key_path)
+  }
+  workspace = terraform.workspace
+}

assets/queries/common/passwords_and_secrets/test/positive42.tf

@@ -0,0 +1,10 @@
+data "terraform_remote_state" "intnet" {
+  backend = "azurerm"
+  config = {
+    storage_account_name = "asdsadas"
+    container_name       = "dp-prasdasdase-001"
+    key                  = "infrastructure.tfstate"
+    access_key           = "sdsaljasbdasddsadsa"
+  }
+  workspace = terraform.workspace
+}

assets/queries/common/passwords_and_secrets/test/positive_expected_result.json

@@ -352,5 +352,11 @@
     "severity": "HIGH",
     "line": 7,
     "fileName": "positive41.tf"
+  },
+  {
+    "queryName": "Passwords And Secrets - Generic Access Key",
+    "severity": "HIGH",
+    "line": 7,
+    "fileName": "positive42.tf"
   }
 ]

assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json

@@ -3,7 +3,7 @@
     "queryName": "Restart Policy On Failure Not Set To 5",
     "severity": "MEDIUM",
     "category": "Build Process",
-    "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.",
+    "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.",
     "descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
     "platform": "DockerCompose",
     "descriptionID": "d21fff2e"

assets/queries/openAPI/general/pattern_undefined/query.rego

@@ -1,6 +1,7 @@
 package Cx
 
 import data.generic.openapi as openapi_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
 	doc := input.document[i]
@@ -15,6 +16,7 @@ CxPolicy[result] {
 	result := {
 		"documentId": doc.id,
 		"searchKey": sprintf("%s.type", [openapi_lib.concat_path(path)]),
+		"searchLine": common_lib.build_search_line(path, ["type"]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'pattern' should be defined",
 		"keyActualValue": "'pattern' is undefined",
@@ -34,9 +36,10 @@ CxPolicy[result] {
 	result := {
 		"documentId": doc.id,
 		"searchKey": sprintf("%s.type", [openapi_lib.concat_path(path)]),
+		"searchLine": common_lib.build_search_line(path, ["type"]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'pattern' should be defined",
 		"keyActualValue": "'pattern' is undefined",
 		"overrideKey": version,
 	}
-}
+}

assets/queries/openAPI/general/response_code_missing/query.rego

@@ -21,6 +21,8 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("%s response should be set", [wantedResponses]),
 		"keyActualValue": sprintf("%s response is undefined", [wantedResponses]),
 		"overrideKey": version,
+		"searchValue": sprintf("%s response", [wantedResponses]),
+		"searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
 	}
 }
 
@@ -41,6 +43,8 @@ CxPolicy[result] {
 		"keyExpectedValue": "415 response should be set",
 		"keyActualValue": "415 response is undefined",
 		"overrideKey": version,
+		"searchValue": "415 response",
+		"searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
 	}
 }
 
@@ -61,6 +65,8 @@ CxPolicy[result] {
 		"keyExpectedValue": "404 response should be set",
 		"keyActualValue": "404 response is undefined",
 		"overrideKey": version,
+		"searchValue": "404 response",
+		"searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
 	}
 }
 
@@ -80,6 +86,8 @@ CxPolicy[result] {
 		"keyExpectedValue": "200 response should be set",
 		"keyActualValue": "200 response is undefined",
 		"overrideKey": version,
+		"searchValue": "200 response",
+		"searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
 	}
 }
 
@@ -101,5 +109,7 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("%s response should be set when security field is defined", [wantedResponses]),
 		"keyActualValue": sprintf("%s response is undefined when security field is defined", [wantedResponses]),
 		"overrideKey": version,
+		"searchValue": sprintf("%s response", [wantedResponses]),
+		"searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
 	}
-}
+}

docker/Dockerfile.ubi8

@@ -44,7 +44,7 @@ LABEL name="KICS" \
   description="Checkmarx/kics is an opensource project that enable you to find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code find more in https://kics.io" \
   maintainer="[email protected]" \
   vendor="Checkmarx" \
-  version="v1.6.14" \
+  version="v1.7.0" \
   release="1" \
   io.k8s.display-name="KICS by Checkmarx" \
   io.openshift.tags="kics checkmarx"

docs/certifications-cis.md

@@ -7,13 +7,13 @@ CIS is an independent, nonprofit organization with a mission to create confidenc
 ## What are the CIS Benchmarks
 CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 100 CIS Benchmarks across 25+ vendor product families, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
 
-## KICS Awarded Certifications
-KICS (from the version 1.4.4 to the latest) has been awarded the following certifications:  
+## KICS Previously Awarded Certifications
+KICS has been awarded the following certifications:  
 
 - CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1  
 - CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 2  
 
-KICS (from the version 1.6.0 to the latest) has been awarded the following certifications:  
+KICS has been awarded the following certifications:  
 
 - CIS Kubernetes Benchmark v1.6.1, Level 1 - Master Node  
 - CIS Kubernetes Benchmark v1.6.1, Level 1 - Worker Node  
@@ -26,5 +26,4 @@ Most CIS Benchmarks include multiple configuration profiles. A profile definitio
 <br> The Level 2 profile is considered to be "defense in depth" and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.
 
 ## Additional Info
-- https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/
-- https://www.cisecurity.org/partner/checkmarx/
+- https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/

docs/certifications.md

@@ -2,7 +2,7 @@
 
 Here you can find the list of certifications which were awarded to KICS
 
-KICS Certifications
+KICS Previous Certifications
 
 - [CIS Amazon Web Services Foundations Benchmark - Level 1](certifications-cis.md)
 - [CIS Amazon Web Services Foundations Benchmark - Level 2](certifications-cis.md)

docs/changes1_7.md

@@ -0,0 +1,7 @@
+# Changes in v1.7.0
+
+---
+
+### Descriptions API
+
+From May 1st 2023, KICS Descriptions API will return an empty list.

docs/flags.md

@@ -41,7 +41,7 @@ Example of a valid `flags.json` file:
 To mark a flag as hidden use the following configuration:
 ```json
 {
-  "disable-cis-descriptions": {
+  "disable-full-descriptions": {
     "flagType": "bool",
     "shorthandFlag": "",
     "defaultValue": "false",
@@ -55,7 +55,7 @@ If you also want to display a flag deprecation warning you can define it like th
 
 ```json
 {
-  "disable-cis-descriptions": {
+  "disable-full-descriptions": {
     "flagType": "bool",
     "shorthandFlag": "",
     "defaultValue": "false",

docs/index.md

@@ -9,8 +9,8 @@
     </div>
     <div class="col-6 text-center">
         <br/><br/>
-        <h4>Version 1.6.14</h4>
-        <p style="font-size:8pt">2023.04.11<p>
+        <h4>Version 1.7.0</h4>
+        <p style="font-size:8pt">2023.05.03<p>
         <a class="btn btn-outline-success"  href="https://docs.kics.io/latest/CONTRIBUTING">Contribute!</a>
     </div>
 </div>