Merge branch 'master' of https://github.com/Checkmarx/kics into master

assets/queries/ansible/aws/allUsers_gets_read_access/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "ansible_allUsers_group_gets_read_access",
+  "queryName": "All Users Group Gets Read Access",
+  "severity": "HIGH",
+  "category": "Identity and Access Management",
+  "descriptionText": "It's not recommended to allow read access for all user groups.",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission"
+}

assets/queries/ansible/aws/allUsers_gets_read_access/query.rego

@@ -0,0 +1,31 @@
+package Cx
+
+CxPolicy [ result ] {
+  document := input.document[i]
+  tasks := getTasks(document)
+  task := tasks[t]
+  s3 := task["amazon.aws.aws_s3"]
+  s3Name := task.name
+
+  hasPublicReadPermission(s3.permission)
+
+  result := {
+                "documentId":       input.document[i].id,
+                "searchKey":        sprintf("name={{%s}}.{{amazon.aws.aws_s3}}.permission", [s3Name]),
+                "issueType":        "WrongValue",
+                "keyExpectedValue": "amazon.aws.aws_s3 should not have read access for all user groups",
+                "keyActualValue":   "amazon.aws.aws_s3 has read access for all user groups"
+              }
+}
+
+hasPublicReadPermission(value){
+	startswith(value, "public-read")
+}
+
+getTasks(document) = result {
+    result := [body | playbook := document.playbooks[0]; body := playbook.tasks]
+    count(result) != 0
+} else = result {
+    result := [body | playbook := document.playbooks[_]; body := playbook ]
+    count(result) != 0
+}

assets/queries/ansible/aws/allUsers_gets_read_access/test/negative.yaml

@@ -0,0 +1,10 @@
+---
+- name: Create an empty bucket
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create
+    permission: private
+- name: Create an empty bucket2
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create

assets/queries/ansible/aws/allUsers_gets_read_access/test/positive.yaml

@@ -0,0 +1,11 @@
+---
+- name: Create an empty bucket
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create
+    permission: public-read
+- name: Create an empty bucket2
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create
+    permission: public-read-write

assets/queries/ansible/aws/allUsers_gets_read_access/test/positive_expected_result.json

@@ -0,0 +1,12 @@
+[
+	{
+		"queryName": "All Users Group Gets Read Access",
+		"severity": "HIGH",
+		"line": 6
+	},
+	{
+		"queryName": "All Users Group Gets Read Access",
+		"severity": "HIGH",
+		"line": 11
+	}
+]

assets/queries/ansible/aws/all_Auth_Users_get_read_access/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "ansible_all_Auth_Users_get_read_access",
+  "queryName": "All Auth Users Get Read Access",
+  "severity": "HIGH",
+  "category": "Identity and Access Management",
+  "descriptionText": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission"
+}

assets/queries/ansible/aws/all_Auth_Users_get_read_access/query.rego

@@ -0,0 +1,27 @@
+package Cx
+
+CxPolicy [ result ] {
+  document := input.document[i]
+  tasks := getTasks(document)
+  task := tasks[t]
+  s3 := task["amazon.aws.aws_s3"]
+  s3Name := task.name
+
+  s3.permission == "authenticated-read"
+
+  result := {
+                "documentId":       input.document[i].id,
+                "searchKey":        sprintf("name={{%s}}.{{amazon.aws.aws_s3}}.permission", [s3Name]),
+                "issueType":        "WrongValue",
+                "keyExpectedValue": "amazon.aws.aws_s3 should not have read access for all authenticated users",
+                "keyActualValue":   "amazon.aws.aws_s3 has read access for all authenticated users"
+              }
+}
+
+getTasks(document) = result {
+    result := [body | playbook := document.playbooks[0]; body := playbook.tasks]
+    count(result) != 0
+} else = result {
+    result := [body | playbook := document.playbooks[_]; body := playbook ]
+    count(result) != 0
+}

assets/queries/ansible/aws/all_Auth_Users_get_read_access/test/negative.yaml

@@ -0,0 +1,10 @@
+---
+- name: Create an empty bucket
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create
+- name: Create an empty bucket2
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create
+    permission: private

assets/queries/ansible/aws/all_Auth_Users_get_read_access/test/positive.yaml

@@ -0,0 +1,6 @@
+---
+- name: Create an empty bucket2
+  amazon.aws.aws_s3:
+    bucket: mybucket
+    mode: create
+    permission: authenticated-read

assets/queries/ansible/aws/all_Auth_Users_get_read_access/test/positive_expected_result.json

@@ -0,0 +1,7 @@
+[
+	{
+		"queryName": "All Auth Users Get Read Access",
+		"severity": "HIGH",
+		"line": 6
+	}
+]

assets/queries/ansible/aws/default_security_group_does_not_restrict_all_traffic/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "ansible_default_security_group_does_not_restrict_all_traffic",
+  "queryName": "Default Security Group Does Not Restrict All Traffic",
+  "severity": "HIGH",
+  "category": "Network Ports Security",
+  "descriptionText": "Check if default security group does not restrict all inbound and outbound traffic.",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html"
+}

assets/queries/ansible/aws/default_security_group_does_not_restrict_all_traffic/query.rego

@@ -0,0 +1,59 @@
+package Cx
+
+CxPolicy [ result ] {
+  document := input.document[i]
+  tasks := getTasks(document)
+  task := tasks[t]
+  group := task["amazon.aws.ec2_group"]
+  groupName := task.name
+  searchKey := getCidrBlock(group)
+
+  splitted := regex.split("{{|}}", searchKey)
+  errorPath := substring(splitted[0], 0, count(splitted[0])-1)
+  errorValue := splitted[1]
+
+  result := {
+                "documentId":       input.document[i].id,
+                "searchKey":        sprintf("name={{%s}}.{{amazon.aws.ec2_group}}.%s", [groupName, searchKey]),
+                "issueType":        "WrongValue",
+                "keyExpectedValue": sprintf("amazon.aws.ec2_group.%s should not contain the value '%s'", [errorPath, errorValue]),
+                "keyActualValue":   sprintf("amazon.aws.ec2_group.%s contains value '%s'", [errorPath, errorValue])
+              }
+}
+
+getTasks(document) = result {
+    result := [body | playbook := document.playbooks[0]; body := playbook.tasks]
+    count(result) != 0
+} else = result {
+    result := [body | playbook := document.playbooks[_]; body := playbook ]
+    count(result) != 0
+}
+
+getCidrBlock(sg) = path {
+    isUnsafeIp(sg.rules[r].cidr_ip)
+    path:="rules.cidr_ip={{0.0.0.0/0}}"
+} else = path {
+	isUnsafeIp(sg.rules[r].cidr_ip[c])
+    path:="rules.cidr_ip.{{0.0.0.0/0}}"
+} else = path {
+    isUnsafeIp(sg.rules_egress[r].cidr_ip)
+    path:="rules_egress.cidr_ip={{0.0.0.0/0}}"
+} else = path {
+	isUnsafeIp(sg.rules_egress[r].cidr_ip[c])
+    path:="rules_egress.cidr_ip.{{0.0.0.0/0}}"
+} else = path {
+    isUnsafeIpv6(sg.rules[r].cidr_ipv6)
+    path:="rules.cidr_ipv6={{::/0}}"
+} else = path {
+	isUnsafeIpv6(sg.rules[r].cidr_ipv6[c])
+    path:="rules.cidr_ipv6.{{::/0}}"
+} else = path {
+    isUnsafeIpv6(sg.rules_egress[r].cidr_ipv6)
+    path:="rules_egress.cidr_ipv6={{::/0}}"
+} else = path {
+	isUnsafeIpv6(sg.rules_egress[r].cidr_ipv6[c])
+    path:="rules_egress.cidr_ipv6.{{::/0}}"
+}
+
+isUnsafeIp("0.0.0.0/0")
+isUnsafeIpv6("::/0")

assets/queries/ansible/aws/default_security_group_does_not_restrict_all_traffic/test/negative.yaml

@@ -0,0 +1,27 @@
+
+---
+- name: example ec2 group
+  amazon.aws.ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules:
+      - proto: all
+        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
+        # traffic on all ports is allowed, regardless of any ports you specify
+        from_port: 10050 # this value is ignored
+        to_port: 10050 # this value is ignored
+        cidr_ip: 10.1.0.0/16
+        cidr_ipv6: 64:ff9b::/96
+    rules_egress:
+      - proto: tcp
+        from_port: 80
+        to_port: 80
+        cidr_ip: 10.1.0.0/16
+        cidr_ipv6: 64:ff9b::/96
+        group_name: example-other
+        # description to use if example-other needs to be created
+        group_desc: other example EC2 group

assets/queries/ansible/aws/default_security_group_does_not_restrict_all_traffic/test/positive.yaml

@@ -0,0 +1,86 @@
+---
+- name: example ec2 group
+  amazon.aws.ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules:
+      - proto: all
+        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
+        # traffic on all ports is allowed, regardless of any ports you specify
+        from_port: 10050 # this value is ignored
+        to_port: 10050 # this value is ignored
+        cidr_ip:
+          - 0.0.0.0/0
+- name: example2 ec2 group
+  amazon.aws.ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules_egress:
+      - proto: tcp
+        from_port: 80
+        to_port: 80
+        cidr_ip: 0.0.0.0/0
+        group_name: example-other
+        # description to use if example-other needs to be created
+        group_desc: other example EC2 group
+- name: example3 ec2 group
+  amazon.aws.ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules:
+      - proto: all
+        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
+        # traffic on all ports is allowed, regardless of any ports you specify
+        from_port: 10050 # this value is ignored
+        to_port: 10050 # this value is ignored
+        cidr_ipv6: ::/0
+- name: example4 ec2 group
+  amazon.aws.ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules_egress:
+      - proto: tcp
+        from_port: 80
+        to_port: 80
+        cidr_ipv6: ::/0
+        group_name: example-other
+        # description to use if example-other needs to be created
+        group_desc: other example EC2 group
+- name: example5 ec2 group
+  amazon.aws.ec2_group:
+    name: example
+    description: an example EC2 group
+    vpc_id: 12345
+    region: eu-west-1
+    aws_secret_key: SECRET
+    aws_access_key: ACCESS
+    rules:
+      # 'ports' rule keyword was introduced in version 2.4. It accepts a single port value or a list of values including ranges (from_port-to_port).
+      - proto: tcp
+        ports: 22
+        group_name: example-vpn
+    rules_egress:
+      - proto: tcp
+        from_port: 80
+        to_port: 80
+        cidr_ipv6:
+          - ::/0
+        group_name: example-other
+        # description to use if example-other needs to be created
+        group_desc: other example EC2 group

assets/queries/ansible/aws/default_security_group_does_not_restrict_all_traffic/test/positive_expected_result.json

@@ -0,0 +1,27 @@
+[
+	{
+		"queryName": "Default Security Group Does Not Restrict All Traffic",
+		"severity": "HIGH",
+		"line": 17
+	},
+	{
+		"queryName": "Default Security Group Does Not Restrict All Traffic",
+		"severity": "HIGH",
+		"line": 30
+	},
+	{
+		"queryName": "Default Security Group Does Not Restrict All Traffic",
+		"severity": "HIGH",
+		"line": 48
+	},
+	{
+		"queryName": "Default Security Group Does Not Restrict All Traffic",
+		"severity": "HIGH",
+		"line": 61
+	},
+	{
+		"queryName": "Default Security Group Does Not Restrict All Traffic",
+		"severity": "HIGH",
+		"line": 83
+	}
+]

assets/queries/ansible/aws/elasticsearch_encryption_at_rest_enabled/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "ElasticSearch_Not_Encrypted_At_Rest",
+  "queryName": "ElasticSearch Not Encrypted At Rest",
+  "severity": "MEDIUM",
+  "category": "Encryption and Key Management",
+  "descriptionText": "Check if ElasticSearch encryption is disabled at Rest",
+  "descriptionUrl": "https://galaxy.ansible.com/fiunchinho/aws-elasticsearch-module"
+}