Merge pull request Checkmarx#7223 from Checkmarx/AST-45014

fix(password): fix missing positive results from Password and Secrets query

assets/queries/common/passwords_and_secrets/test/negative14.tf

@@ -0,0 +1,85 @@
+resource "aws_ecs_task_definition" "webapp" {
+  family        = "tomato-webapp"
+  task_role_arn = data.aws_iam_role.ecs_task_role.arn
+
+  container_definitions = <<EOF
+[
+  {
+    "volumesFrom": [],
+    "extraHosts": null,
+    "dnsServers": null,
+    "disableNetworking": null,
+    "dnsSearchDomains": null,
+    "portMappings": [
+      {
+        "hostPort": 0,
+        "containerPort": 8000,
+        "protocol": "tcp"
+      }
+    ],
+    "hostname": null,
+    "essential": true,
+    "entryPoint": null,
+    "mountPoints": [],
+    "name": "tomato",
+    "ulimits": null,
+    "dockerSecurityOptions": null,
+    "environment": [
+      {
+        "name": "RDS_HOST",
+        "value": "${aws_db_instance.tomato.address}"
+      },
+      {
+        "name": "RDS_NAME",
+        "value": "${aws_db_instance.tomato.name}"
+      },
+      {
+        "name": "RDS_USER",
+        "value": "${aws_db_instance.tomato.username}"
+      },
+      {
+        "name": "RDS_PASSWORD",
+        "value": "${aws_db_instance.tomato.password}"
+      },
+      {
+        "name": "RDS_PORT",
+        "value": "${aws_db_instance.tomato.port}"
+      },
+      {
+        "name": "GOOGLE_MAPS_API_KEY",
+        "value": "${var.google_maps_api_key}"
+      },
+      {
+        "name": "SECRET_KEY",
+        "value": "${var.secret_key}"
+      }
+    ],
+    "workingDirectory": "/code",
+    "readonlyRootFilesystem": null,
+    "image": "${aws_ecr_repository.tomato.repository_url}:latest",
+    "command": [
+      "sh",
+      "-c",
+      "python3 manage.py initialize && uwsgi --ini /code/uwsgi.ini"
+    ],
+    "user": null,
+    "dockerLabels": null,
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${aws_cloudwatch_log_group.tomato_webapp.name}",
+        "awslogs-region": "us-east-1",
+        "awslogs-stream-prefix": "webapp"
+      }
+    },
+    "cpu": 700,
+    "privileged": null,
+    "memoryReservation": 512,
+    "linuxParameters": {
+      "initProcessEnabled": true
+    }
+  }
+]
+EOF
+
+}

assets/queries/common/passwords_and_secrets/test/negative15.tf

@@ -0,0 +1,4 @@
+provider "heroku" {
+  email   = "[email protected]"
+  api_key = var.heroku_api_key
+}

assets/queries/common/passwords_and_secrets/test/negative18.yaml

@@ -0,0 +1,12 @@
+Parameters:
+  PrivateKey1:
+    Type: String
+Resources:
+  PinpointApp:
+    Type: AWS::Pinpoint::App
+    Properties:
+      Name: foobar
+  PinpointAPNSChannel:
+    Type: AWS::Pinpoint::APNSChannel
+    Properties:
+      PrivateKey: !GetAtt PrivateKey1

assets/queries/common/passwords_and_secrets/test/negative21.tf

@@ -1,85 +1,3 @@
-resource "aws_ecs_task_definition" "webapp" {
-  family        = "tomato-webapp"
-  task_role_arn = data.aws_iam_role.ecs_task_role.arn
-
-  container_definitions = <<EOF
-[
-  {
-    "volumesFrom": [],
-    "extraHosts": null,
-    "dnsServers": null,
-    "disableNetworking": null,
-    "dnsSearchDomains": null,
-    "portMappings": [
-      {
-        "hostPort": 0,
-        "containerPort": 8000,
-        "protocol": "tcp"
-      }
-    ],
-    "hostname": null,
-    "essential": true,
-    "entryPoint": null,
-    "mountPoints": [],
-    "name": "tomato",
-    "ulimits": null,
-    "dockerSecurityOptions": null,
-    "environment": [
-      {
-        "name": "RDS_HOST",
-        "value": "${aws_db_instance.tomato.address}"
-      },
-      {
-        "name": "RDS_NAME",
-        "value": "${aws_db_instance.tomato.name}"
-      },
-      {
-        "name": "RDS_USER",
-        "value": "${aws_db_instance.tomato.username}"
-      },
-      {
-        "name": "RDS_PASSWORD",
-        "value": "${aws_db_instance.tomato.password}"
-      },
-      {
-        "name": "RDS_PORT",
-        "value": "${aws_db_instance.tomato.port}"
-      },
-      {
-        "name": "GOOGLE_MAPS_API_KEY",
-        "value": "${var.google_maps_api_key}"
-      },
-      {
-        "name": "SECRET_KEY",
-        "value": "${var.secret_key}"
-      }
-    ],
-    "workingDirectory": "/code",
-    "readonlyRootFilesystem": null,
-    "image": "${aws_ecr_repository.tomato.repository_url}:latest",
-    "command": [
-      "sh",
-      "-c",
-      "python3 manage.py initialize && uwsgi --ini /code/uwsgi.ini"
-    ],
-    "user": null,
-    "dockerLabels": null,
-    "logConfiguration": {
-      "logDriver": "awslogs",
-      "options": {
-        "awslogs-group": "${aws_cloudwatch_log_group.tomato_webapp.name}",
-        "awslogs-region": "us-east-1",
-        "awslogs-stream-prefix": "webapp"
-      }
-    },
-    "cpu": 700,
-    "privileged": null,
-    "memoryReservation": 512,
-    "linuxParameters": {
-      "initProcessEnabled": true
-    }
-  }
-]
-EOF
-
+provider "mailgun" {
+  api_key = "var.mailgun_api_key"
 }

assets/queries/common/passwords_and_secrets/test/negative22.tf

@@ -1,4 +1,3 @@
-provider "heroku" {
-  email   = "[email protected]"
-  api_key = var.heroku_api_key
+provider "stripe" {
+  api_key = var.strip_restricted_api_key
 }

assets/queries/common/passwords_and_secrets/test/negative23.yaml

@@ -0,0 +1,4 @@
+- hosts: all
+  remote_user: root
+  vars:
+    twilio_api_key: '{{ TWILIO_API_KEY }}'

assets/queries/common/passwords_and_secrets/test/negative24.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  remote_user: root
+  vars:
+    paypal_access_token: '{{ PAYPAL_ACCESS_TOKEN }}'
+

assets/queries/common/passwords_and_secrets/test/negative25.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: envar-demo
+  labels:
+    purpose: demonstrate-envars
+spec:
+  containers:
+  - name: envar-demo-container
+    image: gcr.io/google-samples/node-hello:1.0

assets/queries/common/passwords_and_secrets/test/negative26.yaml

@@ -1,12 +1,19 @@
-Parameters:
-  PrivateKey1:
-    Type: String
-Resources:
-  PinpointApp:
-    Type: AWS::Pinpoint::App
-    Properties:
-      Name: foobar
-  PinpointAPNSChannel:
-    Type: AWS::Pinpoint::APNSChannel
-    Properties:
-      PrivateKey: !GetAtt PrivateKey1
+apiVersion: v1
+kind: Config
+users:
+- name: cluster-admin
+  user:
+    auth-provider:
+      config: {}
+      name: gcp
+- name: google-oauth-access-token
+  user:
+    auth-provider:
+      config:
+        access-token: '{.credential.oauth_access_token_}'
+        cmd-args: config config-helper --format=json
+        cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
+        expiry: 2021-10-28T15:12:03.000Z
+        expiry-key: '{.credential.token_expiry}'
+        token-key: '{.credential.access_token}'
+      name: gcp

assets/queries/common/passwords_and_secrets/test/negative29.yaml

@@ -0,0 +1,51 @@
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+  build-deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+
+    runs-on: ubuntu
+
+    steps:
+      - uses: actions/checkout@v4
+
+---
+
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+  build-deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: read
+
+    runs-on: ubuntu
+
+    steps:
+      - uses: actions/checkout@v4
+
+---
+
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+  build-deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: none
+
+    runs-on: ubuntu
+
+    steps:
+      - uses: actions/checkout@v4

assets/queries/common/passwords_and_secrets/test/negative30.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: security-context-demo
+spec:
+  automountServiceAccountToken: false
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+  volumes:
+    - name: sec-ctx-vol
+      emptyDir: { }
+  containers:
+    - name: sec-ctx-demo
+      image: busybox
+      command: [ "sh", "-c", "sleep 1h" ]
+      volumeMounts:
+        - name: sec-ctx-vol
+          mountPath: /data/demo
+      securityContext:
+        allowPrivilegeEscalation: false

assets/queries/common/passwords_and_secrets/test/negative31.yaml

@@ -1,4 +1,36 @@
-- hosts: all
-  remote_user: root
-  vars:
-    twilio_api_key: '{{ TWILIO_API_KEY }}'
+- name: 'aws_codebuild integration tests'
+  collections:
+    - amazon.aws
+  module_defaults:
+    group/aws:
+      aws_access_key: '{{ aws_access_key }}'
+      aws_secret_key: '{{ aws_secret_key }}'
+      security_token: '{{ security_token | default(omit) }}'
+      region: '{{ aws_region }}'
+  block:
+    - name: idempotence check rerunning same Codebuild task
+      aws_codebuild:
+        name: "{{ resource_prefix }}-test-ansible-codebuild"
+        description: Build project for testing the Ansible aws_codebuild module
+        service_role: "{{ codebuild_iam_role.iam_role.arn }}"
+        timeout_in_minutes: 30
+        source:
+          type: CODEPIPELINE
+          buildspec: ''
+        artifacts:
+          namespace_type: NONE
+          packaging: NONE
+          type: CODEPIPELINE
+          name: test
+        encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3'
+        environment:
+          compute_type: BUILD_GENERAL1_SMALL
+          privileged_mode: true
+          image: 'aws/codebuild/docker:17.09.0'
+          type: LINUX_CONTAINER
+          environment_variables:
+            - { name: 'FOO_ENV', value: 'other' }
+        tags:
+          - { key: 'purpose', value: 'ansible-test' }
+        state: present
+      register: rerun_test_output

assets/queries/common/passwords_and_secrets/test/negative32.yaml

@@ -1,5 +1,5 @@
-- hosts: all
-  remote_user: root
-  vars:
-    paypal_access_token: '{{ PAYPAL_ACCESS_TOKEN }}'
-
+Conditions:
+  HasKmsKey: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
+  HasSecretName: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
+  HasPassword: !Not [!Equals [!Ref DBPassword, '']]
+Resources: