Feat(Query): Container Traffic Not Bound to Host Interface (Checkmarx…

…#5140) * no * query container traffic not bound to host * Changed as requested. * Removed debug * validated samples
jaevans · Apr 12, 2022 · ccee139 · ccee139
1 parent 925213c
commit ccee139
Show file tree

Hide file tree

Showing 12 changed files with 209 additions and 0 deletions.
diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/metadata.json
@@ -0,0 +1,10 @@
+{
+  "id": "451d79dc-0588-476a-ad03-3c7f0320abb3",
+  "queryName": "Container Traffic Not Bound To Host Interface",
+  "severity": "MEDIUM",
+  "category": "Networking and Firewall",
+  "descriptionText": "Incoming container traffic should be bound to a specific host interface",
+  "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#ports",
+  "platform": "DockerCompose",
+  "descriptionID": "909d1bcd"
+}
diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/query.rego b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/query.rego
@@ -0,0 +1,30 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+	resource := input.document[i]
+	service_parameters := resource.services[name]
+    ports := service_parameters.ports
+    port := ports[v]
+    check_ports(port)
+
+	result := {
+		"documentId": sprintf("%s", [resource.id]),
+		"searchKey": sprintf("services.%s.ports",[name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.",
+		"keyActualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface",
+        "searchLine": common_lib.build_search_line(["services", name, "ports"], []),
+	}
+}
+
+check_ports(port)
+{
+	published := port.published
+    not contains(published,".")
+}else{
+	not common_lib.valid_key(port, "published")
+	not contains(port,".")
+}
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative1.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative1.yaml
@@ -0,0 +1,15 @@
+version: '2.1'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - "127.0.0.1:8000:8001"
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative2.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative2.yaml
@@ -0,0 +1,16 @@
+version: '2.1'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - "127.0.0.1:5000-5010:5000-5010"
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
+
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative3.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative3.yaml
@@ -0,0 +1,15 @@
+version: '2.1'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      -  "127.0.0.1::5000"
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative4.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative4.yaml
@@ -0,0 +1,18 @@
+version: '3.2'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - target: 8000
+        published: 127.0.0.1:8080
+        protocol: tcp
+        mode: host
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative5.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative5.yaml
@@ -0,0 +1,18 @@
+version: '3.2'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - target: 8000
+        published: 127.0.0.1:8080-8090
+        protocol: tcp
+        mode: host
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative6.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/negative6.yaml
@@ -0,0 +1,18 @@
+version: '3.2'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - target: 8000
+        published: 127.0.0.1
+        protocol: tcp
+        mode: host
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive1.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive1.yaml
@@ -0,0 +1,16 @@
+version: '2.1'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - "7000:8000"
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
+
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive2.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive2.yaml
@@ -0,0 +1,15 @@
+version: '2.1'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - "12400-12500:1240"
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive3.yaml b/...s/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive3.yaml
@@ -0,0 +1,18 @@
+version: '3.2'
+
+services:
+  webapp:
+    container_name: webapp
+    build: ./
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=http://0.0.0.0:80
+      - TradeUrl=http://trading.api
+    ports:
+      - target: 8000
+        published: 8080
+        protocol: tcp
+        mode: host
+    cap_drop:
+      - NET_BIND_SERVICE
+    network_mode: "LDC"
diff --git a/...rCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json b/...rCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json
@@ -0,0 +1,20 @@
+[
+  {
+    "queryName": "Container Traffic Not Bound To Host Interface",
+    "severity": "MEDIUM",
+    "line": 11,
+    "filename": "positive1.yaml"
+  },
+  {
+    "queryName": "Container Traffic Not Bound To Host Interface",
+    "severity": "MEDIUM",
+    "line": 11,
+    "filename": "positive2.yaml"
+  },
+  {
+    "queryName": "Container Traffic Not Bound To Host Interface",
+    "severity": "MEDIUM",
+    "line": 11,
+    "filename": "positive3.yaml"
+  }
+]