Merge branch 'master' of https://github.com/Checkmarx/kics into kics/892

james-cht · Aug 7, 2023 · 0afd6b7 · 0afd6b7
2 parents c342dc8 + 39557dd
commit 0afd6b7
Show file tree

Hide file tree

Showing 9 changed files with 372 additions and 209 deletions.
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json b/assets/queries/pulumi/aws/docdb_logging_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "2ca87964-fe7e-4cdc-899c-427f0f3525f8",
+  "queryName": "DocDB Logging Is Disabled",
+  "severity": "LOW",
+  "category": "Observability",
+  "descriptionText": "DocDB logging should be enabled",
+  "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/docdb/cluster/#enabledcloudwatchlogsexports_yaml",
+  "platform": "Pulumi",
+  "descriptionID": "c5bd58cd",
+  "cloudProvider": "aws"
+}
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
@@ -0,0 +1,49 @@
+package Cx
+
+import data.generic.common as common_lib
+
+validTypes := {"profiler", "audit"}
+
+validTypeConcat := concat(", ", validTypes)
+
+CxPolicy[result] {
+	resource := input.document[i].resources[name]
+	resource.type == "aws:docdb:Cluster"
+	properties := resource.properties
+	not common_lib.valid_key(properties, "enabledCloudwatchLogsExports")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.type,
+		"resourceName": name,
+		"searchKey": sprintf("resources[%s].properties", [name]),
+		"searchLine": common_lib.build_search_line(["resources", name, "properties"],[]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined",
+		"keyActualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined",
+	}
+}
+
+
+CxPolicy[result] {
+	resource := input.document[i].resources[name]
+	resource.type == "aws:docdb:Cluster"
+	properties := resource.properties
+	logs := properties.enabledCloudwatchLogsExports
+
+	logsSet := {log | log := logs[_]}
+	missingTypes := validTypes - logsSet
+
+	count(missingTypes) > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.type,
+		"resourceName": name,
+		"searchKey": sprintf("resources[%s].properties.enabledCloudwatchLogsExports", [name]),
+		"searchLine": common_lib.build_search_line(["resources", name, "properties", "enabledCloudwatchLogsExports"],[]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: %s", [validTypeConcat]),
+		"keyActualValue": sprintf("aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: %s", [concat(", ", missingTypes)]),
+	}
+}
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/negative1.yaml b/assets/queries/pulumi/aws/docdb_logging_disabled/test/negative1.yaml
@@ -0,0 +1,20 @@
+name: my-pulumi-project
+runtime: nodejs
+
+config:
+  aws:region: us-east-1
+
+resources:
+  aws:docdb/cluster:
+    type: aws:docdb:Cluster
+    properties:
+      backupRetentionPeriod: 5
+      clusterIdentifier: my-docdb-cluster
+      engine: docdb
+      masterPassword: mustbeeightchars
+      masterUsername: foo
+      preferredBackupWindow: 07:00-09:00
+      skipFinalSnapshot: true
+      enabledCloudwatchLogsExports:
+        - audit
+        - profiler
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive1.yaml b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive1.yaml
@@ -0,0 +1,17 @@
+name: my-pulumi-project
+runtime: nodejs
+
+config:
+  aws:region: us-east-1
+
+resources:
+  aws:docdb/cluster:
+    type: aws:docdb:Cluster
+    properties:
+      backupRetentionPeriod: 5
+      clusterIdentifier: my-docdb-cluster
+      engine: docdb
+      masterPassword: mustbeeightchars
+      masterUsername: foo
+      preferredBackupWindow: 07:00-09:00
+      skipFinalSnapshot: true
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive2.yaml b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive2.yaml
@@ -0,0 +1,18 @@
+name: my-pulumi-project
+runtime: nodejs
+
+config:
+  aws:region: us-east-1
+
+resources:
+  aws:docdb/cluster:
+    type: aws:docdb:Cluster
+    properties:
+      backupRetentionPeriod: 5
+      clusterIdentifier: my-docdb-cluster
+      engine: docdb
+      masterPassword: mustbeeightchars
+      masterUsername: foo
+      preferredBackupWindow: 07:00-09:00
+      skipFinalSnapshot: true
+      enabledCloudwatchLogsExports: []
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive3.yaml b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive3.yaml
@@ -0,0 +1,19 @@
+name: my-pulumi-project
+runtime: nodejs
+
+config:
+  aws:region: us-east-1
+
+resources:
+  aws:docdb/cluster:
+    type: aws:docdb:Cluster
+    properties:
+      backupRetentionPeriod: 5
+      clusterIdentifier: my-docdb-cluster
+      engine: docdb
+      masterPassword: mustbeeightchars
+      masterUsername: foo
+      preferredBackupWindow: 07:00-09:00
+      skipFinalSnapshot: true
+      enabledCloudwatchLogsExports:
+        - audit
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json
@@ -0,0 +1,20 @@
+[
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 10,
+    "filename": "positive1.yaml"
+  },
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 18,
+    "filename": "positive2.yaml"
+  },
+  {
+    "queryName": "DocDB Logging Is Disabled",
+    "severity": "LOW",
+    "line": 18,
+    "filename": "positive3.yaml"
+  }
+]