fix(query): adjusted severity rating and added searchLine in rbac_wil…
…dcard_in_rule k8s rule (Checkmarx#5264) * fix(query): adjusted severity rating and added searchLine in rbac_wildcard_in_rule k8s rule * updated severity to HIGH
Showing
3 changed files
with
38 additions
and
73 deletions.
@@ -1,60 +1,25 @@ | ||
package Cx | ||
|
||
import data.generic.k8s as k8s | ||
import data.generic.common as common_lib | ||
|
||
CxPolicy[result] { | ||
document := input.document[i] | ||
metadata := document.metadata | ||
kind := document.kind | ||
listKinds := ["Role", "ClusterRole"] | ||
k8s.checkKind(kind, listKinds) | ||
metadata.name | ||
notExpectedKey := "*" | ||
document.rules[r].apiGroups[j] == notExpectedKey | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]), | ||
"issueType": "IncorrectValue", | ||
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].apiGroups shouldn't contain value: '%s'", [metadata.name, r, notExpectedKey]), | ||
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].apiGroups contains value: '%s'", [metadata.name, r, notExpectedKey]), | ||
} | ||
} | ||
kinds := {"Role", "ClusterRole"} | ||
document.kind == kinds[_] | ||
|
||
CxPolicy[result] { | ||
document := input.document[i] | ||
metadata := document.metadata | ||
kind := document.kind | ||
listKinds := ["Role", "ClusterRole"] | ||
k8s.checkKind(kind, listKinds) | ||
metadata.name | ||
notExpectedKey := "*" | ||
document.rules[r].resources[j] == notExpectedKey | ||
attr := {"apiGroups", "resources", "verbs"} | ||
common_lib.valid_key(document.rules[j], attr[k]) | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]), | ||
"issueType": "IncorrectValue", | ||
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].resources shouldn't contain value: '%s'", [metadata.name, r, notExpectedKey]), | ||
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].resources contains value: '%s'", [metadata.name, r, notExpectedKey]), | ||
} | ||
} | ||
|
||
CxPolicy[result] { | ||
document := input.document[i] | ||
metadata := document.metadata | ||
kind := document.kind | ||
listKinds := ["Role", "ClusterRole"] | ||
k8s.checkKind(kind, listKinds) | ||
metadata.name | ||
notExpectedKey := "*" | ||
document.rules[r].verbs[j] == notExpectedKey | ||
document.rules[j][k][_] == "*" | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"documentId": document.id, | ||
"searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]), | ||
"issueType": "IncorrectValue", | ||
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].verbs shouldn't contain value: '%s'", [metadata.name, r, notExpectedKey]), | ||
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].verbs contains value: '%s'", [metadata.name, r, notExpectedKey]), | ||
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].%s should list the minimal set of needed objects or actions", [metadata.name, j, k]), | ||
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].%s uses wildcards to specify objects or actions", [metadata.name, j, k]), | ||
"searchLine": common_lib.build_search_line(["rules", j], [k]) | ||
} | ||
} |
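Review bot: After `k8s.checkKind(kind, listKinds)` is replaced by `document.kind == kinds[_]`, nothing on the new side references the `k8s` package any more, so `import data.generic.k8s as k8s` looks unused; this rendered diff has lost its +/- markers, so I cannot confirm whether that import line survived, but if it did, `opa check --strict` rejects unused imports and it should be dropped. The set iteration `attr[k]` binds `k` to the member value itself, which is the only reason `%s` in `keyExpectedValue` and `[k]` in `common_lib.build_search_line(["rules", j], [k])` work — a short comment such as `# k ranges over the set members, i.e. the field names` above `common_lib.valid_key(document.rules[j], attr[k])` would save the next reader the lookup. Note that `searchKey` still addresses the whole `.rules` list, so several results for one rule (one per wildcarded field, as the expected-result lines 18, 19 and 20 show) share a searchKey and are told apart only by `searchLine`; that is worth a comment so nobody later "fixes" the apparent duplicates.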
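--- a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json
+++ b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
-{
-"queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 6
-},
-{
-"queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 6
-},
 {
 "queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 17
+"severity": "HIGH",
+"line": 7
 },
 {
 "queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 17
+"severity": "HIGH",
+"line": 9
 },
-{
-"queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 17
-},
 {
 "queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 27
+"severity": "HIGH",
+"line": 18
 },
-{
-"queryName": "RBAC Wildcard In Rule",
-"severity": "LOW",
-"line": 27
-}
+{
+"queryName": "RBAC Wildcard In Rule",
+"severity": "HIGH",
+"line": 19
+},
+{
+"queryName": "RBAC Wildcard In Rule",
+"severity": "HIGH",
+"line": 20
+},
+{
+"queryName": "RBAC Wildcard In Rule",
+"severity": "HIGH",
+"line": 29
+},
+{
+"queryName": "RBAC Wildcard In Rule",
+"severity": "HIGH",
+"line": 31
+}
 ]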