fix(query): fixed 59cb3da7-f206-4ae6-b827-7abf0a9cab9d and 2ade1579-…
…4b2c-4590-bebb-f99bf597f612 Checkmarx#4435
rafaela-soares authored Nov 2, 2021
1 parent 2f3c7c9 commit bfd4dac
Showing 20 changed files with 95 additions and 26 deletions.
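--- a/assets/libraries/azureresourcemanager.rego
+++ b/assets/libraries/azureresourcemanager.rego
@@ -2,16 +2,7 @@ package generic.azureresourcemanager
 
 # gets the network security group properties for two types of resource ('Microsoft.Network/networkSecurityGroups' and 'Microsoft.Network/networkSecurityGroups/securityRules')
 get_sg_info(value) = typeInfo {
-value.type == "Microsoft.Network/networkSecurityGroups"
-properties := value.properties.securityRules[x].properties
-typeInfo := {
-"type": value.type,
-"properties": properties,
-"path": "resources.type={{Microsoft.Network/networkSecurityGroups}}.properties.securityRules",
-"sl": ["properties", "securityRules", x, "properties"]
-}
-} else = typeInfo {
-value.type == "Microsoft.Network/networkSecurityGroups/securityRules"
+value.type == "Microsoft.Network/networkSecurityGroups/securityRules"
 typeInfo := {
 "type": value.type,
 "properties": value.properties,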
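Review bot: The header comment on get_sg_info still says it handles two resource types, 'Microsoft.Network/networkSecurityGroups' and 'Microsoft.Network/networkSecurityGroups/securityRules', but the hunk removes the first branch together with its `else`, so only the securityRules branch remains visible. Unless the rest of the function, which continues past the hunk, re-adds the parent type, the comment should be updated, e.g. `# gets the security rule properties for resources of type 'Microsoft.Network/networkSecurityGroups/securityRules'; rules nested under 'Microsoft.Network/networkSecurityGroups' are matched directly by the queries`. Because the helper now silently stops matching the parent type, any query that still relies on get_sg_info alone would lose coverage of inline securityRules without a test failing, so it is worth confirming that every caller of get_sg_info was given its own parent-type rule in this commit.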
Expand Up @@ -3,6 +3,30 @@ package Cx
import data.generic.azureresourcemanager as arm_lib
import data.generic.common as common_lib

CxPolicy[result] {
doc := input.document[i]
[path, value] = walk(doc)

value.type == "Microsoft.Network/networkSecurityGroups"

properties := value.properties.securityRules[x].properties

properties.access == "Allow"
properties.protocol == "Tcp"
properties.direction == "Inbound"
arm_lib.contains_port(properties, 3389)
arm_lib.source_address_prefix_is_open(properties)

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("%s.name={{%s}}.properties.securityRules", [common_lib.concat_path(path), value.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("resource with type '%s' restricts access to RDP", [value.type]),
"keyActualValue": sprintf("resource with type '%s' does not restrict access to RDP", [value.type]),
"searchLine": common_lib.build_search_line(path, ["properties", "securityRules", x, "properties"]),
}
}

CxPolicy[result] {
doc := input.document[i]
[path, value] = walk(doc)
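Review bot: The new rule's check `properties.protocol == "Tcp"` only matches rules whose protocol is literally `Tcp`, so an Allow rule with `"protocol": "*"` that opens port 3389 inbound from an open source prefix is not reported, even though `*` also permits TCP; the comparison is also case-sensitive, so a template spelling the value differently would slip past if the deployment engine accepts it. Unless arm_lib already normalizes protocol elsewhere, consider accepting both values, e.g. `properties.protocol == {"Tcp", "*"}[_]`. The same literal comparison appears in the second new rule of this commit, the SSH query whose body checks `arm_lib.contains_port(properties, 22)`. Both new rules duplicate the entire body apart from the port number and the message text; a shared arm_lib helper taking the port as a parameter would keep the two checks in step as further fixes land.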
Expand Up @@ -11,7 +11,7 @@
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -18,7 +18,7 @@
"type": "securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -13,7 +13,7 @@
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -20,7 +20,7 @@
"type": "securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -28,6 +28,21 @@
"direction": "Inbound"
},
"name": "security rule"
},
{
"id": "id2",
"properties": {
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 301,
"direction": "Inbound"
},
"name": "security rule2"
}
]
},
Expand Up @@ -3,6 +3,30 @@ package Cx
import data.generic.azureresourcemanager as arm_lib
import data.generic.common as common_lib

CxPolicy[result] {
doc := input.document[i]
[path, value] = walk(doc)

value.type == "Microsoft.Network/networkSecurityGroups"

properties := value.properties.securityRules[x].properties

properties.access == "Allow"
properties.protocol == "Tcp"
properties.direction == "Inbound"
arm_lib.contains_port(properties, 22)
arm_lib.source_address_prefix_is_open(properties)

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("%s.name={{%s}}.properties.securityRules", [common_lib.concat_path(path), value.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("resource with type '%s' restricts access to SSH", [value.type]),
"keyActualValue": sprintf("resource with type '%s' does not restrict access to SSH", [value.type]),
"searchLine": common_lib.build_search_line(path, ["properties", "securityRules", x, "properties"]),
}
}

CxPolicy[result] {
doc := input.document[i]
[path, value] = walk(doc)
Expand Up @@ -17,7 +17,7 @@
{
"id": "id",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
Expand Up @@ -11,7 +11,7 @@
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -18,7 +18,7 @@
"type": "securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -19,7 +19,7 @@
{
"id": "id",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
Expand Up @@ -13,7 +13,7 @@
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -20,7 +20,7 @@
"type": "securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -17,7 +17,7 @@
{
"id": "id",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
Expand All @@ -28,6 +28,21 @@
"direction": "Inbound"
},
"name": "security rule"
},
{
"id": "id2",
"properties": {
"description": "access to RDP",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 301,
"direction": "Inbound"
},
"name": "security rule2"
}
]
},
Expand Up @@ -11,7 +11,7 @@
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -18,7 +18,7 @@
"type": "securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -19,7 +19,7 @@
{
"id": "id",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
Expand Up @@ -13,7 +13,7 @@
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [
Expand Up @@ -20,7 +20,7 @@
"type": "securityRules",
"apiVersion": "2020-11-01",
"properties": {
"description": "access to RDP",
"description": "access to SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": [