feat: rewrite passwords and secrets query to use regex based strategy (…

…Checkmarx#4166)

Signed-off-by: Rogério Peixoto <[email protected]>
Co-authored-by: rafaela-soares <[email protected]>
Co-authored-by: João Reigota <[email protected]>

.gitignore

@@ -18,6 +18,7 @@ bin
 
 /.idea/
 /.vscode/
+file:/
 /resources
 /vendor
 /site

assets/assets.go

@@ -2,13 +2,17 @@ package assets
 
 import "embed" // used for embedding KICS libraries
 
-
 //go:embed libraries/*.rego
 var embeddedLibraries embed.FS
 
+//go:embed queries/common/passwords_and_secrets/metadata.json
+var SecretsQueryMetadataJSON string
+
+//go:embed queries/common/passwords_and_secrets/regex_rules.json
+var SecretsQueryRegexRulesJSON string
 
 // GetEmbeddedLibrary returns the embedded library.rego for the platform passed in the argument
-func GetEmbeddedLibrary(platform string) (string, error){
+func GetEmbeddedLibrary(platform string) (string, error) {
 	content, err := embeddedLibraries.ReadFile("libraries/" + platform + ".rego")
 
 	return string(content), err

assets/queries/common/passwords_and_secrets_in_infrastructure_code/metadata.json → assets/queries/common/passwords_and_secrets/metadata.json

@@ -1,6 +1,5 @@
 {
-  "id": "f996f3cb-00fc-480c-8973-8ab04d44a8cc",
-  "queryName": "Passwords And Secrets In Infrastructure Code",
+  "queryName": "Passwords And Secrets",
   "severity": "HIGH",
   "category": "Secret Management",
   "descriptionText": "Query to find passwords and secrets in infrastructure code.",

assets/queries/common/passwords_and_secrets/regex_rules.json

@@ -0,0 +1,269 @@
+{
+  "rules": [
+    {
+      "id": "487f4be7-3fd9-4506-a07a-eae252180c08",
+      "name": "Generic Password",
+      "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?",
+      "allowRules": [
+        {
+          "description": "Avoiding TF resource access",
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+        }
+      ]
+    },
+    {
+      "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
+      "name": "Generic Secret",
+      "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]{10,})['\"]?",
+      "entropies": [
+        {
+          "group": 3,
+          "min": 2.8,
+          "max": 8
+        }
+      ],
+      "allowRules": [
+        {
+          "description": "Avoiding Square OAuth Secret",
+          "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+        }
+      ]
+    },
+    {
+      "id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
+      "name": "Asymmetric private key",
+      "regex": "-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----(\\s*([A-Za-z0-9+\\/=\\n\\r]+))+-----END ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----",
+      "multiline": {
+        "detectLineGroup": 5
+      },
+      "entropies": [
+        {
+          "group": 5,
+          "min": 3.7,
+          "max": 12
+        }
+      ]
+    },
+    {
+      "id": "a007a85e-a2a7-4a81-803a-7a2ca0c65abb",
+      "name": "Putty Private Key",
+      "regex": "PuTTY-User-Key-File-2"
+    },
+    {
+      "id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae",
+      "name": "Password in URL",
+      "regex": "[a-zA-Z]{3,10}://[^/\\s:@]*?:[^/\\s:@]*?@[^/\\s:@]*"
+    },
+    {
+      "id": "76c0bcde-903d-456e-ac13-e58c34987852",
+      "name": "AWS Access Key",
+      "regex": "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
+    },
+    {
+      "id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
+      "name": "AWS Secret Key",
+      "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
+      "entropies": [
+        {
+          "group": 3,
+          "min": 4.8,
+          "max": 7
+        }
+      ]
+    },
+    {
+      "id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
+      "name": "K8s Environment Variable Password",
+      "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
+      "multiline": {
+        "detectLineGroup": 7
+      }
+    },
+    {
+      "id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
+      "name": "Google OAuth",
+      "regex": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com"
+    },
+    {
+      "id": "ccde326f-ebc7-4772-8ad5-de66e90a8cc3",
+      "name": "Slack Webhook",
+      "regex": "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}"
+    },
+    {
+      "id": "d6214dca-a31b-425f-bcf7-f4faa772a1c0",
+      "name": "MSTeams Webhook",
+      "regex": "https://team_name.webhook.office.com/webhook(b2)?/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}@[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/IncomingWebhook/[a-z0-9]+/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+    },
+    {
+      "id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
+      "name": "Slack Token",
+      "regex": "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})"
+    },
+    {
+      "id": "6abcae17-b175-4698-a9a5-b07661974749",
+      "name": "Stripe API Key",
+      "regex": "sk_live_[0-9a-zA-Z]{24}[^0-9a-zA-Z]"
+    },
+    {
+      "id": "0b1b2482-51e7-49d1-893d-522afa4a6bd0",
+      "name": "Square Access Token",
+      "regex": "sq0atp-[0-9A-Za-z\\-_]{22}"
+    },
+    {
+      "id": "6c54f9da-1a11-445a-8568-0d327e6af8be",
+      "name": "MailChimp API Key",
+      "regex": "[0-9a-f]{32}-us[0-9]{1,2}"
+    },
+    {
+      "id": "e9856348-4069-4ac0-bd91-415f6a7b84a4",
+      "name": "Google API Key",
+      "regex": "AIza[0-9A-Za-z\\-_]{35}"
+    },
+    {
+      "id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
+      "name": "Heroku API Key",
+      "regex": "(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b",
+      "multiline": {
+        "detectLineGroup": 3
+      }
+    },
+    {
+      "id": "bb51eb1e-0357-44a2-86d7-dd5350cffd43",
+      "name": "Square OAuth Secret",
+      "regex": "sq0csp-[0-9A-Za-z\\-_]{43}"
+    },
+    {
+      "id": "ac8c8075-6ec0-4367-9e26-30ec8161d258",
+      "name": "Amazon MWS Auth Token",
+      "regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+    },
+    {
+      "id": "41a1ca8d-f466-4084-a8c9-50f8b22200d5",
+      "name": "Google OAuth Access Token",
+      "regex": "ya29\\.[0-9A-Za-z\\-_]+"
+    },
+    {
+      "id": "4919b847-e3da-402a-acf8-6cea8e529993",
+      "name": "PayPal Braintree Access Token",
+      "regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}"
+    },
+    {
+      "id": "54274b18-bfac-47ce-afd1-0f05bc3e3b59",
+      "name": "Stripe Restricted API Key",
+      "regex": "rk_live_[0-9a-zA-Z]{24}"
+    },
+    {
+      "id": "5176e805-0cda-44fa-ac96-c092c646180a",
+      "name": "Facebook Access Token",
+      "regex": "EAACEdEose0cBA[0-9A-Za-z]+"
+    },
+    {
+      "id": "74736dd1-dd11-4139-beb6-41cd43a50317",
+      "name": "Generic API Key",
+      "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
+      "allowRules": [
+        {
+          "description": "Avoiding Twilio API Key",
+          "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
+        }
+      ]
+    },
+    {
+      "id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
+      "name": "Mailgun API Key",
+      "regex": "key-[0-9a-zA-Z]{32}"
+    },
+    {
+      "id": "50cc5f03-e686-4183-97e9-12f9b55d0f97",
+      "name": "Picatic API Key",
+      "regex": "sk_live_[0-9a-z]{32}"
+    },
+    {
+      "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+      "name": "Twilio API Key",
+      "regex": "SK[0-9a-fA-F]{32}"
+    },
+    {
+      "id": "2f665079-c383-4b33-896e-88268c1fa258",
+      "name": "Generic Private Key",
+      "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+    },
+    {
+      "id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
+      "name": "Generic Token",
+      "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+      "allowRules": [
+        {
+          "description": "Avoiding Amazon MWS Auth Token",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
+        },
+        {
+          "description": "Avoiding Slack Token",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+        },
+        {
+          "description": "Avoiding Square Access Token",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
+        },
+        {
+          "description": "Avoiding Google OAuth Access Token",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
+        },
+        {
+          "description": "Avoiding PayPal Braintree Access Token",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
+        },
+        {
+          "description": "Avoiding Facebook Access Token",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
+        },
+        {
+          "description": "Avoiding TF resource access",
+          "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+        },
+        {
+          "description": "Avoiding TF creation token",
+          "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+        }
+      ]
+    },
+    {
+      "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+      "name": "CloudFormation Secret Template",
+      "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}"
+    },
+    {
+      "id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
+      "name": "Encryption Key",
+      "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+      "allowRules": [
+        {
+          "description": "Avoiding TF resource access",
+          "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+        }
+      ]
+    }
+  ],
+  "allowRules": [
+    {
+      "description": "Avoiding TF variables",
+      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var.)['\"]?"
+    },
+    {
+      "description": "!Ref is a cloudFormation reference",
+      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
+    },
+    {
+      "description": "Avoiding cloudFormation intrinsic functions",
+      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|Fn::Transform(:)?)\\s+\\.*"
+    },
+    {
+      "description": "Avoiding CF resolve",
+      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
+    },
+    {
+      "description": "Avoiding Boolean's",
+      "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
+    }
+  ]
+}

assets/queries/common/passwords_and_secrets/test/negative10.tf

@@ -0,0 +1,30 @@
+resource "aws_db_instance" "default" {
+  name                   = var.dbname
+  engine                 = "mysql"
+  option_group_name      = aws_db_option_group.default.name
+  parameter_group_name   = aws_db_parameter_group.default.name
+  db_subnet_group_name   = aws_db_subnet_group.default.name
+  vpc_security_group_ids = ["${aws_security_group.default.id}"]
+  identifier              = "rds-${local.resource_prefix.value}"
+  engine_version          = "8.0" # Latest major version
+  instance_class          = "db.t3.micro"
+  allocated_storage       = "20"
+  username                = "admin"
+  password                = var.password
+  apply_immediately       = true
+  multi_az                = false
+  backup_retention_period = 0
+  storage_encrypted       = false
+  skip_final_snapshot     = true
+  monitoring_interval     = 0
+  publicly_accessible     = true
+  tags = {
+    Name        = "${local.resource_prefix.value}-rds"
+    Environment = local.resource_prefix.value
+  }
+
+  # Ignore password changes from tf plan diff
+  lifecycle {
+    ignore_changes = ["password"]
+  }
+}

assets/queries/common/passwords_and_secrets/test/negative18.tf

@@ -0,0 +1,11 @@
+resource "auth0_connection" "google_oauth2" {
+  name = "Google-OAuth2-Connection"
+  strategy = "google-oauth2"
+  options {
+    client_id     = var.google_client_id
+    client_secret = var.google_client_secret
+    allowed_audiences = [ "example.com", "api.example.com" ]
+    scopes = [ "email", "profile", "gmail", "youtube" ]
+    set_user_root_attributes = "on_each_login"
+  }
+}

assets/queries/common/passwords_and_secrets/test/negative19.tf

@@ -0,0 +1,3 @@
+provider "slack" {
+  token = var.slack_token
+}

assets/queries/common/passwords_and_secrets_in_infrastructure_code/test/negative2.yaml → assets/queries/common/passwords_and_secrets/test/negative2.yaml

@@ -3,6 +3,7 @@ Resources:
   RDSCluster:
     Type: "AWS::RDS::DBCluster"
     Properties:
+      MasterUserPassword: !Ref PasswordMaster
       DBClusterIdentifier: my-serverless-cluster
       Engine: aurora
       EngineVersion: 5.6.10a

assets/queries/common/passwords_and_secrets/test/negative20.tf

@@ -0,0 +1,3 @@
+provider "stripe" {
+  api_key = var.strip_api_key
+}