Unifiying queries names categories, and severities & fixing typos (Ch…
Ruben-Silva authored Apr 1, 2021
1 parent 4e4ca36 commit 07b528d
Showing 154 changed files with 370 additions and 370 deletions.
@@ -1,9 +1,9 @@
{
"id": "4b6012e7-7176-46e4-8108-e441785eae57",
"queryName": "EBS Volume Encryption Disabled",
"severity": "HIGH",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "EBS Encryption should be enabled",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
"platform": "Ansible"
}
}
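Review bot: Unencrypted EBS volumes end up rated below the other at-rest encryption checks touched by this commit, assuming the second printed `severity` value (`MEDIUM`) is the new one: `EFS Without KMS` and `Kinesis Not Encrypted With KMS` both keep `"severity": "HIGH"`. For a change that unifies severities, either keep `"severity": "HIGH"` here or record the reason for the difference in the commit description. Anyone who gates a pipeline on HIGH findings will stop failing on this rule after the change, so the downgrade deserves an explicit mention. The expected-results file that follows mirrors the same value and needs no separate comment.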
@@ -1,22 +1,22 @@
[
{
"queryName": "EBS Volume Encryption Disabled",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 5
},
{
"queryName": "EBS Volume Encryption Disabled",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 12
},
{
"queryName": "EBS Volume Encryption Disabled",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 19
},
{
"queryName": "EBS Volume Encryption Disabled",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 24
}
]
@@ -2,7 +2,7 @@
"id": "01aec7c2-3e4d-4274-ae47-2b8fea22fd1f",
"queryName": "ECS Task Definition Network Mode Not Recommended",
"severity": "HIGH",
"category": "Access Control",
"category": "Insecure Configurations",
"descriptionText": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode",
"platform": "Ansible"
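Review bot: `"severity": "HIGH"` is left untouched on a rule whose own name calls the setting "Not Recommended", while the same commit appears to rate missing EBS encryption as `MEDIUM`; a severity-unification pass should either justify HIGH here or lower it. The `descriptionText` also has a grammar slip and reads more clearly as `AWS VPCs provide the controls to facilitate ...`. The hunk starts at line 2 of the file, so the opening and closing of the object are outside it.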
14 changes: 7 additions & 7 deletions assets/queries/ansible/aws/efs_without_kms/metadata.json
@@ -1,9 +1,9 @@
{
"id": "bd77554e-f138-40c5-91b2-2a09f878608e",
"queryName": "EFS Without KMS",
"severity": "HIGH",
"category": "Secret Management",
"descriptionText": "Elastic File System (EFS) must have KMS Key ID",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
"platform": "Ansible"
"id": "bd77554e-f138-40c5-91b2-2a09f878608e",
"queryName": "EFS Without KMS",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "Elastic File System (EFS) must have KMS Key ID",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
"platform": "Ansible"
}
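Review bot: All seven properties are rewritten (`7 additions & 7 deletions`) although only `category` differs between the two printed copies, which suggests an indentation change riding along with the metadata fix. Whitespace-only churn hides the one meaningful edit (`"Secret Management"` versus `"Encryption"`) from anyone auditing rule changes; keep the reformatting in a separate commit, or name it in the commit description. The `descriptionText` `must have KMS Key ID` would also be clearer if it said what is at risk, namely that the file system's data is not encrypted with a KMS key.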
@@ -1,9 +1,9 @@
{
"id": "e401d614-8026-4f4b-9af9-75d1197461ba",
"queryName": "IAM Policies With Full Privileges",
"severity": "MEDIUM",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
"platform": "Ansible"
}
}
@@ -1,7 +1,7 @@
[
{
"queryName": "IAM Policies With Full Privileges",
"severity": "MEDIUM",
"severity": "HIGH",
"line": 8
}
]
]
@@ -2,7 +2,7 @@
"id": "f2ea6481-1d31-4d40-946a-520dc6321dd7",
"queryName": "Kinesis Not Encrypted With KMS",
"severity": "HIGH",
"category": "Secret Management",
"category": "Encryption",
"descriptionText": "AWS Kinesis Streams and metadata should be protected with KMS",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html",
"platform": "Ansible"
@@ -2,8 +2,8 @@
"id": "5b9d237a-57d5-4177-be0e-71434b0fef47",
"queryName": "KMS Key With Vulnerable Policy",
"severity": "HIGH",
"category": "Networking and Firewall",
"category": "Insecure Configurations",
"descriptionText": "Checks if the policy is vulnerable and needs updating.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html",
"platform": "Ansible"
}
}
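Review bot: The `descriptionText` `Checks if the policy is vulnerable and needs updating.` describes what the query does instead of the risk, so someone reading the finding cannot tell what makes a key policy vulnerable or what to change. Since the commit already edits this object, replace it with the condition the query matches, along the lines of `"descriptionText": "<condition the query flags, e.g. which principals or actions the key policy must not allow>"`; the exact wording has to come from the query, which is not visible here. The CloudFormation entry with the same `queryName` further down carries the same text without the trailing period, and the two should end up identical.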

This file was deleted.

@@ -1,6 +1,6 @@
{
"id": "7529b8d2-55d7-44d2-b1cd-d7d2984a2a81",
"queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
"queryName": "S3 Bucket Allows WriteACP Action From All Principals",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.",
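Review bot: The `queryName` spells the permission `WriteACP` while the `descriptionText` on the last visible line spells it `Write_ACP`, and the description argues from data leakage without stating that this permission lets the grantee change the bucket's access control. Align the spelling and state the consequence directly, e.g. `... must not allow the Write_ACP action from all principals, because it lets anyone change who can read or write the bucket ...`. The `id` is unchanged while the name narrows from read/write ACLs to a single action, so, if the second printed name is the new one, existing exclusions or reports keyed on that id now refer to a different check; that belongs in the commit description. The object continues past the end of this hunk.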
@@ -0,0 +1,7 @@
[
{
"queryName": "S3 Bucket Allows WriteACP Action From All Principals",
"severity": "HIGH",
"line": 8
}
]
@@ -1,9 +1,9 @@
{
"id": "9232306a-f839-40aa-b3ef-b352001da9a5",
"queryName": "S3 Bucket Without Versioning",
"severity": "HIGH",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "S3 bucket without versioning",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning",
"platform": "Ansible"
}
}
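Review bot: `"category": "Observability"` is kept for a rule about object versioning, which is a recovery control and not logging or monitoring; in a commit that unifies categories this one looks mis-filed. If the category set has a backup or availability entry, use it here, otherwise say why Observability was chosen. The `descriptionText` `S3 bucket without versioning` only repeats the name; one sentence on why versioning matters (recovering overwritten or deleted objects) would make the finding actionable.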
@@ -1,12 +1,12 @@
[
{
"queryName": "S3 Bucket Without Versioning",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 3
},
{
"queryName": "S3 Bucket Without Versioning",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 15
}
]
]
@@ -2,8 +2,8 @@
"id": "b176e927-bbe2-44a6-a9c3-041417137e5f",
"queryName": "AD Admin Not Configured For SQL Server",
"severity": "HIGH",
"category": "Access Control",
"category": "Insecure Configurations",
"descriptionText": "The Active Directory Administrator is not configured for a SQL server",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user",
"platform": "Ansible"
}
}

This file was deleted.

This file was deleted.

@@ -2,8 +2,8 @@
"id": "69f72007-502e-457b-bd2d-5012e31ac049",
"queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache",
"severity": "MEDIUM",
"category": "Access Control",
"category": "Networking and Firewall",
"descriptionText": "Check if any firewall rule allows too many hosts to access Redis Cache.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html",
"platform": "Ansible"
}
}

This file was deleted.

This file was deleted.

@@ -0,0 +1,9 @@
{
"id": "054d07b5-941b-4c28-8eef-18989dc62323",
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
"platform": "Ansible"
}
@@ -0,0 +1,32 @@
[
{
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"line": 7
},
{
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"line": 13
},
{
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"line": 19
},
{
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"line": 25
},
{
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"line": 31
},
{
"queryName": "PostgreSQL Log Disconnections Not Set",
"severity": "MEDIUM",
"line": 37
}
]
@@ -2,8 +2,8 @@
"id": "0d0c12b9-edce-4510-9065-13f6a758750c",
"queryName": "Redis Entirely Accessible",
"severity": "HIGH",
"category": "Access Control",
"category": "Networking and Firewall",
"descriptionText": "Firewall rule allowing unrestricted access to Redis from the Internet",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address",
"platform": "Ansible"
}
}
@@ -0,0 +1,9 @@
{
"id": "4d3817db-dd35-4de4-a80d-3867157e7f7f",
"queryName": "Storage Container Is Publicly Accessible",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access",
"platform": "Ansible"
}
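Review bot: Public exposure is filed under three different categories in this commit: this new rule uses `"category": "Access Control"`, `Redshift Publicly Accessible` uses `Insecure Configurations`, and `Redis Entirely Accessible` is moved to `Networking and Firewall` (assuming the second printed value there is the new one). Pick one rule of thumb for "resource reachable by anyone" and apply it to all three, or note the distinction in the commit description. The `descriptionText` also needs subject-verb agreement: `... public read access to a container and its blobs is enabled in Azure Blob Storage`.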
@@ -0,0 +1,12 @@
[
{
"queryName": "Storage Container Is Publicly Accessible",
"severity": "HIGH",
"line": 9
},
{
"queryName": "Storage Container Is Publicly Accessible",
"severity": "HIGH",
"line": 17
}
]
@@ -2,7 +2,7 @@
"id": "da905474-7454-43c0-b8d2-5756ab951aba",
"queryName": "KMS Key With Vulnerable Policy",
"severity": "HIGH",
"category": "Networking and Firewall",
"category": "Insecure Configurations",
"descriptionText": "Checks if the policy is vulnerable and needs updating",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy",
"platform": "CloudFormation"
@@ -1,9 +1,9 @@
{
"id": "bdf8dcb4-75df-4370-92c4-606e4ae6c4d3",
"queryName": "Redshift Publicly Accessible",
"severity": "MEDIUM",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html",
"platform": "CloudFormation"
}
}
@@ -1,26 +1,26 @@
[
{
"queryName": "Redshift Publicly Accessible",
"severity": "MEDIUM",
"severity": "HIGH",
"line": 4,
"fileName": "positive1.yaml"
},
{
"queryName": "Redshift Publicly Accessible",
"severity": "MEDIUM",
"severity": "HIGH",
"line": 17,
"fileName": "positive1.yaml"
},
{
"queryName": "Redshift Publicly Accessible",
"severity": "MEDIUM",
"severity": "HIGH",
"line": 5,
"fileName": "positive2.json"
},
{
"queryName": "Redshift Publicly Accessible",
"severity": "MEDIUM",
"severity": "HIGH",
"line": 30,
"fileName": "positive2.json"
}
]
]