feat: migrated existed inspection rule tests

secure-sdl · Sep 8, 2020 · d687807 · d687807
1 parent 5cf29f0
commit d687807
Show file tree

Hide file tree

Showing 36 changed files with 2,314 additions and 25 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -35,6 +35,7 @@ FROM alpine:3.11.3
 RUN apk add --no-cache  git
 
 COPY --from=build_env /app/bin/ice /app/bin/ice
+COPY --from=build_env /app/assets /app/assets
 
 # Command to run the executable
 ENTRYPOINT ["/app/bin/ice"]
diff --git a/Makefile b/Makefile
@@ -1,4 +1,5 @@
 GOLINT := golangci-lint
+IMAGE_TAG := $(shell git rev-parse HEAD)
 
 .PHONY: dep
 dep: # Download required dependencies
@@ -11,4 +12,12 @@ lint: dep # Lint the files
 
 .PHONY: test
 test: dep # Run unit tests
-	go test -race -count=1 -short ./...
+	go test -race -count=1 -short ./...
+
+.PHONY: dockerise
+dockerise:
+	docker build --build-arg GIT_USER=$(user) --build-arg GIT_TOKEN=$(token) -t "ice:${IMAGE_TAG}" .
+
+.PHONY: mock
+mock:
+	mockgen -package mock -source pkg/engine/inspector.go > pkg/engine/mock/inspector.go
diff --git a/assets/queries/Fully_Open_Ingress.q b/assets/queries/Fully_Open_Ingress.q
@@ -1,12 +1,13 @@
 package Cx
 
 #CxPragma "$.resource ? (@.aws_security_group_rule != null || @.aws_security_group != null"
+
 #Security groups allow ingress from 0.0.0.0:0
 #https://www.terraform.io/docs/providers/aws/r/security_group.html
 #https://www.terraform.io/docs/providers/aws/r/security_group_rule.html
 
 
-result [ getMetadata({"id" : input.All[i].CxId, "data" : [rule], "search": ["0.0.0.0/0", "cidr_blocks"]}) ] {
+result [ getMetadata({"id" : input.All[i].CxId, "data" : [rule], "search": ["aws_security_group_rule", "ingress"]}) ] {
 	rule := input.All[i].resource.aws_security_group_rule[name]
     rule.type == "ingress"
     rule.from_port
@@ -15,7 +16,7 @@ result [ getMetadata({"id" : input.All[i].CxId, "data" : [rule], "search": ["0.0
 }
 
 
-result [ getMetadata({"id" : input.All[i].CxId, "data" : [ingrs], "search": ["0.0.0.0/0", "cidr_blocks"]}) ] {
+result [ getMetadata({"id" : input.All[i].CxId, "data" : [ingrs], "search": ["ingress", "cidr_blocks"]}) ] {
 	ingrs := input.All[i].resource.aws_security_group[name].ingress
     ingrs.from_port
     ingrs.to_port    

diff --git a/assets/queries/Lamda_Hardcoded_AWS_Access_Key.q b/assets/queries/Lamda_Hardcoded_AWS_Access_Key.q
@@ -2,21 +2,19 @@ package Cx
 
 #CxPragma "$.resource.aws_lambda_function"
 
+#Lambda hardcoded AWS access/secret keys
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function
+
 result [ getMetadata({"id" : input.All[i].CxId, "data" : [vars], "search": "variables"}) ] {
-	some i    
-    vars = input.All[i].resource.aws_lambda_function[name].environment.variables
+	vars = input.All[i].resource.aws_lambda_function[name].environment.variables
     re_match("[A-Za-z0-9/+=]{40}", vars[_])
 }
 
 result [ getMetadata({"id" : input.All[i].CxId, "data" : [vars], "search": "variables"}) ] {
-	some i    
-    vars = input.All[i].resource.aws_lambda_function[name].environment.variables
+	vars = input.All[i].resource.aws_lambda_function[name].environment.variables
     re_match("[A-Z0-9]{20}", vars[_])
 }
 
-has_field(obj, field) {
-    obj[field]
-}
 
 getMetadata(id) = res {
 	some cnt

diff --git a/assets/queries/Missing_Cluster_Log_Types.q b/assets/queries/Missing_Cluster_Log_Types.q
@@ -2,12 +2,12 @@ package Cx
 
 #CxPragma "$.resource.aws_eks_cluster"
 
+#Amazon EKS control plane logging don't enabled for all log types
+#https://www.terraform.io/docs/providers/aws/r/eks_cluster.html
+
 result [ getMetadata({"id" : input.All[i].CxId, "data" : [existing_log_types_set], "search": "enabled_cluster_log_types"}) ] {
-	some i
-
-    required_log_types_set = { "api", "audit", "authenticator", "controllerManager", "scheduler"  }
-    logs := input.All[i].resource.aws_eks_cluster[_].enabled_cluster_log_types
-
+	required_log_types_set = { "api", "audit", "authenticator", "controllerManager", "scheduler"  }
+    logs := input.All[i].resource.aws_eks_cluster[_].enabled_cluster_log_types    
     existing_log_types_set := {x | x = logs[_]}
     existing_log_types_set & required_log_types_set != required_log_types_set
 }

diff --git a/assets/queries/Not_Encypted_Data_in_Launch_Configuration.q b/assets/queries/Not_Encypted_Data_in_Launch_Configuration.q
@@ -2,10 +2,12 @@ package Cx
 
 #CxPragma "$.resource.aws_launch_configuration"
 
+#data stored in the Launch configuration EBS is not securely encrypted
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/instance
+
 result [ getMetadata({"id" : input.All[i].CxId, "data" : [block], "search": "block_device"}) ] {
-	some i    
-    enc = input.All[i].resource.aws_launch_configuration[name][block].encrypted
-    enc = false
+	enc := input.All[i].resource.aws_launch_configuration[name][block].encrypted
+    enc == false
     not contains(block, "ephemeral")
     contains(block, "block_device")
 }

diff --git a/assets/queries/Open_Access_to_Resources_through_API.q b/assets/queries/Open_Access_to_Resources_through_API.q
@@ -2,10 +2,12 @@ package Cx
 
 #CxPragma "$.resource.aws_api_gateway_method"
 
+#Open access to back-end resources through API
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method
+
 result [ getMetadata({"id" : input.All[i].CxId, "data" : [], "search": "http_method"}) ] {
-	some i
-    input.All[i].resource.aws_api_gateway_method[_].authorization = "NONE"
-    input.All[i].resource.aws_api_gateway_method[_].http_method != "OPTIONS"
+	input.All[i].resource.aws_api_gateway_method[name].authorization = "NONE"
+    input.All[i].resource.aws_api_gateway_method[name].http_method != "OPTIONS"
 }
 
 getMetadata(id) = res {
@@ -15,9 +17,10 @@ getMetadata(id) = res {
         "id" : input.All[cnt].CxId,
         "file" : input.All[cnt].CxFile,
         "name" : "Open access to resources through API",
-        "severity": "Medium",
+        "severity": "Low",
         "cnt" : cnt,
         "search": id.search,
         "data" : id.data
     }
 }
+
diff --git a/assets/queries/Public_ECR_Policy.q b/assets/queries/Public_ECR_Policy.q
@@ -1,11 +1,12 @@
 package Cx
 
-
 #CxPragma "$.resource.aws_ecr_repository_policy"
 
+#Public ECR policy
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy
+
 result [ getMetadata({"id" : input.All[i].CxId, "data" : [pol], "search": "Principal"}) ] {
-	some i
-    pol := input.All[i].resource.aws_ecr_repository_policy[_].policy
+	pol := input.All[i].resource.aws_ecr_repository_policy[_].policy
     re_match("\"Principal\"\\s*:\\s*\"*\"", pol)
 }
 

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.14
 require (
 	github.com/checkmarxDev/repostore v1.0.3
 	github.com/checkmarxDev/scans v1.5.1
+	github.com/golang/mock v1.4.3
 	github.com/google/go-cmp v0.5.1 // indirect
 	github.com/gorilla/mux v1.7.5-0.20200711200521-98cb6bf42e08
 	github.com/hashicorp/hcl/v2 v2.6.0

diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go
@@ -54,6 +54,7 @@ func NewInspector(ctx context.Context, source QueriesSource, storage FilesStorag
 					Err(err).
 					Str("fileName", metadata.FileName).
 					Msgf("failed to prepare query for evaluation: %s", metadata.FileName)
+
 				continue
 			}
 			opaQueries = append(opaQueries, &preparedQuery{
@@ -63,6 +64,9 @@ func NewInspector(ctx context.Context, source QueriesSource, storage FilesStorag
 		}
 	}
 
+	log.Info().
+		Msgf("Inspector initialized with %d queries", len(opaQueries))
+
 	return &Inspector{
 		queries: opaQueries,
 		storage: storage,

diff --git a/pkg/engine/mock/inspector.go b/pkg/engine/mock/inspector.go