feat(query): Added modules to query 'Unrestricted Security Group Ingr…

…ess' (Checkmarx#4253)

Signed-off-by: Felipe Avelar <[email protected]>

assets/queries/terraform/aws/unrestricted_security_group_ingress/query.rego

@@ -1,5 +1,7 @@
 package Cx
 
+import data.generic.common as common_lib
+
 CxPolicy[result] {
 	rule := input.document[i].resource.aws_security_group_rule[name]
 
@@ -13,6 +15,7 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "One of 'rule.cidr_blocks' not equal '0.0.0.0/0'",
 		"keyActualValue": "One of 'rule.cidr_blocks' is equal '0.0.0.0/0'",
+		"searchLine": common_lib.build_search_line(["resource", "aws_security_group_rule", name, "cidr_blocks"], []),
 	}
 }
 
@@ -28,20 +31,38 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "One of 'ingress.cidr_blocks' not equal '0.0.0.0/0'",
 		"keyActualValue": "One of 'ingress.cidr_blocks' equal '0.0.0.0/0'",
+		"searchLine": common_lib.build_search_line(["resource", "aws_security_group_rule", name, "ingress", "cidr_blocks"], []),
 	}
 }
 
 CxPolicy[result] {
-	ingrs := input.document[i].resource.aws_security_group[name].ingress[_]
-
-	some j
-	contains(ingrs.cidr_blocks[j], "0.0.0.0/0")
+	ingrs := input.document[i].resource.aws_security_group[name].ingress[j]
+	contains(ingrs.cidr_blocks[idx], "0.0.0.0/0")
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("aws_security_group[%s]", [name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "One of 'ingress.cidr_blocks' not equal '0.0.0.0/0'",
 		"keyActualValue": "One of 'ingress.cidr_blocks' equal '0.0.0.0/0'",
+		"searchLine": common_lib.build_search_line(["resource", "aws_security_group", name, "ingress", j, "cidr_blocks", idx], []),
+	}
+}
+
+# rule for modules
+CxPolicy[result] {
+	module := input.document[i].module[name]
+	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_security_group_rule", "ingress_cidr_blocks") # based on module terraform-aws-modules/security-group/aws
+
+	cidr := module[keyToCheck][idxCidr]
+	contains(cidr, "0.0.0.0/0")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("module[%s].%s", [name, keyToCheck]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "One of 'ingress.cidr_blocks' not equal '0.0.0.0/0'",
+		"keyActualValue": "One of 'ingress.cidr_blocks' equal '0.0.0.0/0'",
+		"searchLine": common_lib.build_search_line(["module", name, "ingress_cidr_blocks", idxCidr], []),
 	}
 }

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/negative1.tf

@@ -0,0 +1,9 @@
+resource "aws_security_group_rule" "negative1" {
+  type              = "ingress"
+  from_port         = 3306
+  to_port           = 3306
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.2.0/0"]
+  security_group_id = aws_security_group.default.id
+}
+

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/negative2.tf

@@ -0,0 +1,9 @@
+resource "aws_security_group" "negative2" {
+  ingress {
+    from_port         = 3306
+    to_port           = 3306
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.2.0/0"]
+    security_group_id = aws_security_group.default.id
+  }
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/negative3.tf

@@ -0,0 +1,15 @@
+resource "aws_security_group" "negative3" {
+  ingress {
+    from_port   = 3306
+    to_port     = 3306
+    protocol    = "tcp"
+    cidr_blocks = ["1.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 3306
+    to_port     = 3306
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.1.0/0"]
+  }
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/negative4.tf

@@ -0,0 +1,10 @@
+module "web_server_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.3.0"
+
+  name        = "web-server"
+  description = "Security group for web-server with HTTP ports open within VPC"
+  vpc_id      = "vpc-12345678"
+
+  ingress_cidr_blocks = ["10.10.0.0/16"]
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive1.tf

@@ -0,0 +1,8 @@
+resource "aws_security_group_rule" "positive1" {
+  type              = "ingress"
+  from_port         = 3306
+  to_port           = 3306
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.default.id
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive2.tf

@@ -0,0 +1,9 @@
+resource "aws_security_group" "positive2" {
+  ingress {
+    from_port         = 3306
+    to_port           = 3306
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.default.id
+  }
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive3.tf

@@ -0,0 +1,15 @@
+resource "aws_security_group" "positive3" {
+  ingress {
+    from_port   = 3306
+    to_port     = 3306
+    protocol    = "tcp"
+    cidr_blocks = ["1.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 3306
+    to_port     = 3306
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive4.tf

@@ -0,0 +1,10 @@
+module "web_server_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.3.0"
+
+  name        = "web-server"
+  description = "Security group for web-server with HTTP ports open within VPC"
+  vpc_id      = "vpc-12345678"
+
+  ingress_cidr_blocks = ["0.0.0.0/0"]
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive5.tf

@@ -0,0 +1,10 @@
+module "web_server_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.3.0"
+
+  name        = "web-server"
+  description = "Security group for web-server with HTTP ports open within VPC"
+  vpc_id      = "vpc-12345678"
+
+  ingress_cidr_blocks = ["10.10.0.0/16", "0.0.0.0/0"]
+}

assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json

@@ -2,16 +2,31 @@
   {
     "queryName": "Unrestricted Security Group Ingress",
     "severity": "HIGH",
-    "line": 6
+    "line": 6,
+    "filename": "positive1.tf"
   },
   {
     "queryName": "Unrestricted Security Group Ingress",
     "severity": "HIGH",
-    "line": 15
+    "line": 6,
+    "filename": "positive2.tf"
   },
   {
     "queryName": "Unrestricted Security Group Ingress",
     "severity": "HIGH",
-    "line": 20
+    "line": 13,
+    "filename": "positive3.tf"
+  },
+  {
+    "queryName": "Unrestricted Security Group Ingress",
+    "severity": "HIGH",
+    "line": 9,
+    "filename": "positive4.tf"
+  },
+  {
+    "queryName": "Unrestricted Security Group Ingress",
+    "severity": "HIGH",
+    "line": 9,
+    "filename": "positive5.tf"
   }
 ]