Merge pull request #96 from aquasecurity/owenr-small-fixes

A few minor tweaks 😆
aquasecurity · Jan 21, 2022 · 932ef95 · 932ef95
2 parents dd4fe3b + 3d82bff
commit 932ef95
Show file tree

Hide file tree

Showing 74 changed files with 917 additions and 560 deletions.
diff --git a/avd_docs/digitalocean/compute/AVD-DIG-0001/Terraform.md b/avd_docs/digitalocean/compute/AVD-DIG-0001/Terraform.md
@@ -10,7 +10,7 @@ resource "digitalocean_firewall" "good_example" {
   inbound_rule {
     protocol         = "tcp"
     port_range       = "22"
-    source_addresses = ["192.168.1.0/24", "2002:1:2::/48"]
+    source_addresses = ["192.168.1.0/24", "fc00::/7"]
   }
 }
 ```

diff --git a/avd_docs/digitalocean/compute/AVD-DIG-0003/Terraform.md b/avd_docs/digitalocean/compute/AVD-DIG-0003/Terraform.md
@@ -10,7 +10,7 @@ resource "digitalocean_firewall" "good_example" {
   outbound_rule {
     protocol         = "tcp"
     port_range       = "22"
-    destination_addresses = ["192.168.1.0/24", "2002:1:2::/48"]
+    destination_addresses = ["192.168.1.0/24", "fc00::/7"]
   }
 }
 ```

diff --git a/provider/azure/database/database.go b/provider/azure/database/database.go
@@ -11,14 +11,17 @@ type Database struct {
 }
 
 type MariaDBServer struct {
+	types.Metadata
 	Server
 }
 
 type MySQLServer struct {
+	types.Metadata
 	Server
 }
 
 type PostgreSQLServer struct {
+	types.Metadata
 	Server
 	Config PostgresSQLConfig
 }

diff --git a/provider/azure/network/network.go b/provider/azure/network/network.go
@@ -10,18 +10,27 @@ type Network struct {
 
 type SecurityGroup struct {
 	types.Metadata
-	InboundAllowRules  []SecurityGroupRule
-	InboundDenyRules   []SecurityGroupRule
-	OutboundAllowRules []SecurityGroupRule
-	OutboundDenyRules  []SecurityGroupRule
+	Rules []SecurityGroupRule
 }
 
 type SecurityGroupRule struct {
 	types.Metadata
-	SourceAddresses       []types.StringValue
-	SourcePortRanges      []types.StringValue
-	DestinationAddresses  []types.StringValue
-	DestinationPortRanges []types.StringValue
+	Outbound             types.BoolValue
+	Allow                types.BoolValue
+	SourceAddresses      []types.StringValue
+	SourcePorts          []PortRange
+	DestinationAddresses []types.StringValue
+	DestinationPorts     []PortRange
+}
+
+type PortRange struct {
+	types.Metadata
+	Start int
+	End   int
+}
+
+func (r PortRange) Includes(port int) bool {
+	return port >= r.Start && port <= r.End
 }
 
 type NetworkWatcherFlowLog struct {
@@ -35,47 +44,42 @@ type RetentionPolicy struct {
 	Days    types.IntValue
 }
 
-
 func (n *Network) GetMetadata() *types.Metadata {
 	return &n.Metadata
 }
 
 func (n *Network) GetRawValue() interface{} {
 	return nil
-}    
-
+}
 
 func (s *SecurityGroup) GetMetadata() *types.Metadata {
 	return &s.Metadata
 }
 
 func (s *SecurityGroup) GetRawValue() interface{} {
 	return nil
-}    
-
+}
 
 func (s *SecurityGroupRule) GetMetadata() *types.Metadata {
 	return &s.Metadata
 }
 
 func (s *SecurityGroupRule) GetRawValue() interface{} {
 	return nil
-}    
-
+}
 
 func (n *NetworkWatcherFlowLog) GetMetadata() *types.Metadata {
 	return &n.Metadata
 }
 
 func (n *NetworkWatcherFlowLog) GetRawValue() interface{} {
 	return nil
-}    
-
+}
 
 func (r *RetentionPolicy) GetMetadata() *types.Metadata {
 	return &r.Metadata
 }
 
 func (r *RetentionPolicy) GetRawValue() interface{} {
 	return nil
-}    
+}
diff --git a/rules/aws/apigateway/enable_access_logging.go b/rules/aws/apigateway/enable_access_logging.go
@@ -20,25 +20,22 @@ var CheckEnableAccessLogging = rules.Register(
 		Links: []string{
 			"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
 		},
-		Terraform:   &rules.EngineMetadata{
-            GoodExamples:        terraformEnableAccessLoggingGoodExamples,
-            BadExamples:         terraformEnableAccessLoggingBadExamples,
-            Links:               terraformEnableAccessLoggingLinks,
-            RemediationMarkdown: terraformEnableAccessLoggingRemediationMarkdown,
-        },
-        CloudFormation:   &rules.EngineMetadata{
-            GoodExamples:        cloudFormationEnableAccessLoggingGoodExamples,
-            BadExamples:         cloudFormationEnableAccessLoggingBadExamples,
-            Links:               cloudFormationEnableAccessLoggingLinks,
-            RemediationMarkdown: cloudFormationEnableAccessLoggingRemediationMarkdown,
-        },
-        Severity: severity.Medium,
+		Terraform: &rules.EngineMetadata{
+			GoodExamples:        terraformEnableAccessLoggingGoodExamples,
+			BadExamples:         terraformEnableAccessLoggingBadExamples,
+			Links:               terraformEnableAccessLoggingLinks,
+			RemediationMarkdown: terraformEnableAccessLoggingRemediationMarkdown,
+		},
+		CloudFormation: &rules.EngineMetadata{
+			GoodExamples:        cloudFormationEnableAccessLoggingGoodExamples,
+			BadExamples:         cloudFormationEnableAccessLoggingBadExamples,
+			Links:               cloudFormationEnableAccessLoggingLinks,
+			RemediationMarkdown: cloudFormationEnableAccessLoggingRemediationMarkdown,
+		},
+		Severity: severity.Medium,
 	},
 	func(s *state.State) (results rules.Results) {
 		for _, api := range s.AWS.APIGateway.APIs {
-			if !api.IsManaged() {
-				continue
-			}
 			for _, stage := range api.Stages {
 				if !stage.IsManaged() {
 					continue

diff --git a/rules/aws/apigateway/enable_access_logging.tf.go b/rules/aws/apigateway/enable_access_logging.tf.go
@@ -1,14 +1,14 @@
 package apigateway
 
 var terraformEnableAccessLoggingGoodExamples = []string{
-        `
+	`
  resource "aws_apigatewayv2_stage" "good_example" {
    api_id = aws_apigatewayv2_api.example.id
    name   = "example-stage"
  
    access_log_settings {
-     destination_arn = ""
-     format          = ""
+    destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+    format          = "json"
    }
  }
  
@@ -18,21 +18,21 @@ var terraformEnableAccessLoggingGoodExamples = []string{
    stage_name    = "example"
  
    access_log_settings {
-     destination_arn = ""
-     format          = ""
+     destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+     format          = "json"
    }
  }
  `,
 }
 
 var terraformEnableAccessLoggingBadExamples = []string{
-        `
+	`
  resource "aws_apigatewayv2_stage" "bad_example" {
    api_id = aws_apigatewayv2_api.example.id
    name   = "example-stage"
  }
  
- resource "aws_api_gateway_stage" "bad_example" {
+ resource "aws_apigatewayv2_stage" "bad_example" {
    deployment_id = aws_api_gateway_deployment.example.id
    rest_api_id   = aws_api_gateway_rest_api.example.id
    stage_name    = "example"
@@ -41,7 +41,7 @@ var terraformEnableAccessLoggingBadExamples = []string{
 }
 
 var terraformEnableAccessLoggingLinks = []string{
-        `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings`,
+	`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings`,
 }
 
 var terraformEnableAccessLoggingRemediationMarkdown = ``
diff --git a/rules/aws/apigateway/enable_cache_encryption.go b/rules/aws/apigateway/enable_cache_encryption.go
@@ -19,13 +19,13 @@ var CheckEnableCacheEncryption = rules.Register(
 		Resolution:  "Enable cache encryption",
 		Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`,
 		Links:       []string{},
-		Terraform:   &rules.EngineMetadata{
-            GoodExamples:        terraformEnableCacheEncryptionGoodExamples,
-            BadExamples:         terraformEnableCacheEncryptionBadExamples,
-            Links:               terraformEnableCacheEncryptionLinks,
-            RemediationMarkdown: terraformEnableCacheEncryptionRemediationMarkdown,
-        },
-        Severity:    severity.Medium,
+		Terraform: &rules.EngineMetadata{
+			GoodExamples:        terraformEnableCacheEncryptionGoodExamples,
+			BadExamples:         terraformEnableCacheEncryptionBadExamples,
+			Links:               terraformEnableCacheEncryptionLinks,
+			RemediationMarkdown: terraformEnableCacheEncryptionRemediationMarkdown,
+		},
+		Severity: severity.Medium,
 	},
 	func(s *state.State) (results rules.Results) {
 		for _, api := range s.AWS.APIGateway.APIs {

diff --git a/rules/aws/apigateway/enable_tracing.go b/rules/aws/apigateway/enable_tracing.go
@@ -19,13 +19,13 @@ var CheckEnableTracing = rules.Register(
 		Resolution:  "Enable tracing",
 		Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`,
 		Links:       []string{},
-		Terraform:   &rules.EngineMetadata{
-            GoodExamples:        terraformEnableTracingGoodExamples,
-            BadExamples:         terraformEnableTracingBadExamples,
-            Links:               terraformEnableTracingLinks,
-            RemediationMarkdown: terraformEnableTracingRemediationMarkdown,
-        },
-        Severity:    severity.Low,
+		Terraform: &rules.EngineMetadata{
+			GoodExamples:        terraformEnableTracingGoodExamples,
+			BadExamples:         terraformEnableTracingBadExamples,
+			Links:               terraformEnableTracingLinks,
+			RemediationMarkdown: terraformEnableTracingRemediationMarkdown,
+		},
+		Severity: severity.Low,
 	},
 	func(s *state.State) (results rules.Results) {
 		for _, api := range s.AWS.APIGateway.APIs {

diff --git a/rules/aws/apigateway/no_public_access.go b/rules/aws/apigateway/no_public_access.go
@@ -19,13 +19,13 @@ var CheckNoPublicAccess = rules.Register(
 		Resolution:  "Use and authorization method or require API Key",
 		Explanation: `API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization`,
 		Links:       []string{},
-		Terraform:   &rules.EngineMetadata{
-            GoodExamples:        terraformNoPublicAccessGoodExamples,
-            BadExamples:         terraformNoPublicAccessBadExamples,
-            Links:               terraformNoPublicAccessLinks,
-            RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
-        },
-        Severity:    severity.Low,
+		Terraform: &rules.EngineMetadata{
+			GoodExamples:        terraformNoPublicAccessGoodExamples,
+			BadExamples:         terraformNoPublicAccessBadExamples,
+			Links:               terraformNoPublicAccessLinks,
+			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
+		},
+		Severity: severity.Low,
 	},
 	func(s *state.State) (results rules.Results) {
 		for _, api := range s.AWS.APIGateway.APIs {

diff --git a/rules/aws/ecs/no_plaintext_secrets.go b/rules/aws/ecs/no_plaintext_secrets.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/aquasecurity/defsec/provider"
 	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/security"
 	"github.com/aquasecurity/defsec/severity"
 	"github.com/aquasecurity/defsec/state"
 	"github.com/owenrumney/squealer/pkg/squealer"
@@ -25,19 +26,19 @@ var CheckNoPlaintextSecrets = rules.Register(
 			"https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html",
 			"https://www.vaultproject.io/",
 		},
-		Terraform:   &rules.EngineMetadata{
-            GoodExamples:        terraformNoPlaintextSecretsGoodExamples,
-            BadExamples:         terraformNoPlaintextSecretsBadExamples,
-            Links:               terraformNoPlaintextSecretsLinks,
-            RemediationMarkdown: terraformNoPlaintextSecretsRemediationMarkdown,
-        },
-        CloudFormation:   &rules.EngineMetadata{
-            GoodExamples:        cloudFormationNoPlaintextSecretsGoodExamples,
-            BadExamples:         cloudFormationNoPlaintextSecretsBadExamples,
-            Links:               cloudFormationNoPlaintextSecretsLinks,
-            RemediationMarkdown: cloudFormationNoPlaintextSecretsRemediationMarkdown,
-        },
-        Severity: severity.Critical,
+		Terraform: &rules.EngineMetadata{
+			GoodExamples:        terraformNoPlaintextSecretsGoodExamples,
+			BadExamples:         terraformNoPlaintextSecretsBadExamples,
+			Links:               terraformNoPlaintextSecretsLinks,
+			RemediationMarkdown: terraformNoPlaintextSecretsRemediationMarkdown,
+		},
+		CloudFormation: &rules.EngineMetadata{
+			GoodExamples:        cloudFormationNoPlaintextSecretsGoodExamples,
+			BadExamples:         cloudFormationNoPlaintextSecretsBadExamples,
+			Links:               cloudFormationNoPlaintextSecretsLinks,
+			RemediationMarkdown: cloudFormationNoPlaintextSecretsRemediationMarkdown,
+		},
+		Severity: severity.Critical,
 	},
 	func(s *state.State) (results rules.Results) {
 
@@ -49,7 +50,7 @@ var CheckNoPlaintextSecrets = rules.Register(
 				continue
 			}
 			for key, val := range vars {
-				if result := scanner.Scan(val); result.TransgressionFound {
+				if result := scanner.Scan(val); result.TransgressionFound || security.IsSensitiveAttribute(key) {
 					results.Add(
 						fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s': %s", key, result.Description),
 						&definition,