Merge branch 'master' into kics-1145

paulrob-100 · Feb 26, 2024 · c04b09c · c04b09c
2 parents 1af7c1f + ca21626
commit c04b09c
Show file tree

Hide file tree

Showing 287 changed files with 9,482 additions and 11,979 deletions.
diff --git a/.github/scripts/docs-generator/docs-generator.py b/.github/scripts/docs-generator/docs-generator.py
@@ -92,7 +92,7 @@ def check_and_create_override_entry(meta_dict, template_dict):
         check_and_create_override_entry(meta_dict, template_dict)
         q_id = meta_dict['id']
         query_page = os.path.join('..', f"{meta_dict.get('platform').lower()}-queries", meta_dict.get('cloudProvider', '').lower(), meta_dict.get('id'))
-        meta_dict['descriptionText'] += f' (<a href="{query_page}" target="_blank">read more</a>)'
+        meta_dict['descriptionText'] = f'<a href="{query_page}" target="_blank">Query details</a>'
         template_dict[platform][sub_platform][severity][category][q_id] = meta_dict
 #
 # template dict ex:

diff --git a/.github/scripts/docs-generator/templates/general_template.md b/.github/scripts/docs-generator/templates/general_template.md
@@ -1,16 +1,15 @@
 ## Queries List
 This page contains all queries.
 
-|            Query            |Platform|Severity|Category|Description|Help|
-|-----------------------------|---|---|---|---|---|
+ |            Query            |Platform|Severity|Category|More info|
+|-----------------------------|---|---|---|---|
 {%- for platform in data %}
 {%- for sub_platform in data[platform] -%}
   {%- for severity in data[platform][sub_platform] -%}
     {%- for id in data[platform][sub_platform][severity] %}
 |{{data[platform][sub_platform][severity][id]['queryName']}}<br/><sup><sub>{{id}}</sub></sup>|{{platform -}}
     |<span style="color:{{colors[severity]}}">{{severity}}</span>|{{data[platform][sub_platform][severity][id]['category'] -}}
-    |{{data[platform][sub_platform][severity][id]['descriptionText'] -}}
-    |<a href="{{data[platform][sub_platform][severity][id]['descriptionUrl']}}">Documentation</a><br/>|
+    |{{data[platform][sub_platform][severity][id]['descriptionText'] -}}<br><a href="{{data[platform][sub_platform][severity][id]['descriptionUrl']}}">Documentation</a><br/>|
     {%- endfor -%}
   {%- endfor -%}
 {%- endfor -%}

diff --git a/.github/scripts/docs-generator/templates/platform_template.md b/.github/scripts/docs-generator/templates/platform_template.md
@@ -5,17 +5,16 @@ This page contains all queries from {{platform}}.
 {%- if sub_platform != 'default' %}
 
 ### {{sub_platform | upper}}
-Bellow are listed queries related with {{platform}} {{sub_platform | upper}}:
+Below are listed queries related to {{platform}} {{sub_platform | upper}}:
 
 {% endif %}
 
-|            Query             |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
+|            Query             |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
 {%- for severity in data[sub_platform] -%}
   {%- for id in data[sub_platform][severity] %}
 |{{data[sub_platform][severity][id]['queryName']}}<br/><sup><sub>{{id}}</sub></sup>|<span style="color:{{colors[severity]}}">{{severity}}</span>|{{data[sub_platform][severity][id]['category'] -}}
-    |{{data[sub_platform][severity][id]['descriptionText'] -}}
-    |<a href="{{data[sub_platform][severity][id]['descriptionUrl']}}">Documentation</a><br/>|
+    |{{data[sub_platform][severity][id]['descriptionText'] -}}<br><a href="{{data[sub_platform][severity][id]['descriptionUrl']}}">Documentation</a><br/>|
   {%- endfor -%}
 {%- endfor -%}
-{%- endfor -%}
+{%- endfor -%}
diff --git a/README.md b/README.md
@@ -108,7 +108,7 @@ KICS is used by various companies and organizations, some are listed below. If y
 -   [JIT](https://www.jit.io/) ([SAST for IaC](https://www.jit.io/security-tools/kics))
 -   [Firefly](https://www.firefly.ai/)
 -   [Redpanda](https://redpanda.com/)
--   [Keptn](https://keptn.sh)
+-   [Keptn](https://github.com/keptn) / [Keptn Lifecycle Toolkit](https://keptn.sh)
 
 **Keeping Infrastructure as Code Secure!**
 

diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego
@@ -22,4 +22,25 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId is undefined", [name]),
 	}
-}
+} 
+
+CxPolicy[result] {
+	docs := input.document[i]
+	[path, Resources] := walk(docs)
+	resource := Resources[name]
+	resource.Type == "AWS::CloudFront::Distribution"
+	distributionConfig := resource.Properties.DistributionConfig
+
+	not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
+	distributionConfig.WebACLId == ""
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("%s%s.Properties.DistributionConfig.WebACLId", [cf_lib.getPath(path), name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId should be properly defined", [distributionConfig.WebACLId]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId contains invalid value", [distributionConfig.WebACLId]),
+	}
+} 
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive3.yaml b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive3.yaml
@@ -0,0 +1,24 @@
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  cloudfrontdistribution:
+    Type: AWS::CloudFront::Distribution
+    Properties:
+      DistributionConfig:
+        Enabled: true
+        CacheBehaviors:
+          - LambdaFunctionAssociations:
+              - EventType: string-value
+                LambdaFunctionARN: string-value
+        DefaultCacheBehavior:
+          LambdaFunctionAssociations:
+            - EventType: string-value
+              LambdaFunctionARN: string-value
+        IPV6Enabled: boolean-value
+        Origins:
+          - CustomOriginConfig:
+              OriginKeepaliveTimeout: integer-value
+              OriginReadTimeout: integer-value
+        WebACLId: ""
+      Tags:
+        - Key: string-value
+          Value: string-value
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive4.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive4.json
@@ -0,0 +1,47 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+  "Resources": {
+    "cloudfrontdistribution": {
+      "Type": "AWS::CloudFront::Distribution",
+      "Properties": {
+        "DistributionConfig": {
+          "Enabled": true,
+          "CacheBehaviors": [
+            {
+              "LambdaFunctionAssociations": [
+                {
+                  "EventType": "string-value",
+                  "LambdaFunctionARN": "string-value"
+                }
+              ]
+            }
+          ],
+          "DefaultCacheBehavior": {
+            "LambdaFunctionAssociations": [
+              {
+                "EventType": "string-value",
+                "LambdaFunctionARN": "string-value"
+              }
+            ]
+          },
+          "IPV6Enabled": "boolean-value",
+          "Origins": [
+            {
+              "CustomOriginConfig": {
+                "OriginKeepaliveTimeout": "integer-value",
+                "OriginReadTimeout": "integer-value"
+              }
+            }
+          ],
+          "WebACLId": ""
+        },
+        "Tags": [
+          {
+            "Value": "string-value",
+            "Key": "string-value"
+          }
+        ]
+      }
+    }
+  }
+}
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -10,5 +10,17 @@
     "queryName": "CloudFront Without WAF",
     "severity": "LOW",
     "line": 13
+  },
+  {
+    "fileName": "positive3.yaml",
+    "queryName": "CloudFront Without WAF",
+    "severity": "LOW",
+    "line": 21
+  },
+  {
+    "fileName": "positive4.json",
+    "queryName": "CloudFront Without WAF",
+    "severity": "LOW",
+    "line": 36
   }
 ]
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/query.rego b/assets/queries/openAPI/general/maximum_length_undefined/query.rego
@@ -1,6 +1,7 @@
 package Cx
 
 import data.generic.openapi as openapi_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
 	doc := input.document[i]
@@ -11,6 +12,7 @@ CxPolicy[result] {
 	info := openapi_lib.is_operation(path)
 	openapi_lib.content_allowed(info.operation, info.code)
 	openapi_lib.undefined_field_in_string_type(value, "maxLength")
+	not limited_regex(value)
 
 	result := {
 		"documentId": doc.id,
@@ -19,6 +21,7 @@ CxPolicy[result] {
 		"keyExpectedValue": "'maxLength' should be defined",
 		"keyActualValue": "'maxLength' is undefined",
 		"overrideKey": version,
+		"searchLine": common_lib.build_search_line(path,["type"]),
 	}
 }
 
@@ -30,6 +33,7 @@ CxPolicy[result] {
 	[path, value] := walk(doc)
 	openapi_lib.is_operation(path) == {}
 	openapi_lib.undefined_field_in_string_type(value, "maxLength")
+	not limited_regex(value)
 
 	result := {
 		"documentId": doc.id,
@@ -38,5 +42,12 @@ CxPolicy[result] {
 		"keyExpectedValue": "'maxLength' should be defined",
 		"keyActualValue": "'maxLength' is undefined",
 		"overrideKey": version,
+		"searchLine": common_lib.build_search_line(path,["type"]),
 	}
 }
+
+limited_regex(value){
+	not contains(value.pattern, "+")
+	not contains(value.pattern, "*")
+	not regex.match("[^\\\\]{\\d+,}", value.pattern)
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative7.json b/assets/queries/openAPI/general/maximum_length_undefined/test/negative7.json
@@ -0,0 +1,42 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "[email protected]"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "schema": {
+              "discriminator": "petType",
+              "additionalProperties": false,
+              "properties": {
+                "code": {
+                  "type": "string",
+                  "format": "int32",
+                  "pattern": "[a-z0-9-]"
+                },
+                "message": {
+                  "type": "string",
+                  "pattern": "[a-z]{3}"
+                }
+              },
+              "required": [
+                "petType"
+              ],
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative8.json b/assets/queries/openAPI/general/maximum_length_undefined/test/negative8.json
@@ -0,0 +1,42 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "[email protected]"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "schema": {
+              "discriminator": "petType",
+              "additionalProperties": false,
+              "properties": {
+                "code": {
+                  "type": "string",
+                  "format": "int32",
+                  "pattern": "[a-z0-9-]?"
+                },
+                "message": {
+                  "type": "string",
+                  "pattern": "[a-z]\\{2,\\}"
+                }
+              },
+              "required": [
+                "petType"
+              ],
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive7.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive7.json
@@ -0,0 +1,42 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "[email protected]"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "schema": {
+              "discriminator": "petType",
+              "additionalProperties": false,
+              "properties": {
+                "code": {
+                  "type": "string",
+                  "format": "int32",
+                  "pattern": "[a-z0-9-]*"
+                },
+                "message": {
+                  "type": "string",
+                  "pattern": "[a-z]{3,}"
+                }
+              },
+              "required": [
+                "petType"
+              ],
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive8.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive8.json
@@ -0,0 +1,42 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "[email protected]"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "schema": {
+              "discriminator": "petType",
+              "additionalProperties": false,
+              "properties": {
+                "code": {
+                  "type": "string",
+                  "format": "int32",
+                  "pattern": "[a-z0-9-]{2,3}"
+                },
+                "message": {
+                  "type": "string",
+                  "pattern": "[a-z]+"
+                }
+              },
+              "required": [
+                "petType"
+              ],
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}